From 83da7a0ac93decce70c1a02b0739020d8e2b69fd Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 19:54:14 +0200 Subject: Adding debian version 2.6.7+dfsg-1~exp1. Signed-off-by: Daniel Baumann --- debian/patches/add-tlscacert-option-to-ldap-conf | 12 ++++ debian/patches/contrib-makefiles | 54 ++++++++++++++++ debian/patches/debian-version | 16 +++++ debian/patches/do-not-second-guess-sonames | 73 ++++++++++++++++++++++ debian/patches/fix-build-top-mk | 13 ++++ debian/patches/getaddrinfo-is-threadsafe | 47 ++++++++++++++ debian/patches/index-files-created-as-root | 41 ++++++++++++ debian/patches/ldap-conf-tls-cacertdir | 29 +++++++++ debian/patches/ldapi-socket-place | 18 ++++++ debian/patches/man-slapd | 62 ++++++++++++++++++ debian/patches/sasl-default-path | 59 +++++++++++++++++ debian/patches/series | 15 +++++ debian/patches/set-maintainer-name | 18 ++++++ debian/patches/slapi-errorlog-file | 18 ++++++ ...-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff | 42 +++++++++++++ debian/patches/wrong-database-location | 73 ++++++++++++++++++++++ 16 files changed, 590 insertions(+) create mode 100644 debian/patches/add-tlscacert-option-to-ldap-conf create mode 100644 debian/patches/contrib-makefiles create mode 100644 debian/patches/debian-version create mode 100644 debian/patches/do-not-second-guess-sonames create mode 100644 debian/patches/fix-build-top-mk create mode 100644 debian/patches/getaddrinfo-is-threadsafe create mode 100644 debian/patches/index-files-created-as-root create mode 100644 debian/patches/ldap-conf-tls-cacertdir create mode 100644 debian/patches/ldapi-socket-place create mode 100644 debian/patches/man-slapd create mode 100644 debian/patches/sasl-default-path create mode 100644 debian/patches/series create mode 100644 debian/patches/set-maintainer-name create mode 100644 debian/patches/slapi-errorlog-file create mode 100644 debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff create mode 100644 debian/patches/wrong-database-location (limited to 'debian/patches') diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf new file mode 100644 index 0000000..7512dc1 --- /dev/null +++ b/debian/patches/add-tlscacert-option-to-ldap-conf @@ -0,0 +1,12 @@ +Index: openldap/libraries/libldap/ldap.conf +=================================================================== +--- openldap.orig/libraries/libldap/ldap.conf 2022-05-20 17:36:15.013248293 -0400 ++++ openldap/libraries/libldap/ldap.conf 2022-05-20 17:36:15.013248293 -0400 +@@ -11,3 +11,7 @@ + #SIZELIMIT 12 + #TIMELIMIT 15 + #DEREF never ++ ++# TLS certificates (needed for GnuTLS) ++TLS_CACERT /etc/ssl/certs/ca-certificates.crt ++ diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles new file mode 100644 index 0000000..b2c8f99 --- /dev/null +++ b/debian/patches/contrib-makefiles @@ -0,0 +1,54 @@ +Index: openldap/contrib/slapd-modules/passwd/Makefile +=================================================================== +--- openldap.orig/contrib/slapd-modules/passwd/Makefile 2024-02-01 16:22:33.496188990 -0500 ++++ openldap/contrib/slapd-modules/passwd/Makefile 2024-02-01 16:22:33.496188990 -0500 +@@ -20,7 +20,7 @@ + LIBS = $($(PLAT)_LIB) $(LDAP_LIB) + LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module + +-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la ++PROGRAMS = pw-netscape.la pw-apr1.la + MANPAGES = slapd-pw-radius.5 + LTVER = 0:0:0 + +Index: openldap/contrib/slapd-modules/passwd/pbkdf2/Makefile +=================================================================== +--- openldap.orig/contrib/slapd-modules/passwd/pbkdf2/Makefile 2024-02-01 16:22:33.496188990 -0500 ++++ openldap/contrib/slapd-modules/passwd/pbkdf2/Makefile 2024-02-01 16:22:33.496188990 -0500 +@@ -18,7 +18,7 @@ + #DEFS = -DSLAPD_PBKDF2_DEBUG + + SSL_INC = +-SSL_LIB = -lcrypto ++SSL_LIB = -lnettle + + INCS = $(LDAP_INC) $(SSL_INC) + LIBS = $($(PLAT)_LIB) $(LDAP_LIB) $(SSL_LIB) +Index: openldap/contrib/slapd-modules/smbk5pwd/Makefile +=================================================================== +--- openldap.orig/contrib/slapd-modules/smbk5pwd/Makefile 2024-02-01 16:22:33.496188990 -0500 ++++ openldap/contrib/slapd-modules/smbk5pwd/Makefile 2024-02-01 16:23:34.552414593 -0500 +@@ -19,10 +19,10 @@ + $(LDAP_BUILD)/libraries/liblber/liblber.la + + SSL_INC = +-SSL_LIB = -lcrypto ++SSL_LIB = -lnettle + +-HEIMDAL_INC = -I/usr/heimdal/include +-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv ++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server) ++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server) + + PLAT = UNIX + NT_LIB = -L$(LDAP_BUILD)/servers/slapd -lslapd +@@ -36,7 +36,8 @@ + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. + DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW + INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) +-LIBS = $($(PLAT)_LIB) $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) ++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356 ++LIBS = $($(PLAT)_LIB) $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) + LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module + + PROGRAMS = smbk5pwd.la diff --git a/debian/patches/debian-version b/debian/patches/debian-version new file mode 100644 index 0000000..0529c3e --- /dev/null +++ b/debian/patches/debian-version @@ -0,0 +1,16 @@ +Description: Replace upstream version with Debian version in version strings +Forwarded: not-needed +Author: Ryan Tandy +Index: openldap/build/version.sh +=================================================================== +--- openldap.orig/build/version.sh 2022-05-20 17:35:48.989227363 -0400 ++++ openldap/build/version.sh 2022-05-20 17:35:48.989227363 -0400 +@@ -36,7 +36,7 @@ + echo OL_PATCH=$ol_patch + echo OL_API_INC=$ol_api_inc + echo OL_API_LIB_VERSION=$ol_api_lib_version +-echo OL_VERSION=$ol_version ++echo OL_VERSION=\"${DEB_VERSION:-$ol_version}\" + echo OL_TYPE=$ol_type + echo OL_STRING=\"${ol_string}\" + echo OL_RELEASE_DATE=\"${ol_release_date}\" diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames new file mode 100644 index 0000000..a5fb328 --- /dev/null +++ b/debian/patches/do-not-second-guess-sonames @@ -0,0 +1,73 @@ +Rip out code that second-guesses the libsasl soname / Debian shlibs. If +cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream +there, not kludged around upstream here! + +Debian bug #546885 + +Upstream ITS #6302 filed. + +Index: openldap/libraries/libldap/cyrus.c +=================================================================== +--- openldap.orig/libraries/libldap/cyrus.c 2022-05-20 17:36:13.661247231 -0400 ++++ openldap/libraries/libldap/cyrus.c 2022-05-20 17:36:13.661247231 -0400 +@@ -74,29 +74,6 @@ + */ + int ldap_int_sasl_init( void ) + { +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." #pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- { int rc; +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- +- Debug1( LDAP_DEBUG_ANY, +- "ldap_int_sasl_init: SASL library version mismatch:" +- " expected " SASL_VERSION_STRING "," +- " got %s\n", version ); +- return -1; +- } +- } +-#endif +- + /* SASL 2 takes care of its own memory completely internally */ + #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC) + sasl_set_alloc( +Index: openldap/servers/slapd/sasl.c +=================================================================== +--- openldap.orig/servers/slapd/sasl.c 2022-05-20 17:36:13.661247231 -0400 ++++ openldap/servers/slapd/sasl.c 2022-05-20 17:36:13.661247231 -0400 +@@ -1271,26 +1271,6 @@ + rewrite_mapper_register( &slapd_mapper ); + + #ifdef HAVE_CYRUS_SASL +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." #pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) +- { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:" +- " expected %s, got %s\n", +- SASL_VERSION_STRING, version ); +- return -1; +- } +-#endif + + sasl_set_mutex( + ldap_pvt_sasl_mutex_new, diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk new file mode 100644 index 0000000..5cb469d --- /dev/null +++ b/debian/patches/fix-build-top-mk @@ -0,0 +1,13 @@ +Index: openldap/build/top.mk +=================================================================== +--- openldap.orig/build/top.mk 2022-05-20 17:36:15.513248684 -0400 ++++ openldap/build/top.mk 2022-05-20 17:36:15.509248681 -0400 +@@ -20,7 +20,7 @@ + RELEASEDATE= @OPENLDAP_RELEASE_DATE@ + + @SET_MAKE@ +-SHELL = /bin/sh ++SHELL = @SHELL@ + + top_builddir = @top_builddir@ + diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe new file mode 100644 index 0000000..b79bcbf --- /dev/null +++ b/debian/patches/getaddrinfo-is-threadsafe @@ -0,0 +1,47 @@ +Author: Steve Langasek + +OpenLDAP upstream conservatively assumes that certain resolver functions +(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we +know that the glibc implementations of these functions are thread-safe, so +we should bypass the use of this mutex. This fixes a locking problem when +an application uses libldap and libnss-ldap is also used for hosts +resolution. + +Closes Debian bug #340601. + +Not suitable for forwarding upstream; might be made suitable by adding a +configure-time check for glibc and disabling the mutex only on known +thread-safe implementations. + +Index: openldap/libraries/libldap/os-ip.c +=================================================================== +--- openldap.orig/libraries/libldap/os-ip.c 2022-05-20 17:36:12.989246703 -0400 ++++ openldap/libraries/libldap/os-ip.c 2022-05-20 17:36:12.989246703 -0400 +@@ -645,13 +645,7 @@ + hints.ai_socktype = socktype; + snprintf(serv, sizeof serv, "%d", port ); + +- /* most getaddrinfo(3) use non-threadsafe resolver libraries */ +- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex); +- + err = getaddrinfo( host, serv, &hints, &res ); +- +- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex); +- + if ( err != 0 ) { + Debug1(LDAP_DEBUG_TRACE, + "ldap_connect_to_host: getaddrinfo failed: %s\n", +Index: openldap/libraries/libldap/util-int.c +=================================================================== +--- openldap.orig/libraries/libldap/util-int.c 2022-05-20 17:36:12.989246703 -0400 ++++ openldap/libraries/libldap/util-int.c 2022-05-20 17:36:12.989246703 -0400 +@@ -559,9 +559,7 @@ + int rc; + #if defined( HAVE_GETNAMEINFO ) + +- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex ); + rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 ); +- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex ); + if ( rc ) *err = (char *)AC_GAI_STRERROR( rc ); + return rc; + diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root new file mode 100644 index 0000000..432113c --- /dev/null +++ b/debian/patches/index-files-created-as-root @@ -0,0 +1,41 @@ +Document in the man page that slapindex should be run as the same user +as slapd, and print a warning if it's run as root (since Debian defaults +to running slapd as openldap). + +Not suitable for upstream in this form. This patch needs to be reworked +to check the BerkeleyDB database ownership and only warn if running as +root with a database that's not owned by root. + +Upstream ITS #5356 filed requesting better handling of this. Current +upstream discussion leans towards putting the check into the database +backend and aborting if slapd is run as a different user than the database +owner, which is an even better fix. + +Index: openldap/doc/man/man8/slapindex.8 +=================================================================== +--- openldap.orig/doc/man/man8/slapindex.8 2022-05-20 17:36:11.609245615 -0400 ++++ openldap/doc/man/man8/slapindex.8 2022-05-20 17:36:11.605245612 -0400 +@@ -148,6 +148,10 @@ + should not be running (at least, not in read-write + mode) when you do this to ensure consistency of the database. + .LP ++slapindex ought to be run as the user specified for ++.BR slapd (8) ++to ensure correct database permissions. ++.LP + This command provides ample opportunity for the user to obtain + and drink their favorite beverage. + .SH EXAMPLES +Index: openldap/servers/slapd/slapindex.c +=================================================================== +--- openldap.orig/servers/slapd/slapindex.c 2022-05-20 17:36:11.609245615 -0400 ++++ openldap/servers/slapd/slapindex.c 2022-05-20 17:36:11.605245612 -0400 +@@ -34,6 +34,8 @@ + int + slapindex( int argc, char **argv ) + { ++ if (geteuid() == 0) ++ fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n"); + ID id; + int rc = EXIT_SUCCESS; + const char *progname = "slapindex"; diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir new file mode 100644 index 0000000..2b83e56 --- /dev/null +++ b/debian/patches/ldap-conf-tls-cacertdir @@ -0,0 +1,29 @@ +Index: openldap/doc/man/man5/ldap.conf.5 +=================================================================== +--- openldap.orig/doc/man/man5/ldap.conf.5 2022-05-20 17:36:14.589247961 -0400 ++++ openldap/doc/man/man5/ldap.conf.5 2022-05-20 17:36:14.589247961 -0400 +@@ -408,13 +408,13 @@ + Specifying a minimum that is higher than that supported by the + OpenLDAP implementation will result in it requiring the + highest level that it does support. +-This parameter is ignored with GnuTLS. ++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS. + .TP + .B TLS_RANDFILE + Specifies the file to obtain random bits from when /dev/[u]random is + not available. Generally set to the name of the EGD/PRNGD socket. + The environment variable RANDFILE can also be used to specify the filename. +-This parameter is ignored with GnuTLS. ++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS. + .TP + .B TLS_REQCERT + Specifies what checks to perform on server certificates in a TLS session. +@@ -476,7 +476,7 @@ + used to verify if the server certificates have not been revoked. This + requires + .B TLS_CACERTDIR +-parameter to be set. This parameter is ignored with GnuTLS. ++parameter to be set. This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS. + .B + can be specified as one of the following keywords: + .RS diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place new file mode 100644 index 0000000..1a52eca --- /dev/null +++ b/debian/patches/ldapi-socket-place @@ -0,0 +1,18 @@ +Move the ldapi socket to /var/run/slapd from /var/run, since /var/run +is only writable by root and slapd runs as openldap. + +Debian-specific. + +Index: openldap/include/ldap_defaults.h +=================================================================== +--- openldap.orig/include/ldap_defaults.h 2022-05-20 17:36:09.977244324 -0400 ++++ openldap/include/ldap_defaults.h 2022-05-20 17:36:09.973244321 -0400 +@@ -40,7 +40,7 @@ + + /* default ldapi:// socket */ + #ifndef LDAPI_SOCK +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi" + #endif + + /* diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd new file mode 100644 index 0000000..aec9515 --- /dev/null +++ b/debian/patches/man-slapd @@ -0,0 +1,62 @@ +Patch the slapd man page to not refer to a header file that isn't +installed with the slapd package and to reference the correct path +for slapd. + +Debian-specific. + +Index: openldap/doc/man/man8/slapd.8 +=================================================================== +--- openldap.orig/doc/man/man8/slapd.8 2022-05-20 17:36:07.977242738 -0400 ++++ openldap/doc/man/man8/slapd.8 2022-05-20 17:36:07.973242735 -0400 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B /usr/sbin/slapd + [\c + .BR \-V [ V [ V ]] + [\c +@@ -110,11 +110,10 @@ + will not fork or disassociate from the invoking terminal. Some general + operation and status messages are printed for any value of \fIdebug-level\fP. + \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +-different kind of debugging information. See for details. +-Comma-separated arrays of friendly names can be specified to select +-debugging output of the corresponding debugging information. +-All the names recognized by the \fIloglevel\fP directive +-described in \fBslapd.conf\fP(5) are supported. ++different kind of debugging information. Comma-separated arrays of friendly ++names can be specified to select debugging output of the corresponding ++debugging information. All the names recognized by the \fIloglevel\fP ++directive described in \fBslapd.conf\fP(5) are supported. + If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, + and slapd exits. + +@@ -332,7 +331,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ /usr/sbin/slapd + .ft + .fi + .LP +@@ -343,7 +342,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255 + .ft + .fi + .LP +@@ -351,7 +350,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ /usr/sbin/slapd \-Tt + .ft + .fi + .LP diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path new file mode 100644 index 0000000..aced4e5 --- /dev/null +++ b/debian/patches/sasl-default-path @@ -0,0 +1,59 @@ +Add /etc/ldap/sasl2 to the SASL configuration search path. + +Not submitted upstream. Somewhat Debian-specific and probably not of +interest upstream. + +Index: openldap/include/ldap_defaults.h +=================================================================== +--- openldap.orig/include/ldap_defaults.h 2022-05-20 17:36:12.337246188 -0400 ++++ openldap/include/ldap_defaults.h 2022-05-20 17:36:12.333246185 -0400 +@@ -75,4 +75,6 @@ + */ + #define LLOADD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "lloadd.conf" + ++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2" ++ + #endif /* _LDAP_CONFIG_H */ +Index: openldap/servers/slapd/sasl.c +=================================================================== +--- openldap.orig/servers/slapd/sasl.c 2022-05-20 17:36:12.337246188 -0400 ++++ openldap/servers/slapd/sasl.c 2022-05-20 17:36:12.333246185 -0400 +@@ -1231,12 +1231,38 @@ + slapd_rw_destroy + }; + ++static int ++slap_sasl_getconfpath( void * context, char ** path ) ++{ ++ char * sasl_default_configpath; ++ size_t len; ++ ++#if SASL_VERSION_MAJOR >= 2 ++ sasl_default_configpath = "/usr/lib/sasl2"; ++#else ++ sasl_default_configpath = "/usr/lib/sasl"; ++#endif ++ ++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ + ++ strlen(sasl_default_configpath) + 1 /* \0 */; ++ *path = malloc( len ); ++ if ( *path == NULL ) ++ return SASL_FAIL; ++ ++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH, ++ sasl_default_configpath ) != len-1 ) ++ return SASL_FAIL; ++ ++ return SASL_OK; ++} ++ + int slap_sasl_init( void ) + { + #ifdef HAVE_CYRUS_SASL + int rc; + static sasl_callback_t server_callbacks[] = { + { SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL }, ++ { SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL }, + { SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL }, + { SASL_CB_LIST_END, NULL, NULL } + }; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..a8d57cb --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,15 @@ +debian-version +man-slapd +slapi-errorlog-file +ldapi-socket-place +wrong-database-location +index-files-created-as-root +sasl-default-path +getaddrinfo-is-threadsafe +do-not-second-guess-sonames +contrib-makefiles +ldap-conf-tls-cacertdir +add-tlscacert-option-to-ldap-conf +fix-build-top-mk +switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff +set-maintainer-name diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name new file mode 100644 index 0000000..b537e4e --- /dev/null +++ b/debian/patches/set-maintainer-name @@ -0,0 +1,18 @@ +Index: openldap/build/mkversion +=================================================================== +--- openldap.orig/build/mkversion 2022-05-20 17:36:16.721249629 -0400 ++++ openldap/build/mkversion 2022-05-20 17:36:16.717249626 -0400 +@@ -50,12 +50,7 @@ + fi + + APPLICATION=$1 +-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings +-if [ -n "${SOURCE_DATE_EPOCH}" ]; then +- WHOWHERE="openldap" +-else +- WHOWHERE="$USER@$(uname -n):$(pwd)" +-fi ++WHOWHERE="${DEB_MAINTAINER:-openldap}" + + cat << __EOF__ + /* This work is part of OpenLDAP Software . diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file new file mode 100644 index 0000000..f538c10 --- /dev/null +++ b/debian/patches/slapi-errorlog-file @@ -0,0 +1,18 @@ +The slapi error log file defaults to /var/errors given our setting +of --localstatedir. Move it to /var/log/slapi-errors instead. + +Debian-specific. + +Index: openldap/servers/slapd/slapi/slapi_overlay.c +=================================================================== +--- openldap.orig/servers/slapd/slapi/slapi_overlay.c 2022-05-20 17:36:09.141243662 -0400 ++++ openldap/servers/slapd/slapi/slapi_overlay.c 2022-05-20 17:36:09.141243662 -0400 +@@ -933,7 +933,7 @@ + ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex ); + + if ( slapi_log_file == NULL ) +- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" ); ++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" ); + + rc = slapi_int_init_object_extensions(); + if ( rc != 0 ) diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff new file mode 100644 index 0000000..17b448a --- /dev/null +++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff @@ -0,0 +1,42 @@ +From: Jan-Marek Glogowski +Date: Tue, 18 May 2010 17:47:05 +0200 +Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. + Open all modules with RTLD_GLOBAL, needed so that back_perl can load + non-trivial Perl extensions that require symbols from back_perl.so itself. +Bug-Debian: http://bugs.debian.org/327585 + +--- +Index: openldap/servers/slapd/module.c +=================================================================== +--- openldap.orig/servers/slapd/module.c 2022-05-20 17:36:16.057249110 -0400 ++++ openldap/servers/slapd/module.c 2022-05-20 17:36:16.053249107 -0400 +@@ -117,6 +117,20 @@ + return -1; /* not found */ + } + ++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) ++{ ++ lt_dlhandle handle = 0; ++ lt_dladvise advise; ++ ++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) ++ && !lt_dladvise_global (&advise)) ++ handle = lt_dlopenadvise (filename, advise); ++ ++ lt_dladvise_destroy (&advise); ++ ++ return handle; ++} ++ + int module_load(const char* file_name, int argc, char *argv[]) + { + module_loaded_t *module; +@@ -179,7 +193,7 @@ + * to calling Debug. This is because Debug is a macro that expands + * into multiple function calls. + */ +- if ((module->lib = lt_dlopenext(file)) == NULL) { ++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { + error = lt_dlerror(); + #ifdef HAVE_EBCDIC + strcpy( ebuf, error ); diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location new file mode 100644 index 0000000..3900a0e --- /dev/null +++ b/debian/patches/wrong-database-location @@ -0,0 +1,73 @@ +Move the default slapd database location to /var/lib/ldap instead of +/var/openldap-data. + +Debian-specific. + +Index: openldap/doc/man/man5/slapd.conf.5 +=================================================================== +--- openldap.orig/doc/man/man5/slapd.conf.5 2022-05-20 17:36:10.817244990 -0400 ++++ openldap/doc/man/man5/slapd.conf.5 2022-05-20 17:36:10.813244986 -0400 +@@ -2122,7 +2122,7 @@ + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap\-data ++directory LOCALSTATEDIR/lib/ldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +Index: openldap/include/ldap_defaults.h +=================================================================== +--- openldap.orig/include/ldap_defaults.h 2022-05-20 17:36:10.817244990 -0400 ++++ openldap/include/ldap_defaults.h 2022-05-20 17:36:10.813244986 -0400 +@@ -54,7 +54,7 @@ + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" + #endif + #ifndef SLAPD_DEFAULT_DB_DIR +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap" + #endif + #define SLAPD_DEFAULT_DB_MODE 0600 + /* default max deref depth for aliases */ +Index: openldap/servers/slapd/Makefile.in +=================================================================== +--- openldap.orig/servers/slapd/Makefile.in 2022-05-20 17:36:10.817244990 -0400 ++++ openldap/servers/slapd/Makefile.in 2022-05-20 17:36:10.813244986 -0400 +@@ -452,9 +452,9 @@ + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +Index: openldap/doc/man/man5/slapd-config.5 +=================================================================== +--- openldap.orig/doc/man/man5/slapd-config.5 2022-05-20 17:36:10.817244990 -0400 ++++ openldap/doc/man/man5/slapd-config.5 2022-05-20 17:36:10.813244986 -0400 +@@ -2233,7 +2233,7 @@ + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-olcDbDirectory: LOCALSTATEDIR/openldap\-data ++olcDbDirectory: LOCALSTATEDIR/lib/ldap + # Indices to maintain + olcDbIndex: objectClass eq + olcDbIndex: cn,sn,mail pres,eq,approx,sub +Index: openldap/doc/man/man5/slapd-mdb.5 +=================================================================== +--- openldap.orig/doc/man/man5/slapd-mdb.5 2022-05-20 17:36:10.817244990 -0400 ++++ openldap/doc/man/man5/slapd-mdb.5 2022-05-20 17:36:10.813244986 -0400 +@@ -63,7 +63,7 @@ + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR} + Specify flags for finer-grained control of the LMDB library's operation. -- cgit v1.2.3