Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/add-tlscacert-option-to-ldap-conf12
-rw-r--r--debian/patches/contrib-makefiles54
-rw-r--r--debian/patches/debian-version16
-rw-r--r--debian/patches/do-not-second-guess-sonames73
-rw-r--r--debian/patches/fix-build-top-mk13
-rw-r--r--debian/patches/getaddrinfo-is-threadsafe47
-rw-r--r--debian/patches/index-files-created-as-root41
-rw-r--r--debian/patches/ldap-conf-tls-cacertdir29
-rw-r--r--debian/patches/ldapi-socket-place18
-rw-r--r--debian/patches/man-slapd62
-rw-r--r--debian/patches/sasl-default-path59
-rw-r--r--debian/patches/series15
-rw-r--r--debian/patches/set-maintainer-name18
-rw-r--r--debian/patches/slapi-errorlog-file18
-rw-r--r--debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff42
-rw-r--r--debian/patches/wrong-database-location73
16 files changed, 590 insertions, 0 deletions
diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf
new file mode 100644
index 0000000..7512dc1
--- /dev/null
+++ b/debian/patches/add-tlscacert-option-to-ldap-conf
@@ -0,0 +1,12 @@
+Index: openldap/libraries/libldap/ldap.conf
+===================================================================
+--- openldap.orig/libraries/libldap/ldap.conf 2022-05-20 17:36:15.013248293 -0400
++++ openldap/libraries/libldap/ldap.conf 2022-05-20 17:36:15.013248293 -0400
+@@ -11,3 +11,7 @@
+ #SIZELIMIT 12
+ #TIMELIMIT 15
+ #DEREF never
++
++# TLS certificates (needed for GnuTLS)
++TLS_CACERT /etc/ssl/certs/ca-certificates.crt
++
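Review bot: This patch file carries no header at all (no Description, Author or Forwarded field), so the reason for changing a client-side trust default is recorded only in the in-file comment `# TLS certificates (needed for GnuTLS)`. The added `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` makes every CA in the system bundle a trust anchor for LDAP clients that rely on this default. I would add a header such as `Description: Point TLS_CACERT at the system CA bundle so GnuTLS builds can verify server certificates` and extend the in-file comment to say that sites with a private CA should override the value. The same missing header applies to contrib-makefiles, fix-build-top-mk, ldap-conf-tls-cacertdir and set-maintainer-name.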
diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles
new file mode 100644
index 0000000..b2c8f99
--- /dev/null
+++ b/debian/patches/contrib-makefiles
@@ -0,0 +1,54 @@
+Index: openldap/contrib/slapd-modules/passwd/Makefile
+===================================================================
+--- openldap.orig/contrib/slapd-modules/passwd/Makefile 2024-02-01 16:22:33.496188990 -0500
++++ openldap/contrib/slapd-modules/passwd/Makefile 2024-02-01 16:22:33.496188990 -0500
+@@ -20,7 +20,7 @@
+ LIBS = $($(PLAT)_LIB) $(LDAP_LIB)
+ LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module
+
+-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la
++PROGRAMS = pw-netscape.la pw-apr1.la
+ MANPAGES = slapd-pw-radius.5
+ LTVER = 0:0:0
+
+Index: openldap/contrib/slapd-modules/passwd/pbkdf2/Makefile
+===================================================================
+--- openldap.orig/contrib/slapd-modules/passwd/pbkdf2/Makefile 2024-02-01 16:22:33.496188990 -0500
++++ openldap/contrib/slapd-modules/passwd/pbkdf2/Makefile 2024-02-01 16:22:33.496188990 -0500
+@@ -18,7 +18,7 @@
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+
+ SSL_INC =
+-SSL_LIB = -lcrypto
++SSL_LIB = -lnettle
+
+ INCS = $(LDAP_INC) $(SSL_INC)
+ LIBS = $($(PLAT)_LIB) $(LDAP_LIB) $(SSL_LIB)
+Index: openldap/contrib/slapd-modules/smbk5pwd/Makefile
+===================================================================
+--- openldap.orig/contrib/slapd-modules/smbk5pwd/Makefile 2024-02-01 16:22:33.496188990 -0500
++++ openldap/contrib/slapd-modules/smbk5pwd/Makefile 2024-02-01 16:23:34.552414593 -0500
+@@ -19,10 +19,10 @@
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+ SSL_INC =
+-SSL_LIB = -lcrypto
++SSL_LIB = -lnettle
+
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
+
+ PLAT = UNIX
+ NT_LIB = -L$(LDAP_BUILD)/servers/slapd -lslapd
+@@ -36,7 +36,8 @@
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+ DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+-LIBS = $($(PLAT)_LIB) $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356
++LIBS = $($(PLAT)_LIB) $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
+ LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module
+
+ PROGRAMS = smbk5pwd.la
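Review bot: `MANPAGES = slapd-pw-radius.5` is left unchanged in the passwd Makefile while `pw-radius.la` is dropped from `PROGRAMS`, so the manual page for a module that is no longer built would presumably still be installed; the install rules are outside the hunk, so confirm and drop it if so. In the smbk5pwd Makefile, `HEIMDAL_INC` and `HEIMDAL_LIB` use recursive `=` with `$(shell …)`, which re-runs `krb5-config.heimdal` on every expansion; `HEIMDAL_INC := $(shell krb5-config.heimdal --cflags krb5 kadm-server)` (and likewise for `HEIMDAL_LIB`) runs it once. A missing or failing `krb5-config.heimdal` also yields empty flags rather than a build error, which deserves a guard or at least a comment.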
diff --git a/debian/patches/debian-version b/debian/patches/debian-version
new file mode 100644
index 0000000..0529c3e
--- /dev/null
+++ b/debian/patches/debian-version
@@ -0,0 +1,16 @@
+Description: Replace upstream version with Debian version in version strings
+Forwarded: not-needed
+Author: Ryan Tandy <ryan@nardis.ca>
+Index: openldap/build/version.sh
+===================================================================
+--- openldap.orig/build/version.sh 2022-05-20 17:35:48.989227363 -0400
++++ openldap/build/version.sh 2022-05-20 17:35:48.989227363 -0400
+@@ -36,7 +36,7 @@
+ echo OL_PATCH=$ol_patch
+ echo OL_API_INC=$ol_api_inc
+ echo OL_API_LIB_VERSION=$ol_api_lib_version
+-echo OL_VERSION=$ol_version
++echo OL_VERSION=\"${DEB_VERSION:-$ol_version}\"
+ echo OL_TYPE=$ol_type
+ echo OL_STRING=\"${ol_string}\"
+ echo OL_RELEASE_DATE=\"${ol_release_date}\"
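Review bot: `${DEB_VERSION:-$ol_version}` is taken from the environment and written between escaped double quotes without validation, and the output of version.sh looks like shell assignments meant to be evaluated by the caller (the consumer is outside this hunk, so this is inferred). A value containing `"`, `$` or a backtick would then be interpreted rather than treated as a version string. I would reject anything outside the Debian version character set before the echo, e.g. `case "$DEB_VERSION" in *[!A-Za-z0-9.+~:-]*) echo "invalid DEB_VERSION" >&2; exit 1;; esac`. set-maintainer-name has the same pattern with `WHOWHERE="${DEB_MAINTAINER:-openldap}"`, which sits directly above the `cat << __EOF__` here-document and so presumably reaches the generated file unescaped.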
diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames
new file mode 100644
index 0000000..a5fb328
--- /dev/null
+++ b/debian/patches/do-not-second-guess-sonames
@@ -0,0 +1,73 @@
+Rip out code that second-guesses the libsasl soname / Debian shlibs. If
+cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
+there, not kludged around upstream here!
+
+Debian bug #546885
+
+Upstream ITS #6302 filed.
+
+Index: openldap/libraries/libldap/cyrus.c
+===================================================================
+--- openldap.orig/libraries/libldap/cyrus.c 2022-05-20 17:36:13.661247231 -0400
++++ openldap/libraries/libldap/cyrus.c 2022-05-20 17:36:13.661247231 -0400
+@@ -74,29 +74,6 @@
+ */
+ int ldap_int_sasl_init( void )
+ {
+-#ifdef HAVE_SASL_VERSION
+- /* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat) #maj "." #min "." #pat
+-#define VSTR(maj, min, pat) VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+- SASL_VERSION_STEP)
+- { int rc;
+- sasl_version( NULL, &rc );
+- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+- (rc & 0xffff) < SASL_VERSION_STEP) {
+- char version[sizeof("xxx.xxx.xxxxx")];
+- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+- rc & 0xffff );
+-
+- Debug1( LDAP_DEBUG_ANY,
+- "ldap_int_sasl_init: SASL library version mismatch:"
+- " expected " SASL_VERSION_STRING ","
+- " got %s\n", version );
+- return -1;
+- }
+- }
+-#endif
+-
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+ sasl_set_alloc(
+Index: openldap/servers/slapd/sasl.c
+===================================================================
+--- openldap.orig/servers/slapd/sasl.c 2022-05-20 17:36:13.661247231 -0400
++++ openldap/servers/slapd/sasl.c 2022-05-20 17:36:13.661247231 -0400
+@@ -1271,26 +1271,6 @@
+ rewrite_mapper_register( &slapd_mapper );
+
+ #ifdef HAVE_CYRUS_SASL
+-#ifdef HAVE_SASL_VERSION
+- /* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat) #maj "." #min "." #pat
+-#define VSTR(maj, min, pat) VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+- SASL_VERSION_STEP)
+-
+- sasl_version( NULL, &rc );
+- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+- (rc & 0xffff) < SASL_VERSION_STEP)
+- {
+- char version[sizeof("xxx.xxx.xxxxx")];
+- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+- rc & 0xffff );
+- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+- " expected %s, got %s\n",
+- SASL_VERSION_STRING, version );
+- return -1;
+- }
+-#endif
+
+ sasl_set_mutex(
+ ldap_pvt_sasl_mutex_new,
diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk
new file mode 100644
index 0000000..5cb469d
--- /dev/null
+++ b/debian/patches/fix-build-top-mk
@@ -0,0 +1,13 @@
+Index: openldap/build/top.mk
+===================================================================
+--- openldap.orig/build/top.mk 2022-05-20 17:36:15.513248684 -0400
++++ openldap/build/top.mk 2022-05-20 17:36:15.509248681 -0400
+@@ -20,7 +20,7 @@
+ RELEASEDATE= @OPENLDAP_RELEASE_DATE@
+
+ @SET_MAKE@
+-SHELL = /bin/sh
++SHELL = @SHELL@
+
+ top_builddir = @top_builddir@
+
diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe
new file mode 100644
index 0000000..b79bcbf
--- /dev/null
+++ b/debian/patches/getaddrinfo-is-threadsafe
@@ -0,0 +1,47 @@
+Author: Steve Langasek <vorlon@debian.org>
+
+OpenLDAP upstream conservatively assumes that certain resolver functions
+(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
+know that the glibc implementations of these functions are thread-safe, so
+we should bypass the use of this mutex. This fixes a locking problem when
+an application uses libldap and libnss-ldap is also used for hosts
+resolution.
+
+Closes Debian bug #340601.
+
+Not suitable for forwarding upstream; might be made suitable by adding a
+configure-time check for glibc and disabling the mutex only on known
+thread-safe implementations.
+
+Index: openldap/libraries/libldap/os-ip.c
+===================================================================
+--- openldap.orig/libraries/libldap/os-ip.c 2022-05-20 17:36:12.989246703 -0400
++++ openldap/libraries/libldap/os-ip.c 2022-05-20 17:36:12.989246703 -0400
+@@ -645,13 +645,7 @@
+ hints.ai_socktype = socktype;
+ snprintf(serv, sizeof serv, "%d", port );
+
+- /* most getaddrinfo(3) use non-threadsafe resolver libraries */
+- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+-
+ err = getaddrinfo( host, serv, &hints, &res );
+-
+- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+-
+ if ( err != 0 ) {
+ Debug1(LDAP_DEBUG_TRACE,
+ "ldap_connect_to_host: getaddrinfo failed: %s\n",
+Index: openldap/libraries/libldap/util-int.c
+===================================================================
+--- openldap.orig/libraries/libldap/util-int.c 2022-05-20 17:36:12.989246703 -0400
++++ openldap/libraries/libldap/util-int.c 2022-05-20 17:36:12.989246703 -0400
+@@ -559,9 +559,7 @@
+ int rc;
+ #if defined( HAVE_GETNAMEINFO )
+
+- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
+ rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
+- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
+ if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
+ return rc;
+
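Review bot: Both hunks drop `ldap_int_resolv_mutex` unconditionally, although the patch header itself limits the thread-safety claim to the glibc implementations of getaddrinfo() and getnameinfo(). Built against another libc, the calls would run unserialised with no warning. Wrapping each LOCK/UNLOCK line in `#ifndef __GLIBC__` … `#endif` instead of deleting it keeps the glibc path lock-free and preserves upstream behaviour elsewhere, which is close to the configure-time check the header suggests for upstreaming. A one-line comment at each call site, e.g. `/* Debian: glibc resolver is thread-safe, no ldap_int_resolv_mutex (#340601) */`, would also stop the lock being reintroduced by accident. Both enclosing functions start and end outside the hunks.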
diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root
new file mode 100644
index 0000000..432113c
--- /dev/null
+++ b/debian/patches/index-files-created-as-root
@@ -0,0 +1,41 @@
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form. This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this. Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+Index: openldap/doc/man/man8/slapindex.8
+===================================================================
+--- openldap.orig/doc/man/man8/slapindex.8 2022-05-20 17:36:11.609245615 -0400
++++ openldap/doc/man/man8/slapindex.8 2022-05-20 17:36:11.605245612 -0400
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+Index: openldap/servers/slapd/slapindex.c
+===================================================================
+--- openldap.orig/servers/slapd/slapindex.c 2022-05-20 17:36:11.609245615 -0400
++++ openldap/servers/slapd/slapindex.c 2022-05-20 17:36:11.605245612 -0400
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++ if (geteuid() == 0)
++ fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+ ID id;
+ int rc = EXIT_SUCCESS;
+ const char *progname = "slapindex";
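Review bot: The `geteuid()` check is inserted ahead of the declarations `ID id;`, `int rc = EXIT_SUCCESS;` and `const char *progname`, so slapindex() now has a statement before its declarations, which C90 compilers reject and `-Wdeclaration-after-statement` flags. Moving the two added lines below the last declaration avoids that; the declaration block continues past the end of the hunk, so the exact spot is not visible here. The check also only warns and carries on, so index files can still end up owned by root. The patch header already says this needs reworking, and a short comment above the check, e.g. `/* Debian: warn only; see ITS#5356 for the ownership check */`, would record that in the code.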
diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir
new file mode 100644
index 0000000..2b83e56
--- /dev/null
+++ b/debian/patches/ldap-conf-tls-cacertdir
@@ -0,0 +1,29 @@
+Index: openldap/doc/man/man5/ldap.conf.5
+===================================================================
+--- openldap.orig/doc/man/man5/ldap.conf.5 2022-05-20 17:36:14.589247961 -0400
++++ openldap/doc/man/man5/ldap.conf.5 2022-05-20 17:36:14.589247961 -0400
+@@ -408,13 +408,13 @@
+ Specifying a minimum that is higher than that supported by the
+ OpenLDAP implementation will result in it requiring the
+ highest level that it does support.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_RANDFILE <filename>
+ Specifies the file to obtain random bits from when /dev/[u]random is
+ not available. Generally set to the name of the EGD/PRNGD socket.
+ The environment variable RANDFILE can also be used to specify the filename.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_REQCERT <level>
+ Specifies what checks to perform on server certificates in a TLS session.
+@@ -476,7 +476,7 @@
+ used to verify if the server certificates have not been revoked. This
+ requires
+ .B TLS_CACERTDIR
+-parameter to be set. This parameter is ignored with GnuTLS.
++parameter to be set. This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ .B <level>
+ can be specified as one of the following keywords:
+ .RS
diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place
new file mode 100644
index 0000000..1a52eca
--- /dev/null
+++ b/debian/patches/ldapi-socket-place
@@ -0,0 +1,18 @@
+Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
+is only writable by root and slapd runs as openldap.
+
+Debian-specific.
+
+Index: openldap/include/ldap_defaults.h
+===================================================================
+--- openldap.orig/include/ldap_defaults.h 2022-05-20 17:36:09.977244324 -0400
++++ openldap/include/ldap_defaults.h 2022-05-20 17:36:09.973244321 -0400
+@@ -40,7 +40,7 @@
+
+ /* default ldapi:// socket */
+ #ifndef LDAPI_SOCK
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
+ #endif
+
+ /*
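Review bot: Nothing near the new `LDAPI_SOCK` definition says that the `slapd` subdirectory must exist and be writable by the account slapd runs as before the listener can bind, and this patch does not create it (presumably packaging outside this diff does). Since access to an ldapi:// socket is gated by the permissions of the socket and its directory, I would extend the comment to something like `/* default ldapi:// socket; Debian keeps it in a slapd-owned run/slapd directory, whose mode controls who can connect */`. The description also says /var/run/slapd, which holds only if `LDAP_RUNDIR` expands to /var; that definition is not in the hunk.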
diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd
new file mode 100644
index 0000000..aec9515
--- /dev/null
+++ b/debian/patches/man-slapd
@@ -0,0 +1,62 @@
+Patch the slapd man page to not refer to a header file that isn't
+installed with the slapd package and to reference the correct path
+for slapd.
+
+Debian-specific.
+
+Index: openldap/doc/man/man8/slapd.8
+===================================================================
+--- openldap.orig/doc/man/man8/slapd.8 2022-05-20 17:36:07.977242738 -0400
++++ openldap/doc/man/man8/slapd.8 2022-05-20 17:36:07.973242735 -0400
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B /usr/sbin/slapd
+ [\c
+ .BR \-V [ V [ V ]]
+ [\c
+@@ -110,11 +110,10 @@
+ will not fork or disassociate from the invoking terminal. Some general
+ operation and status messages are printed for any value of \fIdebug-level\fP.
+ \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+-different kind of debugging information. See <ldap_log.h> for details.
+-Comma-separated arrays of friendly names can be specified to select
+-debugging output of the corresponding debugging information.
+-All the names recognized by the \fIloglevel\fP directive
+-described in \fBslapd.conf\fP(5) are supported.
++different kind of debugging information. Comma-separated arrays of friendly
++names can be specified to select debugging output of the corresponding
++debugging information. All the names recognized by the \fIloglevel\fP
++directive described in \fBslapd.conf\fP(5) are supported.
+ If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+ and slapd exits.
+
+@@ -332,7 +331,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd
++ /usr/sbin/slapd
+ .ft
+ .fi
+ .LP
+@@ -343,7 +342,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255
+ .ft
+ .fi
+ .LP
+@@ -351,7 +350,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-Tt
++ /usr/sbin/slapd \-Tt
+ .ft
+ .fi
+ .LP
diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path
new file mode 100644
index 0000000..aced4e5
--- /dev/null
+++ b/debian/patches/sasl-default-path
@@ -0,0 +1,59 @@
+Add /etc/ldap/sasl2 to the SASL configuration search path.
+
+Not submitted upstream. Somewhat Debian-specific and probably not of
+interest upstream.
+
+Index: openldap/include/ldap_defaults.h
+===================================================================
+--- openldap.orig/include/ldap_defaults.h 2022-05-20 17:36:12.337246188 -0400
++++ openldap/include/ldap_defaults.h 2022-05-20 17:36:12.333246185 -0400
+@@ -75,4 +75,6 @@
+ */
+ #define LLOADD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "lloadd.conf"
+
++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
++
+ #endif /* _LDAP_CONFIG_H */
+Index: openldap/servers/slapd/sasl.c
+===================================================================
+--- openldap.orig/servers/slapd/sasl.c 2022-05-20 17:36:12.337246188 -0400
++++ openldap/servers/slapd/sasl.c 2022-05-20 17:36:12.333246185 -0400
+@@ -1231,12 +1231,38 @@
+ slapd_rw_destroy
+ };
+
++static int
++slap_sasl_getconfpath( void * context, char ** path )
++{
++ char * sasl_default_configpath;
++ size_t len;
++
++#if SASL_VERSION_MAJOR >= 2
++ sasl_default_configpath = "/usr/lib/sasl2";
++#else
++ sasl_default_configpath = "/usr/lib/sasl";
++#endif
++
++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
++ strlen(sasl_default_configpath) + 1 /* \0 */;
++ *path = malloc( len );
++ if ( *path == NULL )
++ return SASL_FAIL;
++
++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
++ sasl_default_configpath ) != len-1 )
++ return SASL_FAIL;
++
++ return SASL_OK;
++}
++
+ int slap_sasl_init( void )
+ {
+ #ifdef HAVE_CYRUS_SASL
+ int rc;
+ static sasl_callback_t server_callbacks[] = {
+ { SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL },
++ { SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL },
+ { SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL },
+ { SASL_CB_LIST_END, NULL, NULL }
+ };
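Review bot: On the `snprintf` failure path in slap_sasl_getconfpath() the buffer just obtained from `malloc` is neither freed nor cleared, so the function returns SASL_FAIL while `*path` still points at a partially written allocation. The comparison `!= len-1` also mixes the `int` result of snprintf with a `size_t`, and `sasl_default_configpath` holds string literals but is declared `char *`. The hard-coded `/usr/lib/sasl2` and `/usr/lib/sasl` fallbacks may not match the directory the linked libsasl was built with, so a comment saying where they come from would help. slap_sasl_init() continues outside the hunk.

```c
	const char *sasl_default_configpath;
	/* … unchanged: default path selection, len computation, malloc and NULL check … */
	if ( snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
		sasl_default_configpath ) != (int)( len - 1 ) ) {
		/* do not hand a half-built path back to the caller */
		free( *path );
		*path = NULL;
		return SASL_FAIL;
	}
```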
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a8d57cb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,15 @@
+debian-version
+man-slapd
+slapi-errorlog-file
+ldapi-socket-place
+wrong-database-location
+index-files-created-as-root
+sasl-default-path
+getaddrinfo-is-threadsafe
+do-not-second-guess-sonames
+contrib-makefiles
+ldap-conf-tls-cacertdir
+add-tlscacert-option-to-ldap-conf
+fix-build-top-mk
+switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
+set-maintainer-name
diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name
new file mode 100644
index 0000000..b537e4e
--- /dev/null
+++ b/debian/patches/set-maintainer-name
@@ -0,0 +1,18 @@
+Index: openldap/build/mkversion
+===================================================================
+--- openldap.orig/build/mkversion 2022-05-20 17:36:16.721249629 -0400
++++ openldap/build/mkversion 2022-05-20 17:36:16.717249626 -0400
+@@ -50,12 +50,7 @@
+ fi
+
+ APPLICATION=$1
+-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings
+-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+- WHOWHERE="openldap"
+-else
+- WHOWHERE="$USER@$(uname -n):$(pwd)"
+-fi
++WHOWHERE="${DEB_MAINTAINER:-openldap}"
+
+ cat << __EOF__
+ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file
new file mode 100644
index 0000000..f538c10
--- /dev/null
+++ b/debian/patches/slapi-errorlog-file
@@ -0,0 +1,18 @@
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir. Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+Index: openldap/servers/slapd/slapi/slapi_overlay.c
+===================================================================
+--- openldap.orig/servers/slapd/slapi/slapi_overlay.c 2022-05-20 17:36:09.141243662 -0400
++++ openldap/servers/slapd/slapi/slapi_overlay.c 2022-05-20 17:36:09.141243662 -0400
+@@ -933,7 +933,7 @@
+ ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+
+ if ( slapi_log_file == NULL )
+- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+
+ rc = slapi_int_init_object_extensions();
+ if ( rc != 0 )
diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
new file mode 100644
index 0000000..17b448a
--- /dev/null
+++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
@@ -0,0 +1,42 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load
+ non-trivial Perl extensions that require symbols from back_perl.so itself.
+Bug-Debian: http://bugs.debian.org/327585
+
+---
+Index: openldap/servers/slapd/module.c
+===================================================================
+--- openldap.orig/servers/slapd/module.c 2022-05-20 17:36:16.057249110 -0400
++++ openldap/servers/slapd/module.c 2022-05-20 17:36:16.053249107 -0400
+@@ -117,6 +117,20 @@
+ return -1; /* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -179,7 +193,7 @@
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
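Review bot: slapd_lt_dlopenext_global() replaces `lt_dlopenext` for every call in module_load(), so all modules slapd loads get global symbol visibility even though the patch header says only back_perl needs it. With global visibility a symbol exported by one module can satisfy or shadow lookups made by modules loaded later, so the helper should state why this is accepted. I would add a comment such as `/* Open with RTLD_GLOBAL so Perl extensions can resolve symbols from back_perl.so (Debian #327585); this applies to every module */`. `lt_dladvise_destroy (&advise)` is also reached when `lt_dladvise_init` fails, which relies on init leaving `advise` in a destroyable state; this should be confirmed against libltdl or the call made conditional. module_load() continues outside the hunk.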
diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location
new file mode 100644
index 0000000..3900a0e
--- /dev/null
+++ b/debian/patches/wrong-database-location
@@ -0,0 +1,73 @@
+Move the default slapd database location to /var/lib/ldap instead of
+/var/openldap-data.
+
+Debian-specific.
+
+Index: openldap/doc/man/man5/slapd.conf.5
+===================================================================
+--- openldap.orig/doc/man/man5/slapd.conf.5 2022-05-20 17:36:10.817244990 -0400
++++ openldap/doc/man/man5/slapd.conf.5 2022-05-20 17:36:10.813244986 -0400
+@@ -2122,7 +2122,7 @@
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-directory LOCALSTATEDIR/openldap\-data
++directory LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ index objectClass eq
+ index cn,sn,mail pres,eq,approx,sub
+Index: openldap/include/ldap_defaults.h
+===================================================================
+--- openldap.orig/include/ldap_defaults.h 2022-05-20 17:36:10.817244990 -0400
++++ openldap/include/ldap_defaults.h 2022-05-20 17:36:10.813244986 -0400
+@@ -54,7 +54,7 @@
+ #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
+ #endif
+ #ifndef SLAPD_DEFAULT_DB_DIR
+-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap"
+ #endif
+ #define SLAPD_DEFAULT_DB_MODE 0600
+ /* default max deref depth for aliases */
+Index: openldap/servers/slapd/Makefile.in
+===================================================================
+--- openldap.orig/servers/slapd/Makefile.in 2022-05-20 17:36:10.817244990 -0400
++++ openldap/servers/slapd/Makefile.in 2022-05-20 17:36:10.813244986 -0400
+@@ -452,9 +452,9 @@
+
+ install-db-config: FORCE
+ @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ $(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+
+Index: openldap/doc/man/man5/slapd-config.5
+===================================================================
+--- openldap.orig/doc/man/man5/slapd-config.5 2022-05-20 17:36:10.817244990 -0400
++++ openldap/doc/man/man5/slapd-config.5 2022-05-20 17:36:10.813244986 -0400
+@@ -2233,7 +2233,7 @@
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
++olcDbDirectory: LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ olcDbIndex: objectClass eq
+ olcDbIndex: cn,sn,mail pres,eq,approx,sub
+Index: openldap/doc/man/man5/slapd-mdb.5
+===================================================================
+--- openldap.orig/doc/man/man5/slapd-mdb.5 2022-05-20 17:36:10.817244990 -0400
++++ openldap/doc/man/man5/slapd-mdb.5 2022-05-20 17:36:10.813244986 -0400
+@@ -63,7 +63,7 @@
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR}
+ Specify flags for finer-grained control of the LMDB library's operation.