From 8755b75907eb9b83b10c93d4c4137459ba7e5a49 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Wed, 18 Oct 2023 21:16:20 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 openldap2 revision 797c98628f627d4fef10264beba567c3 --- .gitattributes | 23 + 0003-LDAPI-socket-location.dif | 12 + 0005-pie-compile.dif | 101 + ...nd-do-not-return-Connection0-entries.patch | 26 + ...ar-shared-key-only-in-close-function.patch | 16 + README.module-loading | 25 + _multibuild | 3 + addonschema.tar.gz | 3 + baselibs.conf | 6 + fixup-modulepath.sh | 42 + ldap-user.conf | 2 + openldap-2.6.4.tgz | 3 + openldap-2.6.4.tgz.asc | 16 + openldap2.changes | 3531 +++++++++++++++++ openldap2.conf | 2 + openldap2.keyring | Bin 0 -> 2259 bytes openldap2.spec | 609 +++ reproducible.patch | 13 + sasl-slapd.conf | 1 + schema2ldif | 53 + slapd-ldif-update-crc.sh | 33 + slapd.conf | 86 + slapd.conf.example | 354 ++ slapd.conf.olctemplate | 46 + slapd.service | 28 + start | 174 + sysconfig.openldap | 158 + update-crc.sh | 67 + 28 files changed, 5433 insertions(+) create mode 100644 .gitattributes create mode 100644 0003-LDAPI-socket-location.dif create mode 100644 0005-pie-compile.dif create mode 100644 0008-In-monitor-backend-do-not-return-Connection0-entries.patch create mode 100644 0016-Clear-shared-key-only-in-close-function.patch create mode 100644 README.module-loading create mode 100644 _multibuild create mode 100644 addonschema.tar.gz create mode 100644 baselibs.conf create mode 100644 fixup-modulepath.sh create mode 100644 ldap-user.conf create mode 100644 openldap-2.6.4.tgz create mode 100644 openldap-2.6.4.tgz.asc create mode 100644 openldap2.changes create mode 100644 openldap2.conf create mode 100644 openldap2.keyring create mode 100644 openldap2.spec create mode 100644 reproducible.patch create mode 100644 sasl-slapd.conf create mode 100644 schema2ldif create mode 100644 slapd-ldif-update-crc.sh create mode 100644 slapd.conf create mode 100644 slapd.conf.example create mode 100644 slapd.conf.olctemplate create mode 100644 
slapd.service create mode 100644 start create mode 100644 sysconfig.openldap create mode 100644 update-crc.sh
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0003-LDAPI-socket-location.dif b/0003-LDAPI-socket-location.dif
new file mode 100644
index 0000000..38cdfbb
--- /dev/null
+++ b/0003-LDAPI-socket-location.dif
@@ -0,0 +1,12 @@
+diff -ur openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h
+--- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200
++++ openldap-2.6.2/include/ldap_defaults.h 2022-05-23 12:55:05.059335200 +0200
+@@ -40,7 +40,7 @@
+
+ /* default ldapi:// socket */
+ #ifndef LDAPI_SOCK
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
+ #endif
+
+ /*
diff --git a/0005-pie-compile.dif b/0005-pie-compile.dif
new file mode 100644
index 0000000..34c4a62
--- /dev/null
+++ b/0005-pie-compile.dif 
@@ -0,0 +1,101 @@
+From 60edf86023da15db7be5935c85826e16d2b78648 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp
+Date: Fri, 12 Nov 2010 09:39:11 +0100
+Subject: pie compile
+
+
+diff --git a/build/top.mk b/build/top.mk
+index 38ce146d7..d7fee4ec2 100644
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@
+ LTSTATIC = @LTSTATIC@
+
+ LTLINK = $(LIBTOOL) --mode=link \
+- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
++ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
+
+ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
+ $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
+@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
+ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS)
+
+ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
+- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
++ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+
+ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
+ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
+@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
+ # Our Defaults
+ CC = $(AC_CC)
+ DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
+-CFLAGS = $(AC_CFLAGS) $(DEFS)
++CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
+ LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
+ LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
+
+diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
+index 71400ca1b..6427165c6 100644
+--- a/servers/slapd/back-ldap/Makefile.in
++++ b/servers/slapd/back-ldap/Makefile.in
+@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
+ BUILD_OPT = "--enable-ldap"
+ BUILD_MOD = @BUILD_LDAP@
+
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(@BUILD_LDAP@_DEFS)
+
+diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
+index 225c8dd19..2f07c067b 100644
+--- a/servers/slapd/back-ldif/Makefile.in
++++ b/servers/slapd/back-ldif/Makefile.in
+@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
+ BUILD_OPT = "--enable-ldif"
+ BUILD_MOD = yes
+
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(yes_DEFS)
+
+diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
+index 6d64824da..9bbf8747d 100644
+--- a/servers/slapd/back-mdb/Makefile.in
++++ b/servers/slapd/back-mdb/Makefile.in
+@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
+ BUILD_OPT = "--enable-mdb"
+ BUILD_MOD = @BUILD_MDB@
+
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(@BUILD_MDB@_DEFS)
+ MOD_LIBS = $(MDB_LIBS)
+diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
+index 200a1c65c..6b2afffb9 100644
+--- a/servers/slapd/back-monitor/Makefile.in
++++ b/servers/slapd/back-monitor/Makefile.in
+@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
+ BUILD_OPT = "--enable-monitor"
+ BUILD_MOD = yes
+
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(yes_DEFS)
+
+diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
+index 71d74a171..60b44afd8 100644
+--- a/servers/slapd/back-relay/Makefile.in
++++ b/servers/slapd/back-relay/Makefile.in
+@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
+ BUILD_OPT = "--enable-relay"
+ BUILD_MOD = @BUILD_RELAY@
+
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(@BUILD_RELAY@_DEFS)
diff --git a/0008-In-monitor-backend-do-not-return-Connection0-entries.patch b/0008-In-monitor-backend-do-not-return-Connection0-entries.patch
new file mode 100644
index 0000000..99a96c1
--- /dev/null
+++ b/0008-In-monitor-backend-do-not-return-Connection0-entries.patch
@@ -0,0 +1,26 @@ +From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001 +From: HouzuoGuo +Date: Fri, 13 Mar 2015 16:14:10 +0100 +Subject: [PATCH] In monitor backend, do not return Connection0 entries as they + are created for internal use only. + +--- + servers/slapd/back-monitor/conn.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c +index 4d327f243..c4d3c6237 100644 +--- a/servers/slapd/back-monitor/conn.c ++++ b/servers/slapd/back-monitor/conn.c +@@ -456,6 +456,11 @@ monitor_subsys_conn_create( + c != NULL; + c = connection_next( c, &connindex ) ) + { ++ /* Connection 0 is created by connection_client_setup for internal use only */ ++ if (c->c_connid == 0) { ++ continue; ++ } ++ + monitor_entry_t *mp; + + /* ignore outbound for now, nothing to show */ diff --git a/0016-Clear-shared-key-only-in-close-function.patch b/0016-Clear-shared-key-only-in-close-function.patch new file mode 100644 index 0000000..e6ea5e9 --- /dev/null +++ b/0016-Clear-shared-key-only-in-close-function.patch @@ -0,0 +1,16 @@ +diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c +index 6bdf3151d..56212151b 100644 +--- a/libraries/liblmdb/mdb.c ++++ b/libraries/liblmdb/mdb.c +@@ -4692,6 +4692,11 @@ mdb_env_close0(MDB_env *env, int excl) + + if (env->me_flags & MDB_ENV_TXKEY) { + pthread_key_delete(env->me_txkey); ++ ++ // No need to call desctructor anymore, as all pid ++ // values are cleared below. ++ env->me_txkey = NULL; ++ + #ifdef _WIN32 + /* Delete our key from the global list */ + for (i=0; i + +Overlays man-pages: +man 5 slapo- diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..e00f085 --- /dev/null +++ b/_multibuild @@ -0,0 +1,3 @@ + + contrib + diff --git a/addonschema.tar.gz b/addonschema.tar.gz new file mode 100644 index 0000000..394594d --- /dev/null +++ b/addonschema.tar.gz 
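Review bot: In the 0016 patch for libraries/liblmdb/mdb.c, `env->me_txkey = NULL;` stores a pointer constant into the value that was just passed to `pthread_key_delete()`, i.e. a `pthread_key_t`; POSIX leaves that type opaque and glibc defines it as an integer, so this is a pointer-to-integer conversion that current compilers diagnose and that does not mark the key as invalid in any portable way. The `#ifdef _WIN32` block directly below appears to look the key up in a global list, so overwriting it first may defeat that lookup. If the intent is to stop later code from touching the deleted key, clearing the flag tested two lines above, `env->me_flags &= ~MDB_ENV_TXKEY;`, says so without writing a sentinel into an opaque type. The patch has no header or description; the reason for the change should be recorded there, and the added comment misspells "destructor" as `desctructor`. The tail of this hunk and the rest of mdb_env_close0 are not visible here.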
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0dcd368d31071acffdc077887b661ba5360ee9395fdf957e827d64acdabfd64
+size 29233
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..0087734
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,6 @@
+libldap2
+ provides "openldap2-client- = "
+ obsoletes "openldap2-client- <= "
+openldap2-devel
+ requires -openldap2-
+ requires "libldap2- = "
diff --git a/fixup-modulepath.sh b/fixup-modulepath.sh
new file mode 100644
index 0000000..b16fed2
--- /dev/null
+++ b/fixup-modulepath.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /usr/lib/openldap/update-crc
+
+conf_dir='/etc/openldap/slapd.d'
+tgt_ldif="${conf_dir}/cn=config.ldif"
+if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
+then
+ exit 0
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+ /usr/bin/systemctl is-active --quiet slapd.service
+ slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+ echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
+ exit 1
+fi
+
+# Remove the module path.
+sed -n -i '/olcModulePath/!p' ${tgt_ldif}
+
+res=$?
+
+if [ $res -ne 0 ]
+then
+ echo "Failed to remove olcModulePath in ${tgt_ldif}"
+ exit 1
+else
+ do_update_crc ${tgt_ldif}
+ echo "Updated crc of ${tgt_ldif}"
+fi
+
+
+
+
diff --git a/ldap-user.conf b/ldap-user.conf
new file mode 100644
index 0000000..4455b7c
--- /dev/null
+++ b/ldap-user.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u ldap - "User for OpenLDAP" /var/lib/ldap
diff --git a/openldap-2.6.4.tgz b/openldap-2.6.4.tgz
new file mode 100644
index 0000000..94ba548
--- /dev/null
+++ b/openldap-2.6.4.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d51704e50178430c06cf3d8aa174da66badf559747a47d920bb54b2d4aa40991
+size 6478424
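Review bot: In fixup-modulepath.sh the result of `do_update_crc ${tgt_ldif}` is never checked, so once `sed -i` has rewritten the file a failing or missing CRC helper still prints "Updated crc" and the script exits 0, leaving cn=config.ldif with a stale checksum; the `source` line at the top is unchecked too. I would write `source /usr/lib/openldap/update-crc || exit 1` and `do_update_crc "${tgt_ldif}" || { echo "Failed to update crc of ${tgt_ldif}" >&2; exit 1; }`. The expression `/olcModulePath/!p` deletes any line that merely contains that string and leaves behind the folded continuation lines of a long LDIF value; anchoring it as `/^olcModulePath:/` would at least narrow the match. If this runs as root from a package scriptlet (the spec is not visible in this view) and slapd.d is writable by the ldap account, note that `[ -f ]` follows symlinks, so rejecting the file when `[ -L "${tgt_ldif}" ]` is true before editing is worth adding.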
diff --git a/openldap-2.6.4.tgz.asc b/openldap-2.6.4.tgz.asc
new file mode 100644
index 0000000..263ad8b
--- /dev/null
+++ b/openldap-2.6.4.tgz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmPkFcsACgkQf2fV/Rzh
+y84clA/8C30COyp5lKWvqiBIVjQHe8ZSLEWML8j6g7IbYcHm7uLIqADjzlaE0MCI
+YV2SfDFjom+OUFkQmzGNmYeyjpBV5yK5n5js0M1zSF2OPoapNoSZtnv0yXIUZ/Ee
+M1njsiMYuYWX0KWg4tYVbdLSm2iWH1d5zbGgyAecSQCFHZ/nQnZo+OWbRel06dCz
+ewkANAlUIIrsGEkKjKUetFOOuJiwb8r8KeXpYVijig7f/csoo7H78i4Pdmi3QzJ5
+D/TMHKx64ljes1n6ZHtm55lbkiuJTw3t4XnK9NhsKwr9zNlq+qI3ggJyK6xOQiQq
+05IjPMVp8kV1u117Xb9SlRwlfR/00jPwTdepuAK9OyxVS3CclS8Gh6Lm8ztwwTee
+C+eqwGhZNH7/twfq3TUHfWUl4LyclX02zxvljo3lcb3JIA7JWp8coi2EEeofOIlf
+oXKdyR4zA0Iey8LfBuyRC/smZoggdpzr0jIE5Z5Q97hTt4Rm5U4ZDe2GRfUTR82g
+Pz+VdBI/aCKlnDHqH912w4Tg62UeJiPfnLuWuCc7A0MNR2LAe7JKASdEaTb6t51N
+uzmxPYOlAixvGcjCg38Sc0877FXE1ss3RUnDyx+mCK2phEsWO69SdL4uz5E9Xdve
+0VbfO84pmN/+Gj5FfE93rJzTYjjySj80oANiqBAcA7P21pOttRg=
+=UfjX
+-----END PGP SIGNATURE-----
diff --git a/openldap2.changes b/openldap2.changes
new file mode 100644
index 0000000..ff1308b
--- /dev/null
+++ b/openldap2.changes
@@ -0,0 +1,3531 @@ +------------------------------------------------------------------- +Tue Sep 5 11:52:49 UTC 2023 - Thorsten Kukuk + +- Disable SLP by default for Factory and ALP (bsc#1214884) + +------------------------------------------------------------------- +Sat Apr 15 10:42:10 UTC 2023 - Dirk Müller + +- update to 2.6.4: + * Fixed client tools to remove 'h' and 'p' options + * Fixed ldapsearch memory leak with paged results (ITS#9860) + * Fixed libldap ldif_open_urlto check for failure (ITS#9904 CVE-2023-2953 boo#1211795) + * Fixed libldap ldap_url_parsehosts check for failure + * Fixed liblunicode UTF8bvnormalize buffer size (ITS#9955) + * Fixed lloadd memory leaks (ITS#9907) + * Fixed lloadd shutdown code to protect memory correctly + * Fixed lloadd race in epoch.c (ITS#9947) + * Fixed lloadd potential deadlock with cn=monitor (ITS#9951) + * Fixed lloadd to keep listener base around when not active + * Fixed lloadd object reclamation sequencing (ITS#9983) + * Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035) + * Fixed slapd free of redundant cmdline option (ITS#9912) + * Fixed slapd transactions extended operations cleanup after + * Fixed slapd deadlock with replicated cn=config + * Fixed slapd connection close logic (ITS#9991) + * Fixed slapd bconfig locking of cn=config entries (ITS#9045) + * Fixed slapd-mdb max number of index databases to 256 + * Fixed slapd-mdb to always release entries from ADD operations + * Fixed slapd-mdb to fully init empty DN in tool_entry_get + * Fixed slapd-monitor memory leaks with lloadd (ITS#9906) + * Fixed slapd-monitor to free remembered cookies (ITS#9339) + * Fixed slapo-accesslog reqStart ordering matching rule + * Fixed slapo-deref memory leak (ITS#9924) + * Fixed slapo-dynlist to ignore irrelevant objectClasses + * Fixed slapo-dynlist to avoid unnecessary searches (ITS#9929) + * Fixed slapo-dynlist to mark internal searches as such + * Fixed slapo-pcache crash in consistency_check (ITS#9966) + * Fixed 
slapo-remoteauth memory leaks (ITS#9438) + * Fixed slapo-rwm memory leaks (ITS#9817) + * Build Environment + * Fixed ancient DOS related ifdef checks (ITS#9925) + * Fixed build process to not use gmake specific features + * Fixed source tree to remove symlinks (ITS#9926) + * Fixed slapo-otp testdir creation (ITS#9437) + * Fixed slapd-tester memory leak (ITS#9908) + * Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, + ITS#9901) + * Fixed usage of bashism (ITS#9900) + * Fixed test suite portability (ITS#9931) + * Documentation + * Fixed ldap_bind(3) to document ber_bvfree in ldap_sasl_bind + (ITS#9976) + * Fixed slapo-asyncmeta(5) to clarify scheduling for target + connections (ITS#9941) + * Fixed slapo-dynlist(5) to clarify configuration settings + (ITS#9957) + * Fixed slapo-unique(5) to clarify when quoting should be used + (ITS#9915) + * Minor cleanup + +------------------------------------------------------------------- +Sat Dec 10 09:46:56 UTC 2022 - Dirk Müller + +- add reproducible.patch to avoid using compile-time specific date/time + constructs + +------------------------------------------------------------------- +Mon Sep 26 05:16:18 UTC 2022 - William Brown + +- bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user + to privilege escalate to root due to unbound chown commands. 
+ +------------------------------------------------------------------- +Thu Jul 14 21:22:41 UTC 2022 - Michael Ströder + +- removed obsolete 0017-Resolve-error-handling-in-new-ctx-when-global.patch +- update to 2.6.3 + * Fixed librewrite declaration of calloc (ITS#9841) + * Fixed libldap to check for NULL ld (ITS#9157) + * Fixed libldap memory leaks (ITS#9876) + * Fixed lloadd to correctly tag Notice of Disconnection (ITS#9856) + * Fixed slapd delta-sync DN leak on ADD ops (ITS#9866) + * Fixed slapd replication with back-glue (ITS#9868) + * Fixed slapd lastbind replication with chaining (ITS#9863) + * Fixed slapd-ldap to correctly set authzid (ITS#9863) + * Fixed slapd-mdb to check for stale readers on + MDB_READERS_FULL (ITS#7165) + * Fixed slapd-mdb indexer task with replicated config (ITS#9858) + * Fixed slapo-accesslog onetime memory leak (ITS#9864) + * Fixed slapo-ppolicy interaction with slapo-rwm (ITS#9871) + * Fixed slapo-rwm to handle escaping special characters (ITS#9817) + * Fixed slapo-syncprov memory leaks (ITS#9867) + * Fixed slapo-syncprov fallback in delta-sync mode (ITS#9823) + * Fixed slapo-unique to not release NULL entry (ITS#8245) + * doc: Fixed ldap_get_option(3) to clarify ldap_get/set_option + restrictions (ITS#9824) + +------------------------------------------------------------------- +Mon May 23 10:51:45 UTC 2022 - Michael Ströder + +- Update to release 2.6.2 + * Added support for OpenSSL 3.0 (ITS#9436) + * Fixed ldapdelete to prune LDAP subentries (ITS#9737) + * Fixed libldap to drop connection when non-LDAP data is + received (ITS#9803) + * Fixed libldap to allow newlines at end of included file + (ITS#9811) + * Fixed slapd slaptest conversion of olcLastBind (ITS#9808) + * Fixed slapd to correctly init global_host earlier (ITS#9787) + * Fixed slapd bconfig locking for cn=config replication + (ITS#9584) + * Fixed slapd usage of thread local counters (ITS#9789) + * Fixed slapd to clear runqueue task correctly (ITS#9785) + * Fixed slapd 
idletimeout handling (ITS#9820) + * Fixed slapd syncrepl handling of new sessions (ITS#9584) + * Fixed slapd to clear connections on bind (ITS#9799) + * Fixed slapd to correctly advance connections index (ITS#9831) + * Fixed slapd syncrepl ODSEE replication of unknown attr + (ITS#9801) + * Fixed slapd-asyncmeta memory leak in keepalive setting, + slapd-ldap memory leak in keepalive setting, SEGV on config + rewrite, ordering on config rewrite, memory leak in keepalive + setting (ITS#9802) + * Fixed slapo-pcache SEGV & slapd-monitor SEGV on shutdown + (ITS#9809) + * Fixed slapd-monitor crash when hitting sizelimit (ITS#9832) + * Fixed slapd-sql to properly escape filter value (ITS#9815) + * Fixed slapo-dynlist dynamic group regression (ITS#9825) + * Fixed slapo-ppolicy operation handling to be consistent + (ITS#9794) + * Fixed slapo-translucent to correctly duplicate substring + filters (ITS#9818) + * Contrib: + * Update ppm module to the 2.1 release (ITS#9814) + * Documentation: + * admin26: Document new lloadd features (ITS#9780) + * Fixed slapd.conf(5)/slapd-config(5) syncrepl + sizelimit/timelimit documentation (ITS#9804) + * Fixed slapd-sock(5) to clarify "sockresps result" behavior + (ITS#8255) + +------------------------------------------------------------------- +Thu May 12 02:48:19 UTC 2022 - William Brown + +- bsc#1199277 - Resolve segfault when calling new ctx with global ctx +* 0017-Resolve-error-handling-in-new-ctx-when-global.patch + +------------------------------------------------------------------- +Mon Apr 11 20:52:33 UTC 2022 - Michael Ströder + +- Use libargon2 instead of libsodium because it supports p>1 +- Added new contrib overlays: authzid, datamorph, variant, vc + +------------------------------------------------------------------- +Sat Apr 2 22:57:29 UTC 2022 - Jan Engelhardt + +- Update to release 2.6.1 + * Ability to log directly to a file bypassing syslog + * back-ndb is retired + * back-sql and back-perl are deprecated + * lloadd(8): 
Additional load balancing strategies. + * lloadd(8): Additional options to improve coherence with certain + controls and extended operations. + +------------------------------------------------------------------- +Sat Mar 26 14:08:57 UTC 2022 - Stephan Kulow + +- Add _multibuild support to integrate the build of libldapcpp-devel + to drop the outdated copy + +------------------------------------------------------------------- +Mon Oct 25 22:03:53 UTC 2021 - Michael Ströder + +- update to 2.5.9 + +OpenLDAP 2.5.9 Release (2021/10/25) + Fixed slapo-accesslog to initialize minCSN on import of 2.4 databases (ITS#9720) + +------------------------------------------------------------------- +Mon Oct 11 18:46:13 UTC 2021 - Michael Ströder + +- update to 2.5.8 + +OpenLDAP 2.5.8 Release (2021/10/11) + Fixed libldap ldap_int_tls_connect: isdigit() requires unsigned char (ITS#9668) + Fixed libldap memory leak in ldap_get_option LDAP_OPT_X_TLS_PEERCERT (ITS#9696) + Fixed slapd to allow normalized values for namingContexts in cn=monitor (ITS#8341) + Fixed slapd to normalize the suffix in rootDSE (ITS#9664) + Fixed slapd slapadd to avoid destroying configDB prematurely (ITS#9678) + Fixed slapd to not spam logs with lastbind information (ITS#9156) + Fixed slapd slaptest migration to correctly set olcTSLVerifyClient (ITS#9711) + Fixed slapd-mdb multival delete handling (ITS#9712) + Fixed slapd-sql ldap_entry_objectclass table for mariadb/mysql (ITS#9679) + Fixed slapd-wt multiple issues (ITS#9463) + Fixed slapd-wt to close cache db correctly (ITS#9631) + Fixed slapo-ppolicy to restore OpenLDAP 2.4 compatibilty (ITS#9671) + Fixed slapo-syncprov to free uuid list when finished replaying sessionlog (ITS#6467) + Build + Fixed libldap result.c compilation on musl systems (ITS#9648) + Fixed slapd duplicate definition of peerbv (ITS#9659) + Fixed test suite with memberof modular builds (ITS#9464) + Contrib + Added man page for ppm contrib module (ITS#9644) + Fix crash when 
pwdCheckModuleArg is not defined for ppm (ITS#9656) + Documentation + Fixed guide download link for heimdal (ITS#9669) + Fixed guide documentation for TLSECName (ITS#9687) + Fixed guide documentation missing tags (ITS#9693) + Fixed guide loadbalancer typo (ITS#9699) + Fixed guide synprov-nopresent redundant text (ITS#9689) + Fixed guide various typos and fix config alignment (ITS#9706) + Removed ppolicy.schema from servers/slapd/schema/README (ITS#9156) + Fixed slapd.conf(5)/slapd-config(5) to document default for database monitoring (ITS#9674) + Fixed slapd-meta(5)/slapd-asyncmeta(5) verbiage for try-propagate (ITS#9646) + Fixed slapo-syncprov(5) to note entryCSN indexing is highly recommended (ITS#9688) + +------------------------------------------------------------------- +Tue Aug 24 13:04:36 UTC 2021 - Philipp Wagner + +- Update to upstream version 2.5.7 + Fixed lloadd client state tracking (ITS#9624) + Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611) + Fixed slapd-ldif duplicate controls response (ITS#9497) + Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621) + Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958) + Fixed slapd-mdb idlexp maximum size handling (ITS#9637) + Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628) + Fixed slapd-sql to add support for ppolicy attributes (ITS#9629) + Fixed slapd-sql to close transactions after bind and search (ITS#9630) + Fixed slapo-accesslog to make reqMod optional (ITS#9569) + Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625) + Documentation + slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637) + slapo-accesslog(5) note that reqMod is optional (ITS#9569) + Add ldapvc(1) man page (ITS#9549) + Add guide section on load balancer (ITS#9443) + Updated guide to document multiprovider as replacement for mirrormode (ITS#9200) + Updated guide to clarify slapd-mdb upgrade 
requirements (ITS#9200) + Updated guide to document removal of deprecated options from client tools (ITS#9200) + +------------------------------------------------------------------- +Fri Jul 30 13:30:05 UTC 2021 - Philipp Wagner + +- Major version update to 2.5.6 + See https://www.openldap.org/software/release/announce.html for a list of + changes. +- The threaded version of the OpenLDAP libraries, libldap_r, has been merged + with libldap with 2.5. Removed all related downstream changes, including the + openldap-r-only.dif patch. + Introduce a new compatibility symlink in the other direction: libldap_r + pointing to libldap. +- Removed the ppolicy-check-password module. It is unmaintained and does not + build any more. As part of that also remove the patch + patch 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch, which + is applied to this module. +- Removed patch 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch + Fixed upstream in 2.5 (ITS#8866) +- Updated patch 0005-pie-compile.dif + Removed the hunks on back-bdb and back-hdb, which are retired backends in 2.5. +- Removed patch 0007-Recover-on-DB-version-change.dif + The back-bdb backend was retired. +- Removed patch 0011-openldap-re24-its7796.patch + Fixed upstream in 2.5 (ITS#7796) +- Remove non-existant configure arguments: + --enable-rewrite, --enable-monitor, --enable-lmpasswd +- Add the --enable-dynacl configure option, which is required for --enable-aci +- Add the --with-argon2 configure option and remove it from the contrib + modules, since it is now official (ITS#9453). +- Pass mandir to smbk5pwd to ensure the man page ends up in /usr/share. +- Include the new overlays in libdir/openldap in the packages. +- Add the pkgconfig files to the devel package. +- Remove compat macro for _fillupdir, which was introduced in Nov 2017 and + should be widely available now. 
+ +------------------------------------------------------------------- +Fri Jun 4 00:06:15 UTC 2021 - Michael Ströder + +- updated to 2.4.59 + +OpenLDAP 2.4.59 Release (2021/06/03) + Fixed libldap TLSv1.3 cipher suites with OpenSSL 1.1.1 (ITS#9521) + Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530) + Fixed slapd syncrepl handling of add+delete on single value attr (ITS#9295) + Fixed slapd-mdb cursor init check (ITS#9526) + Fixed slapd-mdb deletion of context entry (ITS#9531) + Fixed slapd-mdb off-by-one affecting search scope (ITS#9557) + Fixed slapo-pcache locking during expiration (ITS#9529) + Contrib + Fixed slapo-autogroup to not thrash thread context (ITS#9494) + Documentation + ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559) + +------------------------------------------------------------------- +Tue Mar 16 20:15:53 UTC 2021 - Michael Ströder + +- updated to 2.4.58 + +OpenLDAP 2.4.58 Release (2021/03/16) + Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9454) + Fixed slapd to alloc new conn struct after freeing old one (ITS#9458) + Fixed slapd syncrepl to check all contextCSNs (ITS#9282) + Fixed slapd-bdb lockdetect config (ITS#9449) + +------------------------------------------------------------------- +Mon Jan 18 20:31:58 UTC 2021 - Michael Ströder + +- updated to 2.4.57 + +OpenLDAP 2.4.57 Release (2021/01/18) + Fixed ldapexop to use correct return code (ITS#9417) + Fixed slapd to remove asserts in UUIDNormalize (ITS#9391) + Fixed slapd to remove assert in csnValidate (ITS#9410) + Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427) + Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424) + Fixed slapd AVA sort with invalid RDN (ITS#9412) + Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425) + Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407) + Fixed slapd saslauthz to use slap_sl_free on normalized DN 
(ITS#9409) + Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413) + Fixed slapd modrdn memory leak (ITS#9420) + Fixed slapd double-free in vrfilter (ITS#9408) + Fixed slapd cancel operation to correctly terminate (ITS#9428) + Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400) + Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394) + +------------------------------------------------------------------- +Thu Dec 17 03:51:47 UTC 2020 - Michael Ströder + +- added openldap2.keyring and source signature file + +------------------------------------------------------------------- +Wed Nov 11 12:13:27 UTC 2020 - Michael Ströder + +- updated to 2.4.56 + +OpenLDAP 2.4.56 Release (2020/11/10) + Fixed slapd to remove assert in certificateListValidate (ITS#9383) + Fixed slapd to remove assert in csnNormalize23 (ITS#9384) + Fixed slapd to better parse ldapi listener URIs (ITS#9379) + +------------------------------------------------------------------- +Tue Oct 27 01:01:54 UTC 2020 - William Brown + +- bsc#1175568 CVE-2020-8027 + openldap_update_modules_path.sh has a number of issues in it's + design that lead to security issues. This file has been removed, + from the package, and the %post execution of the install. 
The + function is replaced by /usr/sbin/slapd-ldif-update-crc and + /usr/lib/openldap/fixup-modulepath, through the addition of the + source files: + * fixup-modulepath.sh + * slapd-ldif-update-crc.sh + * update-crc.sh + +------------------------------------------------------------------- +Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder + +- updated to 2.4.55 + +OpenLDAP 2.4.55 Release (2020/10/26) + Fixed slapd normalization handling with modrdn (ITS#9370) + Fixed slapd-meta to check ldap_install_tls return code (ITS#9366) + Contrib + Fixed nssov misplaced semicolon (ITS#8731, ITS#9368) + +LMDB 0.9.27 Release (2020/10/26) + ITS#9376 fix repeated DUPSORT cursor deletes + +------------------------------------------------------------------- +Mon Oct 12 20:21:23 UTC 2020 - Michael Ströder + +- updated to 2.4.54 + +OpenLDAP 2.4.54 Release (2020/10/12) + Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342) + Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) + Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) + Fixed slapd sessionlog to use a TAVL tree (ITS#8486) + Fixed slapd syncrepl to be fully serialized (ITS#8102) + Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345) + Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355) + Fixed slapd syncrepl to not create empty ADD ops (ITS#9359) + Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295) + Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353) + Fixed slapo-accesslog normalizer for reqStart (ITS#9358) + Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361) + Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) + +------------------------------------------------------------------- +Mon Sep 7 15:58:31 UTC 2020 - Michael Ströder + +- updated to 2.4.53 + +OpenLDAP 2.4.53 (2020/09/07) + Added slapd syncrepl additional SYNC logging (ITS#9043) 
+ Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
+ Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
+ Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
+ Build
+ Require OpenSSL 1.0.2 or later (ITS#9323)
+ Fixed libldap compilation issue with broken C compilers (ITS#9332)
+
+-------------------------------------------------------------------
+Fri Aug 28 22:06:57 UTC 2020 - Michael Ströder
+
+- updated to 2.4.52
+
+OpenLDAP 2.4.52 (2020/08/28)
+ Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
+ Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
+ Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
+ Fixed librewrite malloc/free corruption (ITS#9249)
+ Fixed libldap hang when using UDP and server down (ITS#9328)
+ Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
+ Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
+ Fixed slapd-mdb index error with collapsed range (ITS#9135)
+
+-------------------------------------------------------------------
+Thu Aug 20 16:39:54 UTC 2020 - Thorsten Kukuk
+
+- Switch from shadow to sysusers to generate ldap account
+- Remove if's for code older than SLE12 (Even SLE12 builds no longer)
+- Remove 12 years old sasl2 migration code
+
+-------------------------------------------------------------------
+Sat Aug 15 06:56:27 UTC 2020 - Thorsten Kukuk
+
+- Drop obsolete, not working DB_CONFIG
+- Remove init.d header from start script, does not work
+- Use bash for start script as syntax is not POSIX sh supported
+- Remove UPDATE_NEEDED section in start script, does never match
+
+-------------------------------------------------------------------
+Sat Aug 15 06:36:43 UTC 2020 - Thorsten Kukuk
+
+- Remove remaining rc.status usage in start script
+
+-------------------------------------------------------------------
+Wed Aug 12 06:16:42 UTC 2020 - Michael Ströder
+
+- updated to 2.4.51
+- removed obsolete patch 0014-ITS-8650-fix-debug-usage.patch
+
+OpenLDAP 2.4.51 Release (2020/08/11)
+ Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
+ Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
+ Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287)
+ Fixed slapd to enforce singular existence of some overlays (ITS#9309)
+ Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227)
+ Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282)
+ Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295)
+ Fixed slapd-perl dynamic config with threaded slapd (ITS#7573)
+ Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
+ Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
+ Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
+ Fixed slapo-chain to check referral (ITS#9262)
+ Build Environment
+ Fix test064 so it no longer uses bashisms (ITS#9263)
+ Contrib
+ Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248)
+ slapo-allowed - Fix usage of unitialized variable (ITS#9308)
+ Documentation
+ ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271)
+
+-------------------------------------------------------------------
+Mon Jun 8 12:46:34 UTC 2020 - Callum Farmer
+
+- Revert changes to libexecdir
+
+-------------------------------------------------------------------
+Sun Jun 7 10:20:45 UTC 2020 - Michael Ströder
+
+- More .spec cleanups
+
+-------------------------------------------------------------------
+Fri Jun 5 11:25:16 UTC 2020 - Callum Farmer
+
+- Fixes for %_libexecdir changing to /usr/libexec
+- Spec file cleanups
+
+-------------------------------------------------------------------
+Wed May 6 17:59:58 UTC 2020 - Michael Ströder
+
+- updated to 2.4.50
+- added 0014-ITS-8650-fix-debug-usage.patch
+- enabled new contrib overlay pw-argon2
+- replaced FTP by HTTPS download URL for source
+- removed 0009-Fix-ldap-host-lookup-ipv6.patch (see bsc#1171127)
+
+OpenLDAP 2.4.50 Release (2020/04/28)
+ Fixed client benign typos (ITS#8890)
+ Fixed libldap type cast (ITS#9175)
+ Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
+ Fixed libldap_r race on Windows mutex initialization (ITS#9181)
+ Fixed liblunicode memory leak (ITS#9198)
+ Fixed slapd benign typos (ITS#8890)
+ Fixed slapd to limit depth of nested filters (ITS#9202)
+ Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214)
+ Fixed slapo-pcache database initialization (ITS#9182)
+ Fixed slapo-ppolicy callback (ITS#9171)
+ Build
+ Fix olcDatabaseDummy initialization for windows (ITS#7074)
+ Fix detection for ws2tcpip.h for windows (ITS#8383)
+ Fix back-mdb types for windows (ITS#7878)
+ Contrib
+ Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855)
+ Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206)
+ Documentation
+ slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003)
+ slapd-meta(5) - Remove client-pr option (ITS#8683)
+ slapdinex(8) - Fix truncate option information for back-mdb (ITS#9230)
+
+-------------------------------------------------------------------
+Thu Jan 30 20:57:33 UTC 2020 - Michael Ströder
+
+- updated to 2.4.49
+- removed obsolete back-port patches:
+ * 0013_openldap-its9124_fix_crash_with_cancel_exop.patch
+- removed obsolete source file DB_CONFIG
+
+OpenLDAP 2.4.49 Release (2020/01/30)
+ Added slapd-monitor database entry count for slapd-mdb (ITS#9154)
+ Fixed client tools to not add controls on cancel/abandon (ITS#9145)
+ Fixed client tools SyncInfo message to be LDIF compliant (ITS#8116)
+ Fixed libldap to correctly free sb (ITS#9081, ITS#8755)
+ Fixed libldap descriptor leak if ldaps fails (ITS#9147)
+ Fixed libldap remove unnecessary global mutex for GnuTLS (ITS#9069)
+ Fixed slapd syntax evaluation of preferredDeliveryMethod (ITS#9067)
+ Fixed slapd to relax domainScope control check (ITS#9100)
+ Fixed slapd to have cleaner error handling during connection setup (ITS#9112)
+ Fixed slapd data check when processing cancel exop (ITS#9124)
+ Fixed slapd attribute description processing (ITS#9128)
+ Fixed slapd-ldap to set oldctrls correctly (ITS#9076)
+ Fixed slapd-mdb to honor unchecked limit with alias deref (ITS#7657)
+ Fixed slapd-mdb missing final commit with slapindex (ITS#9095)
+ Fixed slapd-mdb drop attr mappings added in an aborted txn (ITS#9091)
+ Fixed slapd-mdb nosync FLAG configuration handling (ITS#9150)
+ Fixed slapd-monitor global operation counter reporting (ITS#9119)
+ Fixed slapo-ppolicy when used with slapauth (ITS#8629)
+ Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126)
+ Fixed slapo-syncprov fix sessionlog init (ITS#9146)
+ Fixed slapo-unique loop termination (ITS#9077)
+ Build Environment
+ Fix mkdep to honor TMPDIR if set (ITS#9062)
+ Remove ICU library detection (ITS#9144)
+ Update config.guess and config.sub to support newer architectures (ITS#7855)
+ Disable ITS8521 regression test as it is no longer valid (ITS#9015)
+ Documentation
+ admin24 - Fix inconsistent whitespace in replication section (ITS#9153)
+ slapd-config(5)/slapd.conf(5) - Fix missing bold tag for keyword (ITS#9063)
+ slapd-ldap(5) - Document "tls none" option (ITS#9071)
+ slapo-ppolicy(5) - Correctly document pwdGraceAuthnLimit (ITS#9065)
+
+-------------------------------------------------------------------
+Fri Jan 10 13:16:40 UTC 2020 - Michael Ströder
+
+- added back-port patch
+ 0013_openldap-its9124_fix_crash_with_cancel_exop.patch
+ to fix OpenLDAP ITS#9124
+
+-------------------------------------------------------------------
+Sun Dec 22 14:44:19 UTC 2019 - Michael Ströder
+
+- use BuildRequires: pkgconfig(krb5) instead of krb5-devel-mini
+
+-------------------------------------------------------------------
+Fri Aug 2 08:16:46 UTC 2019 - Martin Liška
+
+- Use FAT LTO objects in order to provide proper static library.
+
+-------------------------------------------------------------------
+Thu Jul 25 11:08:46 UTC 2019 - matthias.gerstner@suse.com
+
+- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
+ firewalld, see [1].
+
+ [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
+
+-------------------------------------------------------------------
+Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder
+
+- Update to upstream release 2.4.48 with security fixes:
+ * CVE-2019-13057 (ITS#9038):
+ rootdn of any db can assert any identity
+ * CVE-2019-13565 (ITS#9052):
+ Unauthorized access caused by incorrect handling of SASL SSF values
+- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
+ (see also bsc#1073313, comment #36)
+- Removed obsolete patches:
+ * 0002-openldap-its8727-plug-ber-leaks.patch
+ * 0017-Fix-segfault-in-nops.patch
+
+OpenLDAP 2.4.48 (2019/07/24)
+ Added libldap OpenSSL Elliptic Curve support (ITS#7595)
+ Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
+ Added slapd-monitor support for slapd-mdb (ITS#7770)
+ Fixed liblber leaks (ITS#8727)
+ Fixed liblber with partial flush (ITS#8864)
+ Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
+ Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
+ Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
+ Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
+ Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
+ Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
+ Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
+ Fixed libldap to correctly close TLS connection (ITS#8755)
+ Fixed libldap with non-blocking TLS and referals (ITS#8167)
+ Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
+ Fixed liblunicode case correspondance (ITS#8508)
+ Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
+ Fixed slapd config parser variable for Windows64 (ITS#9012)
+ Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
+ Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
+ Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
+ Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
+ Fixed slapd to initialize SASL SSF per connection (ITS#9052)
+ Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
+ Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
+ Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
+ Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
+ Fixed slapd-meta assertion when network interface goes down (ITS#8841)
+ Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
+ Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
+ Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
+ Fixed slapo-accesslog possible assert with exops (ITS#8971)
+ Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
+ Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
+ Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
+ Fixed slapo-memberof for group name change to itself (ITS#9000)
+ Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
+ Fixed slapo-rwm to not free original filter (ITS#8964)
+ Fixed slapo-syncprov contextCSN generation (ITS#9015)
+ Build Environment
+ Fixed slapd to only link to BDB libraries with static build (ITS#8948)
+ Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
+ Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
+ Documentation
+ General - Fixed minor typos (ITS#8764, ITS#8761)
+ admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
+ slapd.access(5) - Note MDB is the primary backend (ITS#8881)
+ slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
+ slapd-ldap(5) - Document starttls parameter (ITS#8693)
+ Contrib
+ Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
+
+-------------------------------------------------------------------
+Tue May 14 04:33:38 UTC 2019 - William Brown
+
+- bsc#1111388 - incorrect post script call causes tmpfiles create not to
+ be run.
+
+-------------------------------------------------------------------
+Sun Mar 10 11:45:15 UTC 2019 - Michael Ströder
+
+- Corrected moduleload back_mdb.la to get a working configuration
+ right after package installation.
+
+-------------------------------------------------------------------
+Fri Jan 4 14:13:47 UTC 2019 - Michael Ströder
+
+- added back-ported fix for OpenLDAP ITS#8727
+ (file 0002-openldap-its8727-plug-ber-leaks.patch)
+
+-------------------------------------------------------------------
+Thu Dec 20 09:35:55 UTC 2018 - Michael Ströder
+
+- Update to upstream release 2.4.47
+- Removed obsolete patches:
+ * 0006-No-Build-date-and-time-in-binaries.dif
+ (upstream now uses SOURCE_DATE_EPOCH for reproducable builds)
+ * 0012-ITS8051-sockdnpat.patch
+ * 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
+
+OpenLDAP 2.4.47 Release (2018/12/19)
+ Added slapd-sock DN qualifier for subtrees to be processed (ITS#8051)
+ Added slapd-sock ability to send extended operations to external listeners (ITS#8714)
+ Fixed liblber to avoid incremental access to user-supplied bv in dupbv (ITS#8752)
+ Fixed libldap dn to domain parsing with bad input (ITS#8842)
+ Fixed slapd slapcat to correctly honor -g option (ITS#8667)
+ Fixed slapd to correctly handle NO_SUCH_OBJECT with dynamic groups (ITS#8923)
+ Fixed slapd to check status of rdnNormalize (ITS#8932)
+ Fixed slapd cn=config when modifying slapo-syncprov config (ITS#8616)
+ Fixed slapd sasl authz-policy "all" behavior (ITS#8909)
+ Fixed slapd sasl minor typo (ITS#8918)
+ Fixed slapd to correctly hide hidden DBs in the rootDSE (ITS#8912)
+ Fixed slapd domainScope control to match Microsoft specification (ITS#8840)
+ Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868)
+ Fixed slapo-accesslog deadlock during cleanup (ITS#8752)
+ Fixed slapo-memberof cn=config modifications (ITS#8663)
+ Fixed slapo-ppolicy with multimaster replication (ITS#8927)
+ Fixed slapo-syncprov with NULL modlist (ITS#8843)
+ Build Environment
+ Added slapd reproducible build support (ITS#8928)
+ Fixed missing includes with OpenSSL 1.0.2 (ITS#8809)
+ Contrib
+ Fixed slapo-pbkdf2 hash generation (ITS#8878)
+ Documentation
+ admin24 fixed minor typo (ITS#8887)
+
+-------------------------------------------------------------------
+Thu Nov 22 16:03:22 UTC 2018 - Jan Engelhardt
+
+- Replace old $RPM_* shell vars
+
+-------------------------------------------------------------------
+Tue Nov 20 13:32:36 UTC 2018 - ckowalczyk@suse.com
+
+- Fix CVE-2017-17740: when both the nops module and the memberof
+ overlay are enabled, attempts to free a buffer that was allocated
+ on the stack
+ * patch: 0017-Fix-segfault-in-nops.patch
+ (bsc#1073313)
+
+-------------------------------------------------------------------
+Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger
+
+- Emergency fix: move tmpfiles_create post from the library package
+ to the main package's post script, which ships the tmpfiles.d
+ configuration. Fixes the post script of the library (-p
+ /sbin/ldconfig does not allow more statements in the script).
+
+-------------------------------------------------------------------
+Thu Nov 8 15:25:08 UTC 2018 - varkoly@suse.com
+
+- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG* (transactional-update)
+
+-------------------------------------------------------------------
+Fri Oct 26 14:58:41 UTC 2018 - Michael Ströder
+
+- Fixed broken memory handling in
+ 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
+ affecting error response of slapo-unique
+
+-------------------------------------------------------------------
+Fri Aug 17 07:46:47 UTC 2018 - ckowalczyk@suse.com
+
+- Fix slapd segfaults in mdb_env_reader_dest
++ with patch 0016-Clear-shared-key-only-in-close-function.patch
++ (bsc#1089640)
+
+-------------------------------------------------------------------
+Fri Jun 29 16:23:22 UTC 2018 - michael@stroeder.com
+
+- fixed shee-bang in openldap_update_modules_path.sh (bsc#1099705)
+
+-------------------------------------------------------------------
+Wed Jun 20 10:04:06 UTC 2018 - michael@stroeder.com
+
+- Added a patch to let slapd return the uniqueness check filter
+ used before constraint violation to the client
+ 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
+
+-------------------------------------------------------------------
+Tue Jun 5 13:24:09 UTC 2018 - varkoly@suse.com
+
+- bsc#1095816 libldap package does not contain and provide libldap anymore
+
+-------------------------------------------------------------------
+Thu May 24 11:59:02 CEST 2018 - kukuk@suse.de
+
+- Don't require systemd explicit, spec file can handle both cases
+ correct and in containers we don't have systemd.
+
+-------------------------------------------------------------------
+Tue Apr 24 16:35:09 UTC 2018 - zsolt.kalmar@suse.com
+
+- bsc#1085064 Packaging issues have been discovered around the
+ openldap_update_modules_path.sh which has been corrected:
+ - the spec file was wrongly configured, therefore the script has
+ never been called
+ - the script should create the symlinks first, as slapcat is
+ useless on a system which is already affected.
+
+-------------------------------------------------------------------
+Fri Apr 6 11:29:22 UTC 2018 - zsolt.kalmar@suse.com
+
+- bsc#1085064 Add script "openldap_update_modules_path.sh" which
+ which removes the configuration item olcModulePath in cn=config
+ which is after upgrade from SLE12 to SLE15 holds inappropriate
+ information. If the cn=config is being used on a system, the
+ conflicting items in slapd.conf are ignored, despite of it, the
+ backend DB configuration section has been also commented out in
+ the default slapd.conf.
+ In case of correct cn=config (the olcModulePath has been already
+ removed), the script stops without touching anything.
+
+-------------------------------------------------------------------
+Fri Mar 23 19:43:23 UTC 2018 - michael@stroeder.com
+
+- Upgrade to upstream 2.4.46 release
+- removed obsolete back-port patches:
+ * 0013-ITS-8692-let-back-sock-generate-increment-line.patch
+ * 0016-ITS-8782-fix-cancel-memleak.patch
+
+OpenLDAP 2.4.46 Release (2018/03/22)
+ Fixed libldap connection delete callbacks when TLS fails to start (ITS#8717)
+ Fixed libldap to not reuse tls_session if TLS hostname check fails (ITS#7373)
+ Fixed libldap cross-compiling with OpenSSL 1.1 (ITS#8687)
+ Fixed libldap OpenSSL 1.1.1 compatibility with BIO_method (ITS#8791)
+ Fixed libldap MozNSS CA certificate hash matching (ITS#7374)
+ Fixed libldap MozNSS with PEM certs when also using an NSS cert db (ITS#7389)
+ Fixed libldap MozNSS initialization (ITS#8484)
+ Fixed libldap GnuTLS with GNUTLS_E_AGAIN (ITS#8650)
+ Fixed libldap memory leak with cancel operations (ITS#8782)
+ Fixed slapd Eventlog registry key creation on 64-bit Windows (ITS#8705)
+ Fixed slapd to maintain SSF across SASL binds (ITS#8796)
+ Fixed slapd syncrepl deadlock when updating cookie (ITS#8752)
+ Fixed slapd syncrepl callback to always be last in the stack (ITS#8752)
+ Fixed slapd telephoneNumberNormalize when the value is spaces and hyphens (ITS#8778)
+ Fixed slapd CSN queue processing (ITS#8801)
+ Fixed slapd-ldap TLS connection timeout with high latency connections (ITS#8720)
+ Fixed slapd-ldap to ignore unknown schema when omit-unknown-schema is set (ITS#7520)
+ Fixed slapd-mdb with an optimization for long lived read transactions (ITS#8226)
+ Fixed slapd-meta assert when olcDbRewrite is modified (ITS#8404)
+ Fixed slapd-sock with LDAP_MOD_INCREMENT operations (ITS#8692)
+ Fixed slapo-accesslog cleanup to only occur on failed operations (ITS#8752)
+ Fixed slapo-dds entryTTL to actually decrease as per RFC 2589 (ITS#7100)
+ Fixed slapo-syncprov memory leak with delete operations (ITS#8690)
+ Fixed slapo-syncprov to not clear pending operation when checkpointing (ITS#8444)
+ Fixed slapo-syncprov to correctly record contextCSN values in the accesslog (ITS#8100)
+ Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607)
+ Fixed slapo-syncprov to process changes from this SID on REFRESH (ITS#8800)
+ Fixed slapo-syncprov session log parsing to not block other operations (ITS#8486)
+ Build Environment
+ Fixed Windows build with newer MINGW version (ITS#8697)
+ Fixed compiler warnings and removed unused variables (ITS#8578)
+ Contrib
+ Fixed ldapc++ Control structure (ITS#8583)
+ Documentation
+ Delete stub manpage for back-ldbm (ITS#8713)
+ Fixed ldap_bind(3) to mention the LDAP_SASL_SIMPLE mechanism (ITS#8121)
+ Fixed ldap.conf(5) to note SASL_MECH/SASL_REALM are no longer user-only (ITS#8818)
+ Fixed slapd-config(5) typo for olcTLSCipherSuite (ITS#8715)
+ Fixed slapo-syncprov(5) indexing requirements (ITS#5048)
+
+-------------------------------------------------------------------
+Thu Feb 22 15:10:42 UTC 2018 - fvogt@suse.com
+
+- Use %license (boo#1082318)
+
+-------------------------------------------------------------------
+Mon Dec 11 22:51:03 UTC 2017 - michael@stroeder.com
+
+- added 0016-ITS-8782-fix-cancel-memleak.patch
+
+-------------------------------------------------------------------
+Thu Nov 23 13:36:52 UTC 2017 - rbrown@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Mon Oct 2 18:15:46 UTC 2017 - jengelh@inai.de
+
+- Add openldap-r-only.dif so that openldap2's own tools also
+ link against libldap_r rather than libldap.
+- Make libldap equivalent to libldap_r (like Debian) to avoid
+ crashes in threaded programs which unknowingly get both
+ libraries inserted into their process image.
+ [rh#1370065, boo#996551]
+
+-------------------------------------------------------------------
+Mon Oct 2 13:18:54 UTC 2017 - mrueckert@suse.de
+
+- use existing groups instead of inventing new ones
+
+-------------------------------------------------------------------
+Mon Sep 18 20:45:58 UTC 2017 - michael@stroeder.com
+
+- added 0012-ITS8051-sockdnpat.patch
+
+-------------------------------------------------------------------
+Wed Sep 6 07:58:06 UTC 2017 - michael@stroeder.com
+
+- updated 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
+
+-------------------------------------------------------------------
+Fri Aug 18 17:00:54 UTC 2017 - michael@stroeder.com
+
+- Added OpenLDAP new feature implementing OpenLDAP ITS#8714
+ 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
+
+-------------------------------------------------------------------
+Thu Jul 20 14:19:47 UTC 2017 - michael@stroeder.com
+
+- added overlay trace to package openldap2-contrib
+
+-------------------------------------------------------------------
+Wed Jul 12 18:52:42 UTC 2017 - michael@stroeder.com
+
+- Upgrade to upstream 2.4.45 release
+- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
+ and 0012-use-system-wide-cert-dir-by-default.patch
+- added 0013-ITS-8692-let-back-sock-generate-increment-line.patch
+ for supporting modify increment operations with back-sock
+- added overlay addpartial to package openldap2-contrib
+
+--------------------------------------------------------------------
+Wed Jun 7 09:32:52 UTC 2017 - hguo@suse.com
+
+- Remove legacy daemon control that was used to migrate from SLE 11
+ to 12. (bsc#1038405)
+
+--------------------------------------------------------------------
+Tue Jun 6 13:47:18 UTC 2017 - hguo@suse.com
+
+- There is no change made about the package itself, this is only
+ copying over some changelog texts from SLE package:
+- bug#976172 owned by hguo@suse.com: openldap2 - missing
+ /usr/share/doc/packages/openldap2/guide/admin/guide.html
+- bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546:
+ openldap2: slapd crash in valueReturnFilter cleanup
+- [fate#319300](https://fate.suse.com/319300)
+- [CVE-2015-1545](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545)
+- bug#905959 owned by hguo@suse.com: L3-Question: Are multiple
+ "Connection 0" in a Multi Master setup normal ?
+- [CVE-2015-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546)
+- bug#916897 owned by varkoly@suse.com: VUL-0: CVE-2015-1545:
+ openldap2: slapd crashes on search with deref control and empty attr list
+
+-------------------------------------------------------------------
+Fri Apr 7 16:47:24 UTC 2017 - jengelh@inai.de
+
+- Drop binutils requirement; the code using /usr/bin/strings has
+ been dropped in openSUSE:Factory/openldap2 revision 112.
+
+-------------------------------------------------------------------
+Sat Feb 18 22:11:29 UTC 2017 - kukuk@suse.com
+
+- Remove superfluous insserv PreReq.
+
+-------------------------------------------------------------------
+Thu Nov 10 12:55:26 UTC 2016 - hguo@suse.com
+
+- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
+ to let OpenLDAP read system wide certificate directory by
+ default and avoid hiding the error if user specified CA location
+ cannot be read (bsc#1009470).
+
+-------------------------------------------------------------------
+Fri Oct 14 13:15:23 UTC 2016 - hguo@suse.com
+
+- Add more details in the comments of slapd.conf concerning
+ file permission and StartTLS capability.
+
+-------------------------------------------------------------------
+Thu Jun 23 22:46:29 UTC 2016 - jengelh@inai.de
+
+- Test for user/group existence before trying to add them.
+ Summary spello update.
+
+-------------------------------------------------------------------
+Thu Jun 16 10:10:36 UTC 2016 - hguo@suse.com
+
+- Move schema files into tarball addonschema.tar.gz:
+ ldapns.ldif ldapns.schema rfc2307bis.ldif rfc2307bis.schema
+ yast.ldif yast.schema
+- Package previously missing schema files in LDIF format:
+ amavisd-new.ldif dhcp.ldif dlz.ldif dnszone.ldif samba3.ldif
+ sudo.ldif suse-mailserver.ldif (bsc#984691)
+- Fix a minor issue in schema2ldif script that led to missing
+ attribute in the generated LDIF.
+
+-------------------------------------------------------------------
+Tue May 17 08:37:00 UTC 2016 - hguo@suse.com
+
+- Enable build flag LDAP_USE_NON_BLOCKING_TLS to fix bsc#978408.
+
+-------------------------------------------------------------------
+Thu Feb 25 11:06:12 UTC 2016 - hguo@suse.com
+
+- Move ldap.conf into libldap-data package, per convention.
+
+-------------------------------------------------------------------
+Sun Feb 21 23:04:38 UTC 2016 - jengelh@inai.de
+
+- Move ldap.conf out of shlib package again, they are not allowed
+ there for obvious reasons (conflict with future package).
+
+-------------------------------------------------------------------
+Thu Feb 18 14:45:30 UTC 2016 - hguo@suse.com
+
+- Build password strength enforcer as an implementation of ppolicy
+ password checker, introducing:
+ ppolicy-check-password-1.2.tar.gz
+ ppolicy-check-password.Makefile
+ ppolicy-check-password.conf
+ ppolicy-check-password.5
+ 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
+ (Implements fate#319461)
+
+-------------------------------------------------------------------
+Thu Feb 18 12:18:13 UTC 2016 - lmuelle@suse.com
+
+- Remove redundant -n openldap2- package name prefix.
+
+-------------------------------------------------------------------
+Mon Feb 8 14:40:32 UTC 2016 - hguo@suse.com
+
+- Remove openldap2-client.spec and openldap2-client.changes
+ openldap2.spec now builds client utilities and libraries.
+ Thus pre_checkin.sh is removed.
+- Move ldap.conf and its manual page from openldap2-client package
+ to libldap-2_4-2 package, which is more appropriate.
+- Use RPM_OPT_FLAGS in build flags.
+- Macros dealing with old/unsupported distributions are removed.
+- Remove 0002-slapd.conf.dif and install improved slapd.conf from
+ new source file slapd.conf.
+- Install slapd.conf.olctemplate to assist in preparing slapd.d
+ for OLC.
+- Be explicit in sysconfig that by default openldap will use
+ static file configuration.
+- Add the following schemas in LDIF format:
+ * rfc2307bis.ldif
+ * ldapns.ldif
+ * yast.ldif
+- Other minor clean-ups in the spec file.
+
+-------------------------------------------------------------------
+Mon Feb 8 13:24:49 UTC 2016 - mpluskal@suse.com
+
+- Use optflags when building
+
+-------------------------------------------------------------------
+Sat Feb 6 12:10:53 UTC 2016 - michael@stroeder.com
+
+- Upgrade to upstream 2.4.44 release with accumulated bug fixes.
+- Specify source with FTP URL
+- Removed obsolete 0012-openldap-re24-its8336.patch
+
+-------------------------------------------------------------------
+Mon Jan 25 14:10:12 UTC 2016 - hguo@suse.com
+
+- Relabel patch 0011-Enforce-minimum-DH-size-of-1024.patch
+ into 0010-Enforce-minimum-DH-size-of-1024.patch
+
+-------------------------------------------------------------------
+Tue Dec 8 11:36:16 UTC 2015 - michael@stroeder.com
+
+- Upgrade to upstream 2.4.43 release with accumulated bug fixes.
+- Still build on SLES12
+- Loadable backend and overlay modules are now installed
+ into arch-specific path %{_libdir}/openldap
+- All backends and overlays as modules for smaller memory footprint
+ on memory constrained systems
+- Added extra package for back-sock
+- Consequent use of %{_rundir} everywhere
+- Rely on upstream ./configure script instead of any other
+ macro foo
+- Dropped linking with libwrap
+- Dropped 0004-libldap-use-gethostbyname_r.dif because this
+ work-around for nss_ldap is obsolete
+- New sub-package openldap2-contrib with selected contrib/ overlays
+- Replaced addonschema.tar.gz with separate schema sources
+- Updated ldapns.schema from recent slapo-nssov source tree
+- Added symbolic link to slapd executable in /usr/sbin/
+- Added more complex example configuration file
+ /etc/openldap/slapd.conf.example
+- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap
+- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap
+- Added patch for OpenLDAP ITS#7796 to avoid excessive
+ "not index" logging:
+ 0011-openldap-re24-its7796.patch
+- Replaced openldap-rc.tgz with single source files
+- Added soft dependency (Recommends) to cyrus-sasl
+- Added soft dependency (Recommends) to cyrus-sasl-devel
+ to openldap2-devel
+- Added patch for OpenLDAP ITS#8336 (assert in liblmdb):
+ 0012-openldap-re24-its8336.patch
+- Remove obsolete patch 0001-build-adjustments.dif
+
+-------------------------------------------------------------------
+Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+ to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+ to address weak DH size vulnerability (bsc#937766)
+
+-------------------------------------------------------------------
+Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
+ to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
+ (bsc#955210)
+
+-------------------------------------------------------------------
+Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com
+
+- Remove OpenLDAP 2.3 code and patches from build source.
+ Compatibility libraries for OpenLDAP 2.3 are built in package:
+ compat-libldap-2_3-0
+ Removed source files:
+ openldap-2.3.37-liblber-length-decoding.dif
+ openldap-2.3.37-libldap-ntlm.diff
+ openldap-2.3.37-libldap-ssl.dif
+ openldap-2.3.37-libldap-sasl-max-buff-size.dif
+ openldap-2.3.37-libldap-tls_chkhost-its6239.dif
+ openldap-2.3.37-libldap-gethostbyname_r.dif
+ openldap-2.3.37-libldap-suid.diff
+ openldap-2.3.37.dif
+ openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif
+ openldap-2.3.37-libldap-ldapi_url.dif
+ openldap-2.3.37.tgz
+ openldap-2.3.37-libldap-utf8-ADcanonical.dif
+ README.update
+ check-build.sh
+
+-------------------------------------------------------------------
+Thu Oct 1 11:08:41 UTC 2015 - hguo@suse.com
+
+- Upgrade to upstream 2.4.42 release with accumulated bug fixes.
+
+-------------------------------------------------------------------
+Tue Jul 21 08:12:50 UTC 2015 - hguo@suse.com
+
+- Upgrade to upstream 2.4.41 release with accumulcated bug fixes and stability improvements.
+ * Add patch 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+ * Remove already applied patch 0008-ITS-7723-fix-reference-counting.patch
+ * Remove already applied patch 0009-gcc5.patch
+ (Implements fate#319301)
+
+-------------------------------------------------------------------
+Thu Feb 19 10:03:30 UTC 2015 - rguenther@suse.com
+
+- Add 0009-gcc5.patch to pass -P to the preprocessor in configure checks
+ for Berkeley DB version
+
+-------------------------------------------------------------------
+Wed Nov 26 11:21:34 UTC 2014 - jengelh@inai.de
+
+- binutils is required for "strings" utility invocation in %pre
+ [bnc#904028]
+- Remove SLE10 definitions
+
+-------------------------------------------------------------------
+Sun Oct 12 11:48:00 UTC 2014 - jengelh@inai.de
+
+- Use %_smp_mflags for parallel build
+
+-------------------------------------------------------------------
+Mon Sep 22 13:41:56 UTC 2014 - tchvatal@suse.com
+
+- Add baselibs.conf to sources list
+
+-------------------------------------------------------------------
+Wed Sep 10 10:26:02 UTC 2014 - varkoly@suse.com
+
+- Do not bypass output of useradd and groupadd
+
+-------------------------------------------------------------------
+Wed Sep 3 01:49:12 CEST 2014 - ro@suse.de
+
+- sanitize release line in specfile
+
+-------------------------------------------------------------------
+Wed Jul 16 15:56:11 UTC 2014 - ckornacker@suse.com
+
+- segfault on certain queries with rwm overlay (bnc#846389)
+ 0008-ITS-7723-fix-reference-counting.patch
+
+-------------------------------------------------------------------
+Fri Jun 6 13:16:24 UTC 2014 - ckornacker@suse.com
+
+- enable systemd slapd service if SysV ldap was enabled (bnc#881476)
+
+-------------------------------------------------------------------
+Tue May 13 15:20:40 UTC 2014 - coolo@suse.com
+
+- use %_rundir if available, otherwise /var/run
+
+-------------------------------------------------------------------
+Wed Apr 23 20:51:14 UTC 2014 - dmueller@suse.com
+
+- move systemd requires to server package
+
+-------------------------------------------------------------------
+Tue Feb 18 14:39:07 UTC 2014 - ckornacker@suse.com
+
+- Fix systemd service installation
+
+-------------------------------------------------------------------
+Sun Feb 16 18:55:40 CET 2014 - ro@suse.de
+
+- use configure macro also for building the 2.3.37 version
+
+-------------------------------------------------------------------
+Wed Feb 12 11:24:08 UTC 2014 - varkoly@suse.com
+
+- Remove PidFile from service definition
+- Update to 2.4.39
+ * Fixed libldap MozNSS crash (ITS#7783)
+ * Fixed libldap memory leak with SASL (ITS#7757)
+ * Fixed libldap assert in parse_passwdpolicy_control (ITS#7759)
+ * Fixed libldap shortcut NULL RDNs (ITS#7762)
+ * Fixed libldap deref to use correct control
+ * Fixed liblmdb keysizes with mdb_update_key (ITS#7756)
+ * Fixed slapd cn=config olcDbConfig modification (ITS#7750)
+ * Fixed slapd-bdb/hdb to bail out of search if config is paused (ITS#7761)
+ * Fixed slapd-bdb/hdb indexing issue with derived attributes (ITS#7778)
+ * Fixed slapd-mdb to bail out of search if config is paused (ITS#7761)
+ * Fixed slapd-mdb indexing issue with derived attributes (ITS#7778)
+ * Fixed slapd-perl to bail out of search if config is paused (ITS#7761)
+ * Fixed slapd-sql to bail out of search if config is paused (ITS#7761)
+ * Fixed slapo-constraint handling of softadd/softdel (ITS#7773)
+ * Fixed slapo-syncprov assert with findbase (ITS#7749)
+ * Build Environment
+ Test suite: Use $(MAKE) for tests (ITS#7753)
+ * Documentation
+ admin24 fix TLSDHParamFile to be correct (ITS#7684)
+
+-------------------------------------------------------------------
+Tue Feb 11 08:49:43 UTC 2014 - varkoly@suse.com
+
+- Add systemd style service definition
+- FATE#315028 remove memory limit for slapd
+- FATE#315415: LDAP compat packages required for older SLES versions
+ For this reson following patches were applied:
+ openldap-2.3.37-libldap-suid.diff
+ openldap-2.3.37-libldap-ldapi_url.dif
+ openldap-2.3.37-libldap-ntlm.diff
+ openldap-2.3.37-libldap-gethostbyname_r.dif
+ openldap-2.3.37-libldap-sasl-max-buff-size.dif
+ openldap-2.3.37-libldap-utf8-ADcanonical.dif
+ openldap-2.3.37-liblber-length-decoding.dif
+ openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif
+ openldap-2.3.37-libldap-tls_chkhost-its6239.dif
+ openldap-2.3.37-libldap-ssl.dif
+
+-------------------------------------------------------------------
+Wed Dec 11 13:29:51 UTC 2013 - matz@suse.de
+
+- Make /etc/sasl2 owned by openldap2.
+
+-------------------------------------------------------------------
+Wed Dec 11 10:44:26 UTC 2013 - varkoly@suse.com
+
+- Update to 2.4.38
+ * Fixed liblmdb nordahead flag (ITS#7734)
+ * Fixed liblmdb to check cursor index before cursor_del (ITS#7733)
+ * Fixed liblmdb wasted space on split (ITS#7589)
+ * Fixed slapd for certs with a NULL issuerDN (ITS#7746)
+ * Fixed slapd cn=config with empty nested includes (ITS#7739)
+ * Fixed slapd syncrepl memory leak with delta-sync MMR (ITS#7735)
+ * Fixed slapd-bdb/hdb to stop processing on dn not found (ITS#7741)
+ * Fixed slapd-bdb/hdb with indexed ANDed filters (ITS#7743)
+ * Fixed slapd-mdb to stop processing on dn not found (ITS#7741)
+ * Fixed slapd-mdb dangling reader (ITS#7662)
+ * Fixed slapd-mdb matching rule for OlcDbEnvFlags (ITS#7737)
+ * Fixed slapd-mdb with indexed ANDed filters (ITS#7743)
+ * Fixed slapd-meta from blocking other threads (ITS#7740)
+ * Fixed slapo-syncprov assert with findbase (ITS#7749)
+ Changes in 2.4.37
+ * Added liblmdb nordahead environment flag (ITS#7725)
+ * Fixed client tools CLDAP with IPv6 (ITS#7695)
+ * Fixed libldap CLDAP with IPv6 (ITS#7695)
+ * Fixed libldap lock ordering with abandon op (ITS#7712)
+ * Fixed liblmdb segfault with mdb_cursor_del (ITS#7718)
+ * Fixed liblmdb when converting to writemap (ITS#7715)
+ * Fixed liblmdb assert on MDB_NEXT with delete
(ITS#7722) + * Fixed liblmdb wasted space on split (ITS#7589) + * Fixed slapd cn=config with olcTLSProtocolMin (ITS#7685) + * Fixed slapd-bdb/hdb optimize index updates (ITS#7329) + * Fixed slapd-ldap chaining with cn=config (ITS#7381, ITS#7434) + * Fixed slapd-ldap chaning with controls (ITS#7687) + * Fixed slapd-mdb optimize index updates (ITS#7329) + * Fixed slapd-meta chaining with cn=config (ITS#7381, ITS#7434) + * Fixed slapo-constraint to no-op on nonexistent entries (ITS#7692) + * Fixed slapo-dds assert on startup (ITS#7699) + * Fixed slapo-memberof to not replicate internal ops (ITS#7710) + * Fixed slapo-refint to not replicate internal ops (ITS#7710) + Changes in 2.4.36 + * Added back-meta target filter patterns (ITS#7609) + * Added liblmdb mdb_txn_env to API (ITS#7660) + * Fixed libldap CLDAP with uninit'd memory (ITS#7582) + * Fixed libldap with UDP (ITS#7583) + * Fixed libldap OpenSSL TLS versions (ITS#7645) + * Fixed liblmdb MDB_PREV behavior (ITS#7556) + * Fixed liblmdb transaction issues (ITS#7515) + * Fixed liblmdb mdb_drop overflow page return (ITS#7561) + * Fixed liblmdb nested split (ITS#7592) + * Fixed liblmdb overflow page behavior (ITS#7620) + * Fixed liblmdb race condition with read and write txns (ITS#7635) + * Fixed liblmdb mdb_del behavior with MDB_DUPSORT and mdb_del (ITS#7658) + * Fixed slapd cn=config with unknown schema elements (ITS#7608) + * Fixed slapd cn=config with loglevel 0 (ITS#7611) + * Fixed slapd slapi filterlist free behavior (ITS#7636) + * Fixed slapd slapi control free behavior (ITS#7641) + * Fixed slapd schema countryString as directoryString (ITS#7659) + * Fixed slapd schema telephoneNumber as directoryString (ITS#7659) + * Fixed slapd-bdb/hdb to wait for read locks in tool mode (ITS#6365) + * Fixed slapd-mdb behavior with alias dereferencing (ITS#7577 ) + * Fixed slapd-mdb modrdn and base-scoped searches (ITS#7604) + * Fixed slapd-mdb refcount behavior (ITS#7628) + * Fixed slapd-meta binding flag is set (ITS#7524) + * 
Fixed slapd-meta with minimal config (ITS#7581) + * Fixed slapd-meta missing results messages (ITS#7591) + * Added slapd-meta TCP keepalive support (ITS#7513) + * Fixed slapo-sssvlv double free (ITS#7588) + * Fixed slaptest to list -Q option (ITS#7568) + Changes in 2.4.35 + * Fixed liblmdb mdb_cursor_put with MDB_MULTIPLE (ITS#7551) + * Fixed liblmdb page rebalance (ITS#7536) + * Fixed liblmdb missing parens (ITS#7377) + * Fixed liblmdb mdb_cursor_del crash (ITS#7553) + * Fixed slapd syncrepl updateCookie status (ITS#7531) + * Fixed slapd connection logging (ITS#7543) + * Fixed slapd segfault on modify (ITS#7542, ITS#7432) + * Fixed slapd-mdb to reject undefined attrs (ITS#7540) + * Fixed slapo-pcache with +/- attrsets (ITS#7552) + Changes in 2.4.34 + * Fixed libldap connections with EINTR (ITS#7476) + * Fixed libldap lineno overflow in ldif_read_record (ITS#7497) + * Fixed liblmdb mdb_env_open flag handling (ITS#7453) + * Fixed liblmdb mdb_midl_sort array optimization (ITS#7432) + * Fixed liblmdb freelist with large entries (ITS#7455) + * Fixed liblmdb to check for filled dirty page list (ITS#7491) + * Fixed liblmdb to validate data limits (ITS#7485) + * Fixed liblmdb mdb_update_key for large keys (ITS#7505) + * Fixed ldapmodify to not core dump with invalid LDIF (ITS#7477) + * Fixed slapd syncrepl for old entries in MMR setup (ITS#7427) + * Fixed slapd signedness for index_substr_any_* (ITS#7449) + * Fixed slapd enforce SLAPD_MAX_DAEMON_THREADS (ITS#7450) + * Fixed slapd mutex in send_ldap_ber (ITS#6164) + * Added slapd-ldap onerr option (ITS#7492) + * Added slapd-ldap keepalive support (ITS#7501) + * Fixed slapd-ldif with empty dir (ITS#7451) + * Fixed slapd-mdb to reopen attr DBs after env reopen (ITS#7416) + * Fixed slapd-mdb handling of missing entries (ITS#7483,7496) + * Fixed slapd-mdb environment flag setting (ITS#7452) + * Fixed slapd-mdb with sub db slapcat (ITS#7469) + * Fixed slapd-mdb to correctly work with toolthreads > 2 (ITS#7488,ITS#7527) + * 
Fixed slapd-mdb subtree search speed (ITS#7473) + * Fixed slapd-meta conversion to cn=config (ITS#7525) + * Fixed slapd-meta segfault when modifying olcDbUri (ITS#7526) + * Fixed slapd-sql back-config support (ITS#7499) + * Fixed slapo-constraint handle uri and restrict correctly (ITS#7418) + * Fixed slapo-constraint with multi-master replication (ITS#7426) + * Fixed slapo-constraint segfault (ITS#7431) + * Fixed slapo-deref control initialization (ITS#7436) + * Fixed slapo-deref control exposure (ITS#7445) + * Fixed slapo-memberof with internal ops (ITS#7487) + * Fixed slapo-pcache matching rules for config db (ITS#7459) + * Fixed slapo-rwm modrdn cleanup (ITS#7414) + * Fixed slapo-sssvlv maxperconn parameter (ITS#7484) + +------------------------------------------------------------------- +Mon Jun 17 14:37:45 UTC 2013 - jengelh@inai.de + +- For now, avoid automatic use of libdb-6_0 by explicitly selecting + libdb-4_8 as BuildRequire. + +------------------------------------------------------------------- +Mon Mar 25 16:08:21 UTC 2013 - jengelh@inai.de + +- Put static libs into openldap2-devel-static and relieve + openldap2-devel of static-only deps + +------------------------------------------------------------------- +Sat Nov 17 12:06:23 CET 2012 - ro@suse.de + +- fix check-build.sh for kernel > 3.0 + +------------------------------------------------------------------- +Fri Nov 16 09:52:42 UTC 2012 - rhafer@suse.com + +- Fixed initscript to avoid endless loop when no configuration + is present in /etc/openldap/slapd.d/ (bnc#767464) +- cleaned up SLES10 buildrequires and dependencies +- removed support for building on SLES9, didn't work anyway anymore +- Don't buildrequire krb5-mini on Distributions where it does not + exist + +------------------------------------------------------------------- +Fri Oct 26 12:38:46 UTC 2012 - rhafer@suse.com + +- enabled mdb backend +- Update to 2.4.33 + * Added slapd-meta cn=config support + * Fixed slapd alock handling on 
Windows (ITS#7361) + * Fixed slapd acl handling with zero-length values (ITS#7350) + * Fixed slapd syncprov to not reference ops inside a lock (ITS#7172) + * Fixed slapd delta-syncrepl MMR with large attribute values (ITS#7354) + * Fixed slapd slapd_rw_destroy function (ITS#7390) + * Fixed slapd-ldap idassert bind handling (ITS#7403) + * Fixed slapo-constraint with multiple modifications (ITS#7168) + Changes in 2.4.32: + * Added slappasswd loadable module support (ITS#7284) + * Fixed tools to not clobber SASL_NOCANON (ITS#7271) + * Fixed libldap function declarations (ITS#7293) + * Fixed libldap double free (ITS#7270) + * Fixed libldap debug level setting (ITS#7290) + * Fixed libldap gettime() regression (ITS#6262) + * Fixed libldap sasl handling (ITS#7118, ITS#7133) + * Fixed libldap to correctly free socket with TLS (ITS#7241) + * Fixed slapd config index renumbering (ITS#6987) + * Fixed slapd duplicate error response (ITS#7076) + * Fixed slapd parsing of PermissiveModify control (ITS#7298) + * Fixed slapd-bdb/hdb cache hang under high load (ITS#7222) + * Fixed slapd-bdb/hdb alias checking (ITS#7303) + * Fixed slapd-bdb/hdb olcDbConfig changes work immediately (ITS#7338) + * Fixed slapd-ldap to encode user DN during password change (ITS#7319) + * Fixed slapd-ldap assertion when proxying to MS AD (ITS#6851) + * Fixed slapd-ldap monitoring (ITS#7182, ITS#7225) + * Fixed slapd-perl panic (ITS#7325) + * Fixed slapo-accesslog memory leaks with sync replication (ITS#7292) + * Fixed slapo-syncprov memory leaks with sync replication (ITS#7292) + +------------------------------------------------------------------- +Fri Oct 26 08:44:23 UTC 2012 - coolo@suse.com + +- add explicit buildrequire on groff - needed to build manuals + +------------------------------------------------------------------- +Tue Oct 16 07:38:01 UTC 2012 - coolo@suse.com + +- buildrequire krb5-mini in openldap2-client to avoid cycle +- move Summary out of the %if as prepare_spec is confused about + the 
license otherwise + +------------------------------------------------------------------- +Thu May 10 09:22:52 UTC 2012 - rhafer@suse.de + +- update to 2.4.31 + * Added slapo-accesslog support for reqEntryUUID (ITS#6656) + * Fixed libldap IPv6 URL detection (ITS#7194) + * Fixed libldap rebinding on failed connection (ITS#7207) + * Fixed slapd listener initialization (ITS#7233) + * Fixed slapd cn=config with olcTLSVerifyClient (ITS#7197) + * Fixed slapd delta-syncrepl fallback on non-leaf error (ITS#7195) + * Fixed slapd to reject MMR setups with bad serverID setting + (ITS#7200) + * Fixed slapd approxIndexer key generation (ITS#7203) + * Fixed slapd modification of olcSuffix (ITS#7205) + * Fixed slapd schema validation with missing definitions + (ITS#7224) + * Fixed slapd syncrepl -c with supplied CSN values (ITS#7245) + * Fixed slapd-bdb/hdb idlcache with only one element (ITS#7231) + * Fixed slapo-accesslog deadlock with non-logged write ops + (ITS#7088) + * Fixed slapo-syncprov sessionlog check (ITS#7218) + * Fixed slapo-syncprov entry leak (ITS#7234) + * Fixed slapo-syncprov startup initialization (ITS#7235) + +------------------------------------------------------------------- +Mon Apr 23 07:08:13 UTC 2012 - rhafer@suse.de + +- Disabled testsuite for now. 
Causes problems in the buildserivce + +------------------------------------------------------------------- +Tue Mar 6 12:23:35 UTC 2012 - rhafer@suse.de + +- Update to 2.4.30 + * Fixed libldap socket polling for writes (ITS#7167) + * Fixed liblutil string modifications (ITS#7174) + * Fixed slapd crash when attrsOnly is true (ITS#7143) + * Fixed slapd syncrepl delete handling (ITS#7052,ITS#7162) + * Fixed slapo-pcache time-to-refesh handling (ITS#7178) + * Fixed slapo-syncprov loop detection (ITS#6024) + +------------------------------------------------------------------- +Mon Feb 27 14:14:23 UTC 2012 - rhafer@suse.de + +- Update to 2.4.29 + * Fixed slapd cn=config modification of first schema element + (ITS#7098) + * Fixed slapd operation reuse (ITS#7107) + * Fixed slapd blocked writers to not interfere with pool pause + (ITS#7115) + * Fixed slapd connection loop connindex usage (ITS#7131) + * Fixed slapd double mutex unlock via connection_done (ITS#7125) + * Fixed slapd check order in connection_write (ITS#7113) + * Fixed slapd slapadd to exit on failure (ITS#7142) + * Fixed slapd syncrepl reference to freed memory + (ITS#7127,ITS#7132) + * Fixed slapd syncrepl to ignore some errors on delete + (ITS#7052) + * Fixed slapd syncrepl to handle missing oldRDN (ITS#7144) + * Fixed slapd-monitor compare op to update cached entry + (ITS#7123) + * Fixed slapo-syncprov with already abandoned operation + (ITS#7150) +- Included patches from RE24 branch: + * only poll sockets for write as needed (ITS#7167, bnc#749082) + * sycnrepl Fixes (ITS#7162) + +------------------------------------------------------------------- +Wed Dec 7 11:10:19 UTC 2011 - cfarrell@suse.com + +- license update: OLDAP-2.8 + SPDX format (http://www.spdx.org/licenses) + +------------------------------------------------------------------- +Fri Dec 2 16:11:01 UTC 2011 - rhafer@suse.de + +- Update to 2.4.28 + * Fixed back-mdb out of order slapadd (ITS#7090) + changes in OpenLDAP 2.4.27 Release (2011/11/24): 
+ * Added slapd delta-syncrepl MMR (ITS#6734,ITS#7029,ITS#7031) + * Fixed ldapmodify crash with LDIF controls (ITS#7039) + * Fixed ldapsearch to honor timeout and timelimit (ITS#7009) + * Fixed libldap endless looping (ITS#7035) + * Fixed libldap TLS to not check hostname when using 'allow' + (ITS#7014) + * Fixed slapadd common code into slapcommon (ITS#6737) + * Fixed slapd backend connection initialization (ITS#6993) + * Fixed slapd frontend DB parsing in cn=config (ITS#7016) + * Fixed slapd hang with {numbered} overlay insertion (ITS#7030) + * Fixed slapd inet_ntop usage (ITS#6925) + * Fixed slapd cn=config deletion of bitmasks (ITS#7083) + * Fixed slapd cn=config modify replace/delete crash (ITS#7065) + * Fixed slapd schema UTF8StringNormalize with 0 length values + (ITS#7059) + * Fixed slapd with dynamic acls for cn=config (ITS#7066) + * Fixed slapd response callbacks (ITS#6059,ITS#7062) + * Fixed slapd no_connection warnings with ldapi + (ITS#6548,ITS#7092) + * Fixed slapd return code processing (ITS#7060) + * Fixed slapd sl_malloc various issues (ITS#6437) + * Fixed slapd startup behavior (ITS#6848) + * Fixed slapd syncrepl crash with non-replicated ops (ITS#6892) + * Fixed slapd syncrepl with modrdn (ITS#7000,ITS#6472) + * Fixed slapd syncrepl timeout when using refreshAndPersist + (ITS#6999) + * Fixed slapd syncrepl deletes need a non-empty CSN (ITS#7052) + * Fixed slapd syncrepl glue for empty suffix (ITS#7037) + * Fixed slapd results cleanup (ITS#6763,ITS#7053) + * Fixed slapd validation of args for TLSCertificateFile + (ITS#7012) + * Fixed slapd-bdb/hdb to build entry DN based on parent DN + (ITS#5326) + * Fixed slapd-hdb with zero-length entries (ITS#7073) + * Fixed slapd-hdb duplicate entries in subtree IDL cache + (ITS#6983) + * Fixed slapo-pcache response cleanup (ITS#6981) + * Fixed slapo-ppolicy pwdAllowUserChange behavior (ITS#7021) + * Fixed slapo-sssvlv issue with greaterThanorEqual (ITS#6985) + * Fixed slapo-sssvlv to only return requested 
attrs (ITS#7061) + * Fixed slapo-syncprov DSA attribute filtering for Persist mode + (ITS#7019) + * Fixed slapo-syncprov when consumer has newer state of our SID + (ITS#7040) + * Fixed slapo-syncprov crash (ITS#7025) + * Added missing LDIF form of schema files (ITS#7063) + +------------------------------------------------------------------- +Fri Nov 25 10:42:39 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de + +- ACL changes to the config database only got active after slapd + restart in certain cases (bnc#716895, ITS#7066). +- Adjusted default DB_CONFIG to increase max values for locks and + lock objects (bnc#719803) +- Fix UTF8StringNormalize overrun on zero-length string + (bnc#724201, ITS#7059) + +------------------------------------------------------------------- +Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de + +- Update to 2.4.26 + * Added libldap LDAP_OPT_X_TLS_PACKAGE (ITS#6969) + * Fixed libldap descriptor leak (ITS#6929) + * Fixed libldap socket leak (ITS#6930) + * Fixed libldap get option crash (ITS#6931) + * Fixed libldap lockup (ITS#6898) + * Fixed libldap ASYNC TLS setup (ITS#6828) + * Fixed libldap with missing \n terminations (ITS#6947) + * Fixed tools double free (ITS#6946) + * Fixed tools verbose output (ITS#6977) + * Fixed ldapmodify SEGV on invalid LDIF (ITS#6978) + * Added slapd extra_attrs database option (ITS#6513) + * Fixed slapd asserts (ITS#6932) + * Fixed slapd configfile param on windows (ITS#6933) + * Fixed slapd config with global chaining (ITS#6843) + * Fixed slapd uninitialized variables (ITS#6935) + * Fixed slapd config objectclass is readonly (ITS#6963) + * Fixed slapd entry response with control (ITS#6899) + * Fixed slapd with unknown attrs (ITS#6819) + * Fixed slapd normalization of schema RDN (ITS#6967) + * Fixed slapd operations cache to 10 op limit (ITS#6944) + * Fixed 
slapd syncrepl crash with non-replicated ops (ITS#6892) + * Fixed slapd-bdb/hdb with sparse index ranges (ITS#6961) + * Fixed back-ldap ppolicy updates (ITS#6711) + * Fixed back-ldap with id-assert (ITS#6817) + * Fixed various slapo-pcache issues (ITS#6823, ITS#6950, + ITS#6951, ITS#6953, ITS#6954) + * Fixed slapo-pcache database corruption (ITS#6831) + * Fixed slapo-syncprov with replicated subtrees (ITS#6872) +- backported delete support for child entries of overlays from + master (bnc#704398) + +------------------------------------------------------------------- +Tue Mar 29 15:29:38 UTC 2011 - rhafer@suse.de + +- Updated to 2.4.25, important changes: + * Fixed ldapsearch pagedresults loop (ITS#6755) + * Fixed tools for incompatible args (ITS#6849) + * Fixed libldap MozNSS crash (ITS#6863) + * Fixed slapd add objectclasses in order (ITS#6837) + * Added slapd ordering for uidNumber and gidNumber (ITS#6852) + * Fixed slapd segfault when adding values out of order (ITS#6858) + * Fixed slapd sortval handling (ITS#6845) + * Fixed slapd-bdb with slapadd/index quick option (ITS#6853) + * Fixed slapd-ldap chain cn=config support (ITS#6837) + * Fixed slapd-ldap chain with slapd.conf (ITS#6857) + * Fixed slapd-meta deadlock (ITS#6846) + * Fixed slapo-sssvlv with multiple requests (ITS#6850) + * Fixed contrib/lastbind install rules (ITS#6238) + * Fixed contrib/cloak install rules (ITS#6877) + +------------------------------------------------------------------- +Tue Feb 22 09:46:04 UTC 2011 - rhafer@suse.de + +- Surpress gcc warnings about extra format string arguments for 2.3.x + built as well. 
+
+-------------------------------------------------------------------
+Mon Feb 14 11:09:36 UTC 2011 - rhafer@suse.de
+
+- Updated to 2.4.24, important changes:
+ * Added libldap_r,libldap formal concurrency API (ITS#6625,ITS#5421)
+ * Added slapadd attribute value checking (ITS#6592)
+ * Added slapcat continue mode for problematic DBs (ITS#6482)
+ * Added slapd syncrepl suffixmassage support (ITS#6781)
+ * Fixed liblber to not close invalid sockets (ITS#6585)
+ * Fixed libldap referral chasing (ITS#6602)
+ * Fixed libldap leak when chasing referrals (ITS#6744)
+ * Fixed slapd acl parsing overflow (ITS#6611)
+ * Fixed slapd acl when resuming parsing (ITS#6804)
+ * Fixed slapd default config acls with overlays (ITS#6822)
+ * Fixed slapd config leak with olcDbDirectory (ITS#6634)
+ * Fixed slapd when first acl is value dependent (ITS#6693)
+ * Fixed slapd-bdb slapadd -q with glued dbs (ITS#6794)
+ * Fixed slapo-ppolicy don't update opattrs on consumers (ITS#6608)
+ * Fixed slapo-ppolicy to allow userPassword deletion (ITS#6620)
+ * Fixed slapo-syncprov to send error if consumer is newer (ITS#6606)
+ * Fixed slapo-syncprov filter race condition (ITS#6708)
+ * Fixed slapo-syncprov active mod race (ITS#6709)
+ * Fixed slapo-syncprov to refresh if context is dirty (ITS#6710)
+ * Fixed slapo-syncprov CSN updates to all replicas (ITS#6718)
+ * Fixed slapo-syncprov sessionlog ordering (ITS#6716)
+ * Fixed slapo-syncprov sessionlog with adds (ITS#6503)
+ * Fixed slapo-syncprov mutex (ITS#6438)
+ * Fixed slapo-syncprov mincsn check with MMR (ITS#6717)
+ * Fixed slapo-syncprov control leak (ITS#6795)
+ * Fixed slapo-syncprov error codes (ITS#6812)
+ * For a comprehensive list of changes please consult the CHANGES
+ file
+- removed unneeded openSUSE 11.0 specifc patch
+
+-------------------------------------------------------------------
+Tue Feb 1 10:08:06 UTC 2011 - rhafer@suse.de
+
+- slapadd -q could crash for glued bdb/hdb databases
+
+-------------------------------------------------------------------
+Wed Jan 19 15:05:27 UTC 2011 - rhafer@suse.de
+
+- Install the correct schema2ldif script (bnc#665530)
+
+-------------------------------------------------------------------
+Wed Jan 5 15:48:27 UTC 2011 - rhafer@novell.com
+
+- Fixed quotation in init-script to avoid errors when calling it
+ from within /etc/openldap/slapd.d/cn=config/ (bnc#660492).
+
+-------------------------------------------------------------------
+Fri Nov 12 12:31:57 UTC 2010 - rhafer@novell.com
+
+- Surpress gcc warnings about extra format string arguments.
+- Split-off openldap2-doc (noarch) package (Admin Guide and IDs)
+- Backported -VVV commandline switch for slapd from HEAD
+ (to list enabled static overlays)
+- Build all overlays except syncprov and ppolicy as dynamic modules
+ (Fixes bnc#648479, FATE#307837)
+- Added README.dynamic-overlays to point out some details about
+ dynamic overlays
+- simplified pie-compile patch and adjusted it to work with
+ dynamic overlays
+
+-------------------------------------------------------------------
+Tue Oct 5 14:39:46 UTC 2010 - rhafer@novell.com
+
+- Handle the libdb-4_5 -> libdb-4_8 Version update by opening the
+ Databases with DB_RECOVER if a version mismatch is detected.
+
+-------------------------------------------------------------------
+Sun Oct 3 22:55:34 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Do not include Build date and time in binaries, this
+ avoids build-compare failures and unhelpful rebuilds/republishes
+
+-------------------------------------------------------------------
+Wed Sep 29 09:21:52 UTC 2010 - rhafer@novell.com
+
+- Don't build 2.3 slapcat anymore for 11.3 and newer. We switch to
+ 2.4 long ago.
+- Removed automatic 2.3->2.4 migration in %post +- moved back-sql examples to make rpmlint happy + +------------------------------------------------------------------- +Thu Aug 26 14:04:06 UTC 2010 - rhafer@novell.com + +- Fix listener URIs in init script to make SLP registration work + again (bnc#620389) + +------------------------------------------------------------------- +Fri Jul 23 07:49:40 UTC 2010 - rhafer@novell.com + +- Fixed RPM Group and Summary Tags (bnc#624980) + +------------------------------------------------------------------- +Thu Jul 1 13:02:13 UTC 2010 - rhafer@novell.com + +- Updated to 2.4.23: + * Fixed libldap to return server's error code (ITS#6569) + * Fixed libldap memleaks (ITS#6568) + * Fixed liblutil off-by-one with delta (ITS#6541) + * Fixed slapd acls with glued databases (ITS#6468) + * Fixed slapd syncrepl rid logging (ITS#6533) + * Fixed slapd modrdn handling of invalid values (bnc#612430, + ITS#6570) + * Fixed slapd-bdb hasSubordinates computation (ITS#6549) + * Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474) + * Fixed slapd-bdb entry cache delete failure (ITS#6577) + * Fixed slapd-ldap to return control responses (ITS#6530) + * Fixed slapo-ppolicy to use Debug (ITS#6566) + * Fixed slapo-refint to zero out freed DN vals (ITS#6572) + * Fixed slapo-rwm to use Debug (ITS#6566) + * Fixed slapo-sssvlv to use Debug (ITS#6566) + * Fixed slapo-syncprov lost deletes in refresh phase (bnc#606294, + ITS#6555) + * Fixed slapo-valsort to use Debug (ITS#6566) + * Fixed contrib/nssov network.c missing patch (ITS#6562) +- New subpackage openldap2-back-sql. 
Contains the SQL backend + module plus some documentation (bnc#395719) +- generate Patches from git tree (resulted in all patches being + renamed) +- installing binaries without stripping them is done by setting + the STRIP enviroment variable instead for patching the Makefile + now +- Fixed a bug in the syncprov overlay which could lead to not + replicate delete Operations (ITS#6555, bnc#606294) +- BuildRequires cleanup + +------------------------------------------------------------------- +Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com + +- LDAP clients could crash the server by submitting a specially + crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) +- Delete Operations happening during the "Refresh" phase of + "refreshAndPersist" replication failed to replicate under + certain circumstances (bnc#606294, ITS#6555) + +------------------------------------------------------------------- +Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com + +- Create /var/run/slapd on demand. /var/run might be mounted on + tmpfs. + +------------------------------------------------------------------- +Thu Apr 15 08:18:49 UTC 2010 - adrian@suse.de + +- fix build dependency cycle for -client package with openslp + +------------------------------------------------------------------- +Wed Mar 17 13:06:12 UTC 2010 - rhafer@novell.com + +- Fixed quotation in sed expression to escape ldapi path in init + script + +------------------------------------------------------------------- +Tue Mar 16 10:01:39 UTC 2010 - rhafer@novell.com + +- Removed obsolete hunk from openldap2.dif +- Remove ldap.conf patch to use saner default for Certificate + verification (bnc#575146) + +------------------------------------------------------------------- +Sat Feb 13 23:11:03 CET 2010 - rguenther@suse.de + +- Add fix for stricter fortification checks of GCC 4.5. 
+ +------------------------------------------------------------------- +Thu Jan 7 15:47:20 UTC 2010 - rhafer@novell.com + +- Updated to 2.4.21: + * Fixed liblutil for negative microsecond offsets (ITS#6405) + * Fixed slapd global settings to work without restart (ITS#6428) + * Fixed slapd looping with SSL/TLS connections (ITS#6412) + * Fixed slapd syncrepl freeing tasks from queue (ITS#6413) + * Fixed slapd syncrepl parsing of tls defaults (ITS#6419) + * Fixed slapd syncrepl uninitialized variables (ITS#6425) + * Fixed slapd-config Adds with Abstract classes (ITS#6408) + * Fixed slapo-dynlist behavior with simple filters (ITS#6421) + * Fixed slapd-ldif access outside database directory (ITS#6414) + * Fixed slapo-translucent with back-null (ITS#6403) + * Fixed slapo-unique criteria checking (ITS#6270) +- removed some obsolete RPM dependencies +- Added missing tags to init script to silence rpmlint warnings + +------------------------------------------------------------------- +Thu Dec 10 15:41:11 UTC 2009 - rhafer@novell.com + +- Fixed an issue in back-config's objectclass inheritence code that + could cause the server to fail to start or to spin in an endless + loop (bnc#558059,ITS#6408) +- default the tls_reqcert parameter of a syncrepl config to + "demand" as documented even if other tls_ options are absent + (bnc#558397, ITS#6319) +- apply changes to the global size and timelimits to all database + that don't specify limits themself. 
(bnc#562184, ITS#6428) + +------------------------------------------------------------------- +Mon Nov 30 16:09:22 UTC 2009 - rhafer@novell.com + +- Update to 2.4.20 (fate#306593), most important fixes since 2.4.19 + * Fixed liblber embedded NUL values in BerValues (ITS#6353) + * Fixed libldap sasl buffer sizing (ITS#6327,ITS#6334) + * Fixed libldap uninitialized return value (ITS#6355) + * Fixed libldap unlimited timeout (ITS#6388) + * Added slapd handling of hex server IDs (ITS#6297) + * Fixed slapd checks of str2filter (ITS#6391) + * Fixed slapd configArgs initialization (ITS#6363) + * Fixed slapd db_open with connection_fake_init (ITS#6381) + * Fixed slapd with embedded \0 in bervals (ITS#6378,ITS#6379) + * Fixed slapd inclusion of ac/unistd.h (ITS#6342) + * Fixed slapd sl_free to better reclaim memory (ITS#6380) + * Fixed slapd syncrepl deletes in MirrorMode (ITS#6368) + * Fixed slapd syncrepl to use correct SID (ITS#6367) + * Fixed slapd tls_accept to retry in certain cases (ITS#6304) + * Fixed slapd-bdb/hdb cache corruption (ITS#6341) + * Fixed slapd-bdb/hdb entry cache (ITS#6360) + * Fixed slapo-syncprov checkpoint conversion (ITS#6370) + * Fixed slapo-syncprov deadlock (ITS#6335) + * Fixed slapo-syncprov out of order changes (ITS#6346) +- Added switch to enable/disable testsuite (%run_test_suite) + +------------------------------------------------------------------- +Tue Nov 3 19:13:32 UTC 2009 - coolo@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Mon Sep 28 13:59:18 UTC 2009 - rhafer@novell.com + +- Added schema2ldif tool to openldap2-client subpackage + (bnc#541819) + +------------------------------------------------------------------- +Wed Sep 23 15:35:13 UTC 2009 - rhafer@novell.com + +- Changed permissions on /var/run/slapd to a saner default for + ldapi:/// (bnc#536729) + +------------------------------------------------------------------- +Wed Sep 9 07:48:20 UTC 2009 - 
rhafer@novell.com + +- libldap's check of the hostname against the TLS Certificate's CN + Attribute did not handle possible NUL bytes in the CN correctly + and was vulnerable against attacks with spoofed Certificates. + (bnc#537143, ITS#6239) + +------------------------------------------------------------------- +Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com + +- Update to 2.4.17. Most important changes: + * Fixed liblber to use ber_strnlen (ITS#6080) + * Fixed libldap openssl digest initialization (ITS#6192) + * Fixed libldap tls NULL error messages (ITS#6079) + * Added slapd sasl auxprop support (ITS#6147) + * Added slapd schema checking tool (ITS#6150) + * Added slapd writetimeout keyword (ITS#5836) + * Fixed slapd abandon/cancel handling for some ops (ITS#6157) + * Fixed slapd access setstyle to expand (ITS#6179) + * Fixed slapd assert with closing connections (ITS#6111) + * Fixed slapd bind race condition (ITS#6189) + * Fixed slapd cert validation (ITS#6098) + * Fixed slapd connection_destroy assert (ITS#6089) + * Fixed slapd csn normalization (ITS#6195) + * Fixed slapd errno handling (ITS#6037) + * Fixed slapd hung writers (ITS#5836) + * Fixed slapd ldapi issues (ITS#6056) + * Fixed slapd normalization of updated schema attributes (ITS#5540) + * Fixed slapd olcLimits handling (ITS#6159) + * Fixed slapd olcLogLevel with hex levels (ITS#6162) + * Fixed slapd sending cancelled operations results (ITS#6103) + * Fixed slapd slapi_entry_has_children (ITS#6132) + * Fixed slapd sockets usage on windows (ITS#6039) + * Fixed slapd some abandon and cancel race conditions (ITS#6104) + * Fixed slapd tls context after changes (ITS#6135) + * Fixed slapd-bdb/hdb adjust dncachesize if too low (ITS#6176) + * Fixed slapd-bdb/hdb crashes during delete (ITS#6177) + * Fixed slapd-bdb/hdb multiple olcIndex for same attr (ITS#6196) + * Fixed slapd-hdb freeing of already freed entries (ITS#6074) + * Fixed slapd-hdb entryinfo cleanup (ITS#6088) + * Fixed slapd-hdb dncache lockups 
(ITS#6095)
+ * Fixed slapd-ldap deadlock with non-responsive TLS URIs (ITS#6167)
+ * Fixed slapo-ppolicy to honor pwdLockout (ITS#6168)
+ * Fixed slapo-ppolicy to return check modules error message (ITS#6082)
+ * Added slapo-rwm rwm-drop-unrequested-attrs config option (ITS#6057)
+ * Fixed slapo-rwm dn passing (ITS#6070)
+ * Fixed slapo-rwm entry free/release (ITS#6058, ITS#6081)
+ * Fixed tools returning ldif errors (ITS#5892)
+- Backported fix for failing back-monitor test from HEAD
+- re-enabled some formerly disabled tests from the testsuite
+
+-------------------------------------------------------------------
+Mon Jun 29 14:24:56 CEST 2009 - rhafer@novell.com
+
+- Fixed Summary/Description for -client subpackage
+
+-------------------------------------------------------------------
+Thu Jun 25 17:29:03 CEST 2009 - rhafer@novell.com
+
+- Improved connection check in init script (bnc#510295)
+
+-------------------------------------------------------------------
+Mon Jun 15 12:12:17 CEST 2009 - rhafer@novell.com
+
+- Fixed complilation with newer glibc (2.3.X release needs
+ GNU_SOURCE defined as well in getpeerid.c)
+
+-------------------------------------------------------------------
+Wed Apr 29 17:07:33 CEST 2009 - rhafer@novell.com
+
+- gcc 4.4 fixes
+
+-------------------------------------------------------------------
+Mon Apr 6 15:41:05 CEST 2009 - rhafer@suse.de
+
+- Update to 2.4.16.
Most important fixes:
+ * Fixed libldap segfault in checking cert/DN (ITS#5976)
+ * Fixed libldap peer cert double free (ITS#5849)
+ * Fixed libldap referral chasing (ITS#5980)
+ * Fixed slapd backglue with empty DBs (ITS#5986)
+ * Fixed slapd ctxcsn race condition (ITS#6001)
+ * Fixed slapd debug message (ITS#6027)
+ * Fixed slapd redundant module loading (ITS#6030)
+ * Fixed slapd schema_init freed value (ITS#6036)
+ * Fixed slapd syncrepl newCookie sync messages (ITS#5972)
+ * Fixed slapd syncrepl hang during shutdown (ITS#6011)
+ * Fixed slapd syncrepl too many MMR messages (ITS#6020)
+ * Fixed slapd syncrepl skipped entries with MMR (ITS#5988)
+ * Fixed slapd-bdb/hdb cachesize handling (ITS#5860)
+ * Fixed slapd-bdb/hdb with slapcat with empty dn (ITS#6006)
+ * Fixed slapd-bdb/hdb with NULL transactions (ITS#6012)
+ * Fixed slapd-ldap incorrect referral handling (ITS#6003,ITS#5916)
+ * Fixed slapd-ldap/meta with broken AD results (ITS#5977)
+ * Fixed slapd-ldap/meta with invalid attrs again (ITS#5959)
+ * Fixed slapo-accesslog interaction with ppolicy (ITS#5979)
+ * Fixed slapo-dynlist conversion to cn=config (ITS#6002)
+ * Fixed various slapo-syncprov issues (ITS#5972, ITS#6020,
+ ITS#5985, ITS#5999, ITS#5973, ITS#6045, ITS#6024, ITS#5988)
+- Fix building on older openSUSE releases
+
+-------------------------------------------------------------------
+Fri Mar 20 14:00:20 CET 2009 - rhafer@suse.de
+
+- Update to 2.4.15.
Most important changes:
+ * Fixed slapd bconfig conversion again (ITS#5346)
+ * Fixed slapd behavior with superior objectClasses again (ITS#5517)
+ * Fixed slapd RFC4512 behavior with same attr in RDN (ITS#5968)
+ * Fixed slapd corrupt contextCSN (ITS#5947)
+ * Fixed slapd syncrepl order to match on add/delete (ITS#5954)
+ * Fixed slapd adding rdn with other values (ITS#5965)
+ * Fixed slapd-bdb/hdb behavior with unallocatable shm (ITS#5956)
+ * Fixed slapd-ldap/meta with entries with invalid attrs (ITS#5959)
+ * Fixed slapo-pcache caching invalid entries (ITS#5927)
+ * Fixed slapo-syncprov csn updates (ITS#5969)
+ * Added libldap option to disable SASL host canonicalization (ITS#5812)
+ * Fixed libldap chasing multiple referrals (ITS#5853)
+ * Fixed libldap setuid usage with .ldaprc (ITS#4750)
+ * Fixed libldap deref handling (ITS#5768)
+ * Fixed libldap NULL pointer deref (ITS#5934)
+ * Fixed libldap peer cert memory leak (ITS#5849)
+ * Fixed libldap intermediate response behavior (ITS#5896)
+ * Fixed libldap IPv6 address handling (ITS#5937)
+ * Fixed libldap_r deref building (ITS#5768)
+ * Fixed libldap_r slapd lockup when paused during shutdown (ITS#5841)
+ * Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
+ * Fixed slapd acl application to newly created backends (ITS#5572)
+ * Fixed slapd bconfig to return error codes (ITS#5867)
+ * Fixed slapd bconfig encoding incorrectly (ITS#5897)
+ * Fixed slapd bconfig dangling pointers (ITS#5924)
+ * Fixed slapd epoll handling (ITS#5886)
+ * Fixed slapd glue with MMR (ITS#5925)
+ * Fixed slapd listener comparison (ITS#5613)
+ * Fixed various syncrepl issues (ITS#5809,ITS#5850, ITS#5843,
+ ITS#5866, ITS#5901, ITS#5881, ITS#5935, ITS#5710,
+ ITS#5781, ITS#5809, ITS#5798, ITS#5826)
+ * Fixed slapd-bdb/hdb dncachesize handling (ITS#5860)
+ * Fixed slapd-bdb/hdb trickle task usage (ITS#5864)
+ * Fixed slapd-hdb idlcache with empty suffix (ITS#5859)
+
+-------------------------------------------------------------------
+Wed
Jan 7 12:34:56 CET 2009 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Fri Dec 12 14:45:07 CET 2008 - rhafer@suse.de
+
+- Fixed openldap2-devel dependencies (bnc#457989)
+
+-------------------------------------------------------------------
+Tue Dec 9 11:11:38 CET 2008 - rhafer@suse.de
+
+- Fixed a bug in the threadpool implementation that could cause
+ slapd to lockup when shutting down while the pool is paused.
+ (bnc#450457, ITS#5841)
+
+-------------------------------------------------------------------
+Fri Nov 28 14:08:16 CET 2008 - rhafer@suse.de
+
+- Disable the slapadd trickle-task it cause performance issues
+ when using libdb-4.5 (bnc#449641)
+- removed obsolete configure option (ldbm backend does not exist
+ in OpenLDAP 2.4)
+
+-------------------------------------------------------------------
+Fri Nov 21 16:39:20 CET 2008 - ro@suse.de
+
+- update check-build.sh
+
+-------------------------------------------------------------------
+Wed Nov 5 12:01:57 CET 2008 - rhafer@suse.de
+
+- Fixed database shutdown sequence (bnc#441774, ITS#5745)
+
+-------------------------------------------------------------------
+Tue Nov 4 14:10:24 CET 2008 - rhafer@suse.de
+
+- Handle ldbm databases in updates from 2.3 release (bnc#440589)
+
+-------------------------------------------------------------------
+Thu Oct 23 12:59:08 CEST 2008 - rhafer@suse.de
+
+- the helper function to create various LDAP controls returned
+ wrong error codes under certain circumstances
+ (bnc#429064, ITS#5762)
+- Fixed referral chasing in chain-overlay (bnc#438088, ITS#5742)
+- Fixed back-config integration of overlays with private instances
+ of databases (translucent, chain, ...)
(bnc#438094, ITS#5736)
+
+-------------------------------------------------------------------
+Mon Oct 13 11:33:57 CEST 2008 - rhafer@suse.de
+
+- Added missing #include to slapo-collect
+
+-------------------------------------------------------------------
+Sun Oct 12 23:51:09 CEST 2008 - rhafer@suse.de
+
+- Update to 2.4.12. Most important changes:
+ * Fixed libldap ldap_utf8_strchar arguments (ITS#5720)
+ * Fixed libldap TLS_CRLFILE (ITS#5677)
+ * Fixed librewrite memory handling (ITS#5691)
+ * Fixed slapd attribute leak (ITS#5683)
+ * Fixed slapd config backend with index greater than sibs (ITS#5684)
+ * Fixed slapd custom attribute inheritance (ITS#5642)
+ * Fixed slapd firstComponentMatch normalization (ITS#5634)
+ * Fixed slapd connection events enabled twice (ITS#5725)
+ * Fixed slapd memory handling (ITS#5691)
+ * Fixed slapd objectClass canonicalization (ITS#5681)
+ * Fixed slapd objectClass termination (ITS#5682)
+ * Fixed slapd overlay control registration (ITS#5649)
+ * Fixed slapd runqueue checking (ITS#5726)
+ * Fixed slapd sortvals comparison (ITS#5578)
+ * Fixed slapd syncrepl contextCSN detection (ITS#5675)
+ * Fixed slapd syncrepl error logging (ITS#5618)
+ * Fixed slapd syncrepl runqueue interval (ITS#5719)
+ * Fixed slapd-bdb entry return if attr not present (ITS#5650)
+ * Fixed slapd-bdb/hdb release search entries earlier (ITS#5728,ITS#5730)
+ * Fixed slapd-bdb/hdb subtree search with empty suffix (ITS#5729)
+ * Fixed slapo-memberof internal operations DN (ITS#5622)
+ * Fixed slapo-pcache attrset crash (ITS#5665)
+ * Fixed slapo-pcache caching with invalid schema (ITS#5680)
+ * Fixed slapo-ppolicy control return on password modify exop (ITS#5711)
+- removed obsolete patches
+
+-------------------------------------------------------------------
+Mon Oct 6 10:49:23 CEST 2008 - rhafer@suse.de
+
+- remove some problematic test-cases, that cause a lot of
+ unreproducable buildfailures
+- check for exisitence of /etc/openldap/slapd.conf in
init-script
+ assume back-config usage if it isn't present (bnc#428168)
+
+-------------------------------------------------------------------
+Wed Sep 24 10:58:09 CEST 2008 - rhafer@suse.de
+
+- Mark Schema and SuSEfirewall files as %config
+- openldap2-back-perl requires perl
+- Give more meaningful error messages when index configuration
+ fails (bnc#429150)
+
+-------------------------------------------------------------------
+Fri Sep 19 17:52:55 CEST 2008 - rhafer@suse.de
+
+- Reduced debug-level during "make test" to reduce required disk
+ space and buildtime
+
+-------------------------------------------------------------------
+Thu Sep 18 13:02:21 CEST 2008 - rhafer@suse.de
+
+- Fixed init-script dependencies (bnc#426214)
+
+-------------------------------------------------------------------
+Fri Sep 12 10:09:28 CEST 2008 - rhafer@suse.de
+
+- Backported fix for a crash in back-config when adding entries with
+ a too large index (ITS#5684)
+- Backported fix for a crash when adding an invalid olcBdbConfig
+ Entry to back-config (ITS#5698)
+
+-------------------------------------------------------------------
+Tue Sep 9 17:22:18 CEST 2008 - rhafer@suse.de
+
+- Removed getaddrinfo workaround. Recent glibc doesn't need it
+ anymore (bnc#288879, ITS#5251)
+- Server requires libldap of the same version.
+
+-------------------------------------------------------------------
+Mon Sep 8 16:07:47 CEST 2008 - rhafer@suse.de
+
+- Import back-config support for deleting databases from CVS HEAD
+
+-------------------------------------------------------------------
+Tue Sep 2 09:18:05 CEST 2008 - rhafer@suse.de
+
+- Dropped evolution specific ntlm-bind Patch (Fate#303480)
+
+-------------------------------------------------------------------
+Thu Aug 28 11:46:08 CEST 2008 - rhafer@suse.de
+
+- added ldapns.schema , to allow to use pam_ldap's "check_host_attr"
+ and "check_service_attr" features (bnc#419984)
+- backport overlay_register_control fix from HEAD (bnc#420016,
+ ITS#5649)
+
+-------------------------------------------------------------------
+Mon Aug 18 18:10:07 CEST 2008 - mrueckert@suse.de
+
+- remove outdated options in the fillup_and_insserv call
+
+-------------------------------------------------------------------
+Mon Aug 18 11:00:13 CEST 2008 - rhafer@suse.de
+
+- fixed LSB-Headers in init-script
+
+-------------------------------------------------------------------
+Wed Aug 13 17:25:25 CEST 2008 - ro@suse.de
+
+- try to fix build for buildservice
+ (BUILD_INCARNATION can be empty)
+
+-------------------------------------------------------------------
+Mon Aug 11 11:06:08 CEST 2008 - rhafer@suse.de
+
+- /usr/lib/sasl2/slapd.conf was moved to /etc/sasl2/slapd.conf
+ (bnc#412652)
+- adjust ownerships of database directories even when using
+ back-config
+
+-------------------------------------------------------------------
+Thu Jul 31 11:40:35 CEST 2008 - rhafer@suse.de
+
+- Enable back-config delete support
+
+-------------------------------------------------------------------
+Tue Jul 29 15:32:05 CEST 2008 - rhafer@suse.de
+
+- Update to Version 2.4.11.
Most important changes:
+ * Fixed liblber ber_get_next length decoding (ITS#5580)
+ * Added libldap assertion control (ITS#5560)
+ * Fixed liblutil missing return code (ITS#5615)
+ * Fixed slapd cert serial number parsing (ITS#5588)
+ * Fixed slapd check for structural_class failures (ITS#5540)
+ * Fixed slapd config backend renumbering (ITS#5571)
+ * Fixed slapd configContext OID (ITS#5383)
+ * Fixed slapd crash with no listeners (ITS#5563)
+ * Fixed slapd sets memory leak (ITS#5557)
+ * Fixed slapd sortvals binary search (ITS#5578)
+ * Fixed slapd syncrepl updates with multiple masters (ITS#5597)
+ * Fixed slapd syncrepl superior objectClass delete/add (ITS#5600)
+ * Fixed slapd syncrepl/slapo-syncprov contextCSN updates as internal ops (ITS#5596)
+ * Fixed slapo-memberof replace handling (ITS#5584)
+ * Added slapo-nssov contrib module
+ * Fixed slapo-pcache handling of negative search caches (ITS#5546)
+ * Fixed slapo-ppolicy DNs with whitespaces (ITS#5552)
+ * Fixed slapo-ppolicy modify with internal ops (ITS#5569)
+ * Fixed slapo-syncprov ACL evaluation (ITS#5548)
+ * Fixed slapo-syncprov crash with delcsn (ITS#5589)
+ * Fixed slapo-syncprov full reload (ITS#5564)
+ * Fixed slapo-syncprov missing olcSpReloadHint attr(ITS#5591)
+ * Fixed slapo-unique filter normalization (ITS#5581)
+
+-------------------------------------------------------------------
+Mon Jun 30 16:32:10 CEST 2008 - rhafer@suse.de
+
+- Only apply -fPIE patch to recent Distributions
+- removed -fPIE from the slapcat-2.3 build
+- Adjust BuildRequires for older Distributions
+
+-------------------------------------------------------------------
+
+Fri Jun 27 10:57:53 CEST 2008 - coolo@suse.de
+
+- make sure the subpacks are only in one spec file declared
+
+-------------------------------------------------------------------
+Tue Jun 24 11:08:00 CEST 2008 - rhafer@suse.de
+
+- branched off libldap-2_4-2 package to support the shared library
+ packaging policy
+
+-------------------------------------------------------------------
+Wed Jun 11 13:03:29 CEST 2008 - rhafer@suse.de
+
+- Update to Version 2.4.10. Most important changes:
+ * Fixed libldap ld_defconn cleanup if it was freed (ITS#5518,
+ ITS#5525)
+ * Fixed libldap msgid handling (ITS#5318)
+ * Fixed libldap t61 infinite loop (ITS#5542)
+ * Fixed libldap_r missing stubs (ITS#5519)
+ * Fixed slapd initialization of sr_msgid, rs->sr_tag (ITS#5461)
+ * Fixed slapd missing termination of integerFilter keys
+ (ITS#5503)
+ * Fixed slapd multiple attrs in URI (ITS#5516)
+ * Fixed slapd sasl_ssf retrieval (ITS#5403)
+ * Fixed slapd socket assert (ITS#5489)
+ * Fixed slapd syncrepl cookie (ITS#5536)
+ * Fixed slapd-bdb/hdb MAXPATHLEN (ITS#5531)
+ * Fixed slapd-bdb indexing in single ADD/MOD (ITS#5521)
+ * Fixed slapd-ldap entry_get() op-dependent behavior (ITS#5513)
+ * Fixed slapd-meta quarantine crasher (ITS#5522)
+ * Fixed slapo-refint to allow setting modifiers name (ITS#5505)
+ * Fixed slapo-syncprov contextCSN passing on syncprov consumers
+ (ITS#5488)
+ * Fixed slapo-syncprov csn update with delta-syncrepl (ITS#5493)
+ * Fixed slapo-syncprov op2.o_extra reset (ITS#5501, #5506)
+ * Fixed slapo-syncprov searching wrong backend (ITS#5487)
+ * Fixed slapo-syncprov sending ops without queued CSNs (ITS#5465)
+ * Fixed slapo-syncprov max csn search on startup (ITS#5537)
+ * Fixed slapo-unique config structs (ITS#5526)
+ * Fixed slapo-unique filter terminator (ITS#5511)
+
+-------------------------------------------------------------------
+Fri May 16 13:24:11 CEST 2008 - rhafer@suse.de
+
+- Support update from 2.3 releases (bnc#390247)
+
+-------------------------------------------------------------------
+Thu May 8 08:55:00 CEST 2008 - rhafer@suse.de
+
+- Update to Version 2.4.9.
Most important changes:
+ * Fixed libldap to use unsigned port (ITS#5436)
+ * Fixed libldap error message for missing close paren (ITS#5458)
+ * Fixed libldap_r tpool pause checks (ITS#5364, #5407)
+ * Fixed slapcat error checking (ITS#5387)
+ * Fixed slapd abstract objectClass inheritance check (ITS#5474)
+ * Fixed slapd add operations requiring naming attrs (ITS#5412)
+ * Fixed slapd connection handling (ITS#5469)
+ * Fixed slapd frontendDB backend selection (ITS#5419)
+ * Fixed slapd pagedresults stale state (ITS#5409)
+ * Fixed slapd pointer dereference (ITS#5388)
+ * Fixed slapd null argument dereference (ITS#5435)
+ * Fixed slapd REP_ENTRY flags (ITS#5340)
+ * Fixed slapd value list termination (ITS#5450)
+ * Fixed slapd-bdb ID_NOCACHE handling (ITS#5439)
+ * Fixed slapd-bdb entryinfo state if db_lock fails (ITS#5455)
+ * Fixed slapd-bdb referral rewrite (ITS#5339)
+ * Fixed slapd-config overlay stacking (ITS#5346)
+ * Fixed slapd-config attribute publishing (ITS#5383)
+ * Fixed slapd-ldap connection handler (ITS#5404)
+ * Fixed slapd-ldif file name handling & multi-suffix/dir catch
+ (ITS#5408)
+ * Fixed slapd-meta connections on error (ITS#5440)
+ * Fixed slapd-meta crash on search (ITS#5481)
+ * Various syncrepl fixes (ITS#5407, ITS#5413, ITS#5426, ITS#5430,
+ ITS#5432, ITS#5454, ITS#5397, ITS#5470)
+ * Various slapo-syncprov fixes (ITS#5401, ITS#5405, ITS#5418,
+ ITS#5486, ITS#5433, ITS#5434, ITS#5437, ITS#5444, ITS#5445,
+ ITS#5484, ITS#5451)
+
+-------------------------------------------------------------------
+Fri Apr 25 10:56:18 CEST 2008 - rhafer@suse.de
+
+- Adjust ownership of DB_CONFIG to ldap:ldap (bnc#376204)
+
+-------------------------------------------------------------------
+Thu Apr 10 23:07:30 CEST 2008 - matz@suse.de
+
+- Compile with glibc 2.8.
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Thu Apr 3 14:26:12 CEST 2008 - rhafer@suse.de
+
+- removed apparmor profile
+
+-------------------------------------------------------------------
+Mon Mar 3 08:50:18 CET 2008 - rhafer@suse.de
+
+- revert last change and make libldap_r available again as some
+ packages seem to directly rely on libldap_r. Assume they know
+ of the libldap_r's limitations.
+
+-------------------------------------------------------------------
+Wed Feb 27 11:21:39 CET 2008 - rhafer@suse.de
+
+- Moved libldap_r from -client subpackage to the main server
+ package as it is only meant to be used by slapd.
+- Removed static libldap_r.a library and libldap_r.so link from
+ -devel subpackage. External programs should only use the "normal"
+ libldap library.
+
+-------------------------------------------------------------------
+Wed Feb 20 09:49:30 CET 2008 - rhafer@suse.de
+
+- Update to Version 2.4.8.
Most important changes:
+ * Fixed libldap extended decoding (ITS#5304)
+ * Fixed libldap filter abort (ITS#5300)
+ * Fixed libldap ldap_parse_sasl_bind_result (ITS#5263)
+ * Fixed libldap result codes for open (ITS#5338)
+ * Fixed libldap search timeout crash (ITS#5291)
+ * Fixed libldap paged results crash (ITS#5315)
+ * Fixed slapd support for 2.1 CSN (ITS#5348)
+ * Fixed slapd include handling (ITS#5276)
+ * Fixed slapd modrdn check for valid new DN (ITS#5344)
+ * Fixed slapd multi-step SASL binds (ITS#5298)
+ * Fixed slapd overlay ordering when moving to slapd.d (ITS#5284)
+ * Fixed slapd NULL printf (ITS#5264)
+ * Fixed slapd NULL set values (ITS#5286)
+ * Fixed slapd timestamp race condition (ITS#5370)
+ * Fixed slapd cn=config crash on delete (ITS#5343)
+ * Fixed slapd cn=config global acls (ITS#5352)
+ * Fixed slapd truncated cookie (ITS#5362)
+ * Fixed slapd str2entry with no attrs (ITS#5308)
+ * Fixed slapd TLSVerifyClient default (ITS#5360)
+ * Fixed slapd delta-syncrepl refresh mode (ITS#5376)
+ * Fixed slapd ACL sets URI attrs (ITS#5384)
+ * Fixed slapd invalid entryUUID filter (ITS#5386)
+ * Fixed slapd-bdb idlcache on adds (ITS#5086)
+ * Fixed slapd-bdb crash with modrdn (ITS#5358)
+ * Fixed slapd-bdb modrdn to same dn (ITS#5319)
+ * Fixed slapd-bdb MMR (ITS#5332)
+ * Fixed slapd-meta setting of sm_nvalues (ITS#5375)
+ * Fixed slapd-monitor crash (ITS#5311)
+ * Fixed slapo-ppolicy only password check with policy (ITS#5285)
+ * Fixed slapo-ppolicy del/replace password without new one (ITS#5373)
+ * Fixed slapo-syncprov hang on checkpoint (ITS#5261)
+
+-------------------------------------------------------------------
+Thu Jan 10 15:06:12 CET 2008 - rhafer@suse.de
+
+- Removed bogus debugging output from slapd_getaddrinfo_dupl.dif
+
+-------------------------------------------------------------------
+Wed Jan 9 13:29:33 CET 2008 - rhafer@suse.de
+
+- Fixed allocation for paged results cookie (Bug #352255, ITS#5315)
+
+-------------------------------------------------------------------
+Fri Dec 14 13:53:33 CET 2007 - rhafer@suse.de
+
+- Update to Version 2.4.7. Most important changes:
+ * Added slapd ordered indexing of integer attributes (ITS#5239)
+ * Fixed slapd paged results control handling (ITS#5191)
+ * Fixed slapd sasl-host parsing (ITS#5209)
+ * Fixed slapd filter normalization (ITS#5212)
+ * Fixed slapd multiple suffix checking (ITS#5186)
+ * Fixed slapd paged results handling when using rootdn (ITS#5230)
+ * Fixed slapd syncrepl presentlist handling (ITS#5231)
+ * Fixed slapd core schema 'c' definition for RFC4519 (ITS#5236)
+ * Fixed slapd 3-way Multi-Master Replication (ITS#5238)
+ * Fixed slapd hash collisions in index slots (ITS#5183)
+ * Fixed slapd replication of dSAOperation attributes (ITS#5268)
+ * Fixed slapadd contextCSN updating (ITS#5225)
+ * Fixed slapd-bdb/hdb to report and fail on internal errors (ITS#5232)
+ * Fixed slapd-bdb/hdb dn2entry lock bug (ITS#5257)
+ * Fixed slapd-bdb/hdb dn2id lock bug (ITS#5262)
+ * Fixed slapd-hdb caching on rename ops (ITS#5221)
+ * Fixed slapo-accesslog abandoned op cleanup (ITS#5161)
+ * Fixed slapo-dds deleting from nonexistent db (ITS#5267)
+ * Fixed slapo-memberOf deleted values saving (ITS#5258)
+ * Fixed slapo-pcache op->o_abandon handling (ITS#5187)
+ * Fixed slapo-ppolicy single password check on modify (ITS#5146)
+ * Fixed slapo-ppolicy internal search (ITS#5235)
+ * Fixed slapo-syncprov refresh and persist cookie sending (ITS#5210)
+ * Fixed slapo-syncprov ignore invalid cookies (ITS#5211)
+ * Fixed slapo-translucent interaction with slapo-rwm (ITS#4889)
+
+-------------------------------------------------------------------
+Thu Nov 29 15:43:11 CET 2007 - rhafer@suse.de
+
+- check for duplicates in getaddrinfo results and ignore them.
+ (Bug #288879)
+
+-------------------------------------------------------------------
+Tue Nov 27 13:51:52 CET 2007 - rhafer@suse.de
+
+- The init-script removed directory access on /etc/openldap/slapd.d
+ (Bug #344091)
+
+-------------------------------------------------------------------
+Mon Nov 26 15:56:28 CET 2007 - rhafer@suse.de
+
+- Update to Version 2.4.6. Initial 2.4 release for "general use".
+ New features:
+ * Usability/Manageability:
+ - More complete Documentation (manual pages and Admin Guide)
+ - dynamic configuration and monitoring improvments
+ * More functionality
+ - New overlays (dds, memberof, constraint)
+ - Multimaster syncrepl replication
+ * Performance improvments:
+ - Further optimized frontend
+ - Reduced locking contention in backend
+- back-config support through new sysconfig option
+ "OPENLDAP_CONFIG_BACKEND"
+- Install admin guide from the main tarball, to get rid of the
+ admin-guide tarball
+- New sysconfig options:
+ * OPENLDAP_START_LDAP to allow to disable the ldap:// listener
+ * OPENLDAP_LDAPI_INTERFACES to specify the paths for the ldapi:///
+ listeners
+
+-------------------------------------------------------------------
+Mon Oct 29 16:59:18 CET 2007 - rhafer@suse.de
+
+- Update to Version 2.3.39.
Most important changes:
+ * Fixed slapd database/overlay config conflict (ITS#4848)
+ * Fixed slapd password_hash config order (ITS#5082)
+ * Fixed slapd slap_mods_check bug (ITS#5119)
+ * Fixed slapd ACL sets memory handling (ITS#4860,ITS#4873)
+ * Fixed slapd ordered values add normalization issue (ITS#5136)
+ * Fixed slapd-bdb DB_CONFIG conversion bug (ITS#5118)
+ * Fixed slapd-ldap search control parsing (ITS#5138)
+ * Fixed slapd-ldap SASL idassert w/o authcId
+ * Fixed slapd-ldif directory separators in DN (ITS#5172)
+ * Fixed slapd-meta conn caching on bind failure (ITS#5154)
+ * Fixed slapd-meta bind timeout assertion (ITS#5185)
+ * Fixed slapd-sql concurrency issue (ITS#5095)
+ * Fixed slapo-chain double-free (ITS#5137)
+ * Fixed slapo-pcache and -rwm interaction fix (ITS#4991)
+ * Fixed slapo-pcache non-null terminated array crasher (ITS#5163)
+ * Fixed slapo-rwm modlist handling (ITS#5124)
+ * Fixed slapo-rwm UUID in filter (ITS#5168)
+ * Fixed sasl SASL_SSF_EXTERNAL type (ITS#3864)
+ * Fixed liblber Windows x64 portability (ITS#5105)
+ * Fixed libldap ppolicy control creation (ITS#5103)
+- Silenced some rpmlint warnings
+
+------------------------------------------------------------------
+Wed Aug 22 13:56:25 CEST 2007 - rhafer@suse.de
+
+- Call "ldconfig" from %post and %postun in openldap2-client
+ (Bug #298297)
+
+-------------------------------------------------------------------
+Tue Jul 24 15:19:05 CEST 2007 - rhafer@suse.de
+
+- Update to Version 2.3.37.
Most important changes:
+ * Fixed slapd-glue/syncprov interaction (ITS#4623)
+ * Fixed slapd-ldap search reference crash (ITS#5025)
+ * Fixed slapd-ldbm crash on Compare op (ITS#5044)
+ * Fixed slapo-rwm searchFilter double free (ITS#5043)
+- Most important changes in 2.3.36:
+ * Fixed slapd mutex bug after failed startup (ITS#4957)
+ * Fixed slapd sasl failed Bind bug (ITS#4954)
+ * Fixed slapd sasl ssf logging (ITS#5001)
+ * Fixed slapd tool op init (ITS#4911)
+ * Fixed slapd-bdb no-op crasher (ITS#4925)
+ * Fixed slapd-relay crash when no database can be selected (ITS#4958)
+ * Fixed slapo-chain RFC3062 passwd exop handling (ITS#4964)
+ * Fixed slapo-dynlist multiple group/url[/member] config (ITS#4989)
+ * Fixed slapo-pcache handling of abandoned Operations (#5015)
+ * Fixed slapo-pcache and -rwm interaction (ITS#4991)
+ * Fixed slapo-ppolicy pwdReset/pwdMinAge (ITS#4970)
+ * Fixed slapo-ppolicy control cleanup from ITS#4665
+ * Fixed slapo-syncprov cookie parsing error (ITS#4977)
+ * Fixed slapo-valsort crash on delete op (ITS#4966)
+ * Fixed libldap referral chasing loop (ITS#4955)
+ * Fixed libldap response code handling on rebind (ITS#4924)
+ * Fixed libldap SASL_MAX_BUFF_SIZE (ITS#4935)
+
+-------------------------------------------------------------------
+Thu Jun 14 00:01:58 CEST 2007 - dmueller@suse.de
+
+- remove binutils prereq
+
+-------------------------------------------------------------------
+Mon May 21 12:19:45 CEST 2007 - dmueller@suse.de
+
+- reduce duplicated buildrequires against db42 and db45
+
+-------------------------------------------------------------------
+Tue May 15 15:50:11 CEST 2007 - rhafer@suse.de
+
+- imported apparmor profile from apparmor (this profile is not
+ enabled by default)
+
+-------------------------------------------------------------------
+Fri May 4 14:00:39 CEST 2007 - rhafer@suse.de
+
+- Update to Version 2.3.35.
Most important changes:
+ * Fixed ldapmodify to use correct memory free functions (ITS#4901)
+ * Fixed slapd acl set minor typo (ITS#4874)
+ * Fixed slapd entry consistency check in str2entry2 (ITS#4852)
+ * Fixed slapd ldapi:// credential issue (ITS#4893)
+ * Fixed slapd str2anlist handling of undefined attrs/OCs (ITS#4854)
+ * Fixed slapd syncrepl delta-sync modlist free (ITS#4904)
+ * Added slapd syncrepl retry logging (ITS#4915)
+ * Fixed slapd zero-length IA5string handling (ITS#4823)
+ * Fixed slapd-bdb/hdb startup with missing shm env (ITS#4851)
+ * Fixed slapd-ldap/meta consistency in referral proxying (ITS#4861)
+ * Fixed slapd-ldap bind cleanup in case of unauthorized idassert
+ * Fixed slapd-meta search cleanup
+ * Fixed slapd-meta/slapo-rwm filter mapping
+ * Fixed slapd-sql subtree shortcut (ITS#4856)
+ * Fixed slapo-dynlist crasher (ITS#4891)
+ * Fixed slapo-refint config message (ITS#4853)
+ * Fixed libldap time_t signedness (ITS#4872)
+ * Fixed libldap_r tpool reset (ITS#4855,#4899)
+
+-------------------------------------------------------------------
+Wed May 2 14:05:05 CEST 2007 - dmueller@suse.de
+
+- Fix comparison with string literal
+
+-------------------------------------------------------------------
+Wed Apr 18 15:16:43 CEST 2007 - schwab@suse.de
+
+- Fix generation of debuginfo packages.
+
+-------------------------------------------------------------------
+Tue Mar 20 17:08:37 CET 2007 - rguenther@suse.de
+
+- removed krb5-devel BuildRequires (support via cyrus-sasl)
+
+-------------------------------------------------------------------
+Thu Mar 15 14:29:22 CET 2007 - rhafer@suse.de
+
+- added Service definitions for SuSEfirewall2 (Bug #251654)
+
+-------------------------------------------------------------------
+Thu Feb 22 16:50:18 CET 2007 - rhafer@suse.de
+
+- Updated to Version 2.3.34.
Most important changes:
+ * Fixed libldap missing get_option(TLS CipherSuite) (ITS#4815)
+ * Fixed ldapmodify printing error from ldap_result() (ITS#4812)
+ * Fixed slapadd LDIF parsing (ITS#4817)
+ * Fixed slapd libltdl link ordering (ITS#4830)
+ * Fixed slapd syncrepl memory leaks (ITS#4805)
+ * Fixed slapd dynacl/ACI compatibility with 2.1
+ * Fixed slapd-bdb/hdb be_entry_get with aliases/referrals
+ (ITS#4810)
+ * Fixed slapd-ldap more response handling bugs (ITS#4782)
+ * Fixed slapd-ldap C-API code tests (ITS#4808)
+ * Fixed slapd-monitor NULL printf (ITS#4811)
+ * Fixed slapo-chain spurious additional info in response
+ (ITS#4828)
+ * Fixed slapo-syncprov presence list (ITS#4813)
+ * Fixed slapo-syncprov contextCSN checkpoint again (ITS#4720)
+ * Added slapo-ppolicy cn=config support (ITS#4836)
+ * Added slapo-auditlog cn=config support
+
+-------------------------------------------------------------------
+Fri Jan 26 14:26:51 CET 2007 - rhafer@suse.de
+
+- Updated to Version 2.3.33. Most important changes:
+ * Fixed slapd-ldap chase-referrals switch (ITS#4557)
+ * Fixed slapd-ldap bind behavior when idassert is always used
+ (ITS#4781)
+ * Fixed slapd-ldap response handling bugs (ITS#4782)
+ * Fixed slapd-ldap idassert mode=self anonymous ops (ITS#4798)
+ * Fixed slapd-ldap/meta privileged connections handling
+ (ITS#4791)
+ * Fixed slapd-meta retrying (ITS#4594, 4762)
+ * Fixed slapo-chain referral DN use (ITS#4776)
+ * Fixed slapo-dynlist dangling pointer after entry free
+ (ITS#4801)
+ * Fixed libldap ldap_pvt_put_filter syntax checks (ITS#4648)
+
+-------------------------------------------------------------------
+Fri Jan 12 11:04:22 CET 2007 - rhafer@suse.de
+
+- Updated to Version 2.3.32.
Most important changes:
+ * Fixed libldap unchased referral leak (ITS#4545)
+ * Fixed libldap tls callback (ITS#4723)
+ * Fixed slapd memleak on failed bind (ITS#4771)
+ * Fixed slapd connections_shutdown assert
+ * Fixed slapd add redundant duplicate value check (ITS#4600)
+ * Fixed slapd ACL set memleak (ITS#4780)
+ * Fixed slapd syncrepl shutdown hang (ITS#4790)
+
+-------------------------------------------------------------------
+Fri Nov 17 10:25:44 CET 2006 - rhafer@suse.de
+
+- Fix for a flaw in libldap's strval2strlen() function when processing the
+ authcid string of certain Bind Requests, which could allow attackers to
+ cause an affected application to crash (especially the OpenLDAP Server),
+ creating a denial of service condition (Bug#221154,ITS#4740)
+
+-------------------------------------------------------------------
+Tue Nov 14 16:18:34 CET 2006 - rhafer@suse.de
+
+- Additional back-perl fixes from CVS. The first revision of the
+ patch did not fix the problem completely (Bug#207618, ITS#4751)
+
+-------------------------------------------------------------------
+Fri Oct 27 16:46:43 CEST 2006 - rhafer@suse.de
+
+- cyrus-sasl configuration moved from %{_libdir}/sasl2 to
+ /etc/sasl2/ (Bug: #206414)
+
+-------------------------------------------------------------------
+Wed Oct 4 15:56:11 CEST 2006 - rhafer@suse.de
+
+- Add $network to Should-Start/Should-Stop in init scripts
+ (Bug: #206823)
+- Imported latest back-perl changes from CVS, to fix back-perl
+ initialization (Bug: #207618)
+
+-------------------------------------------------------------------
+Tue Aug 22 16:27:25 CEST 2006 - rhafer@suse.de
+
+- Updated to Version 2.3.27
+ * Fixed libldap dnssrv bug with "not present" positive statement
+ (ITS#4610)
+ * Fixed libldap dangling pointer issue (ITS#4405)
+ * Fixed slapd incorrect rebuilding of replica URI (ITS#4633)
+ * Fixed slapd DN X.509 normalization crash (ITS#4644)
+ * Fixed slapd-monitor operations order via callbacks (ITS#4631)
+
* Fixed slapo-accesslog purge task during shutdown + * Fixed slapo-ppolicy handling of default policy (ITS#4634) + * Fixed slapo-ppolicy logging verbosity when using default policy + * Fixed slapo-syncprov incomplete sync on restart issues (ITS#4622) + +------------------------------------------------------------------- +Wed Aug 2 11:08:23 CEST 2006 - rhafer@suse.de + +- Updated to Version 2.3.25 + * Add libldap_r TLS concurrency workaround (ITS#4583) + * Fixed slapd acl selfwrite bug (ITS#4587) + * Fixed various syncrepl and slapo-syncprov bugs (ITS#4582, 4622, + 4534,4613, 4589) + * Fixed slapd-bdb/hdb lock bug with virtual root (ITS#4572) + * Fixed slapd-bdb/hdb modrdn new entry disappearing bug (ITS#4616) + * Fixed slapd-bdb/hdb cache job issue + * Fixed slapo-ppolicy password hashing bug (ITS#4575) + * Fixed slapo-ppolicy password modify pwdMustChange reset bug (ITS#4576) + * Fixed slapo-ppolicy control can be critical (ITS#4596) +- Enabled CLDAP (LDAP over UDP) support + +------------------------------------------------------------------ +Mon Jun 26 16:36:16 CEST 2006 - rhafer@suse.de + +- Updated to Version 2.3.24 + * Fixed slapd syncrepl timestamp bug (delta-sync/cascade) + (ITS#4567) + * Fixed slapd-bdb/hdb non-root users adding suffix/root entries + (ITS#4552) + * Re-fixed slapd-ldap improper free bug in exop (ITS#4550) + * Fixed slapd-ldif assert bug (ITS#4568) + * Fixed slapo-syncprov crash under glued database (ITS#4562) +- cleaned up SLES10 update specific stuff +- added "chain-return-error" feature from HEAD to chain overlay + (ITS#4570) + +------------------------------------------------------------------- +Thu Jun 22 14:46:58 CEST 2006 - schwab@suse.de + +- Don't use automake macros without using automake. 
+ +------------------------------------------------------------------- +Wed May 24 09:52:03 CEST 2006 - rhafer@suse.de + +- Updated to Version 2.3.23 + * obsoletes the patches: libldap_ads-sasl-gssapi.dif, + slapd-epollerr.dif + * Fixed slapd-ldap improper free bug (ITS#4550) + * Fixed libldap referral input destroy issue (ITS#4533) + * Fixed libldap ldap_sort_entries tail bug (ITS#4536) + * Fixed slapd runqueue use of freed memory (ITS#4517) + * Fixed slapd thread pool init issue (ITS#4513) + * Fixed slapd-bdb/hdb pre/post-read freeing (ITS#4532) + * Fixed slapd-bdb/hdb pre/post-read unavailable issue (ITS#4538) + * Fixed slapd-bdb/hdb referral issue (ITS#4548) + * Fixed slapo-ppolicy BER tags issue (ITS#4528) + * Fixed slapo-ppolicy rebind bug (ITS#4516) + * For more details see the CHANGES file +- Install CHANGES file to /usr/share/doc/packages/openldap2 + +------------------------------------------------------------------- +Wed May 10 10:20:16 CEST 2006 - rhafer@suse.de + +- Really apply the patch for Bug#160566 +- slapd could crash while processing queries with pre-/postread + controls (Bug#173877, ITS#4532) + +------------------------------------------------------------------- +Fri Mar 24 13:48:52 CET 2006 - rhafer@suse.de + +- Backported fix from CVS for occasional crashes in referral + chasing code (as used in e.g. back-meta/back-ldap). 
+ (Bug: #160566, ITS: #4448) + +------------------------------------------------------------------- +Mon Mar 13 16:23:32 CET 2006 - rhafer@suse.de + +- openldap2 must obsolete -back-monitor and -back-ldap to have them + removed during update (Bug: #157576) + +------------------------------------------------------------------- +Fri Feb 17 12:58:13 CET 2006 - rhafer@suse.de + +- Add "external" to the list of supported SASL mechanisms + (Bug: #151771) + +------------------------------------------------------------------- +Thu Feb 16 11:45:20 CET 2006 - rhafer@suse.de + +- Error out when conversion from old configfile to config database + fails (Bug: #135484,#135490 ITS: #4407) + +------------------------------------------------------------------- +Mon Feb 13 14:45:43 CET 2006 - rhafer@suse.de + +- Don't ignore non-read/write epoll events (Bug: #149993, + ITS: #4395) +- Added update message to /usr/share/update-messages/en/ and enable + it, when update did not succeed. + +------------------------------------------------------------------- +Thu Feb 9 11:43:56 CET 2006 - rhafer@suse.de + +- OPENLDAP_CHOWN_DIRS honors databases defined in include files + (Bug: #135473) +- Fixed version numbers in README.update +- Fixed GSSAPI binds against Active Directory (Bug: #149390) + +------------------------------------------------------------------- +Fri Feb 3 11:32:27 CET 2006 - rhafer@suse.de + +- Cleaned up update procedure +- man-pages updates and fixes (Fate: #6365) + +------------------------------------------------------------------- +Fri Jan 27 09:15:33 CET 2006 - rhafer@suse.de + +- Updated to 2.3.19 (Bug #144371) + +------------------------------------------------------------------- +Fri Jan 27 02:16:56 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Jan 25 18:17:51 CET 2006 - rhafer@suse.de + +- Updated Admin Guide to latest version +- build slapcat from openldap-2.2.24 and 
install it to + /usr/sbin/openldap-2.2-slapcat to be able to migrate from + OpenLDAP 2.2. +- removed slapd-backbdb-dbupgrade which is no longer needed +- attempt to dump/reload bdb databases in %{post} +- Update notes in README.update + +------------------------------------------------------------------- +Fri Jan 13 10:36:44 CET 2006 - rhafer@suse.de + +- New sysconfig variable OPENLDAP_KRB5_KEYTAB +- Cleanup in default configuration and init scripts + +------------------------------------------------------------------- +Wed Jan 11 10:13:52 CET 2006 - rhafer@suse.de + +- Updated to 2.3.17 +- Remove OPENLDAP_RUN_DB_RECOVER from sysconfig file in %post + slapd does now automatically recover the database if needed +- Removed unneeded README.SuSE +- Small adjustments to the default DB_CONFIG file + +------------------------------------------------------------------- +Mon Jan 9 11:48:10 CET 2006 - rhafer@suse.de + +- Updated to 2.3.16 + +------------------------------------------------------------------- +Mon Dec 19 13:55:35 CET 2005 - rhafer@suse.de + +- Fixed filelist (slapd-hdb man-page was missing) + +------------------------------------------------------------------- +Fri Dec 9 10:04:28 CET 2005 - rhafer@suse.de + +- Fixed build on x86_64 + +------------------------------------------------------------------- +Wed Dec 7 10:48:57 CET 2005 - rhafer@suse.de + +- Merged -back-ldap and -back-monitor subpackages into the main + package and don't build them as dynamic modules anymore. 
+- updated to OpenLDAP 2.3.13 + +------------------------------------------------------------------- +Mon Nov 28 16:56:21 CET 2005 - rhafer@suse.de + +- updated to OpenLDAP 2.3.12 + +------------------------------------------------------------------- +Wed Oct 26 11:34:24 CEST 2005 - rhafer@suse.de + +- updated to OpenLDAP 2.3.11 +- removed the "LDAP_DEPRECATED" workaround + +------------------------------------------------------------------- +Mon Sep 26 09:51:11 CEST 2005 - rhafer@suse.de + +- Add "LDAP_DEPRECATED" to ldap.h for now + +------------------------------------------------------------------- +Fri Sep 23 14:41:14 CEST 2005 - rhafer@suse.de + +- updated to OpenLDAP 2.3.7 + +------------------------------------------------------------------- +Tue Aug 16 14:08:49 CEST 2005 - rhafer@suse.de + +- allow start_tls while chasing referrals (Bug #94355, ITS #3791) + +------------------------------------------------------------------- +Mon Jul 4 11:42:08 CEST 2005 - rhafer@suse.de + +- devel-subpackage requires openldap2-client of the same version + (Bugzilla: #93579) + +------------------------------------------------------------------- +Thu Jun 30 17:55:22 CEST 2005 - uli@suse.de + +- build with -fPIE (not -fpie) to avoid GOT overflow on s390* + +------------------------------------------------------------------- +Wed Jun 22 16:26:42 CEST 2005 - rhafer@suse.de + +- build the server packages with -fpie/-pie + +------------------------------------------------------------------- +Wed Jun 15 16:43:25 CEST 2005 - rhafer@suse.de + +- updated to 2.2.27 + +------------------------------------------------------------------- +Wed May 25 13:58:57 CEST 2005 - rhafer@suse.de + +- libldap-gethostbyname_r.dif: Use gethostbyname_r instead of + gethostbyname in libldap. 
Should fix host lookups through + nss_ldap (Bugzilla: #76173) + +------------------------------------------------------------------- +Fri May 13 12:27:05 CEST 2005 - rhafer@suse.de + +- Updated to 2.2.26 +- made /%{_libdir}]/sasl2/slapd.conf %config(noreplace) + +------------------------------------------------------------------- +Thu Apr 28 09:42:30 CEST 2005 - rhafer@suse.de + +- Added /%{_libdir}]/sasl2/slapd.conf to avoid warnings about + unconfigured OTP mechanism (Bugzilla: #80588) + +------------------------------------------------------------------- +Tue Apr 12 15:02:24 CEST 2005 - rhafer@suse.de + +- added minimal timeout to startproc in init-script to let it + report the "failed" status correctly in case of misconfiguration + (Bugzilla: #76393) + +------------------------------------------------------------------- +Mon Apr 4 16:41:32 CEST 2005 - rhafer@suse.de + +- crl-check.dif: Implements CRL checking on client and server side +- use different base ports for differnt values of BUILD_INCARNATION + (/.buildenv) to allow parallel runs of the test-suite on a single + machine + +------------------------------------------------------------------- +Mon Apr 4 15:33:19 CEST 2005 - uli@suse.de + +- force yielding-select test to yes (test occasionally hangs QEMU) + +------------------------------------------------------------------- +Fri Apr 1 13:16:49 CEST 2005 - uli@suse.de + +- disable test suite on ARM (hangs QEMU) + +------------------------------------------------------------------- +Tue Mar 29 14:21:50 CEST 2005 - rhafer@suse.de + +- updated to 2.2.24 +- enabled back-hdb + +------------------------------------------------------------------- +Wed Mar 2 13:44:23 CET 2005 - rhafer@suse.de + +- syncrepl.dif: merged latest syncrepl fixes (Bugzilla: #65928) +- libldap-reinit-fdset.dif: Re-init fd_sets when select is + interupted (Bugzilla #50076, ITS: #3524) + +------------------------------------------------------------------- +Thu Feb 17 14:28:02 CET 2005 - 
rhafer@suse.de + +- checkproc_before_recover.dif: Check if slapd is stopped before + running db_recover from the init script. (Bugzilla: #50962) + +------------------------------------------------------------------- +Tue Feb 1 14:30:13 CET 2005 - rhafer@suse.de + +- Cleanup back-bdb databases in %post, db-4.3 changed the + transaction log format again. +- cosmetic fixes in init script + +------------------------------------------------------------------- +Tue Jan 25 15:57:55 CET 2005 - rhafer@suse.de + +- updated to 2.2.23 +- cleaned up #neededforbuild +- package should also build on older SuSE Linux releases now +- increased killproc timeout in init-script (Bugzilla: #47227) + +------------------------------------------------------------------- +Thu Jan 13 15:09:28 CET 2005 - rhafer@suse.de + +- updated to 2.2.20 +- Removed unneeded dependencies + +------------------------------------------------------------------- +Fri Dec 10 12:58:58 CET 2004 - kukuk@suse.de + +- don't install *.la files + +------------------------------------------------------------------- +Wed Nov 10 16:38:10 CET 2004 - rhafer@suse.de + +- updated to 2.2.18 +- use kerberos-devel-packages in neededforbuild + +------------------------------------------------------------------- +Fri Sep 24 17:55:10 CEST 2004 - ro@suse.de + +- re-arranged specfile to sequence (header (package/descr)* rest) + so the checking parser is not confused ... + +------------------------------------------------------------------- +Fri Sep 24 13:59:40 CEST 2004 - rhafer@suse.de + +- Added pre_checkin.sh to generate a separate openldap2-client + spec-file from which the openldap2-client and openldap2-devel + subpackages are built. Should reduce build time for libldap as + the test-suite is only executed in openldap2.spec. 
+ +------------------------------------------------------------------- +Fri Sep 10 13:24:44 CEST 2004 - rhafer@suse.de + +- libldap-result.dif: ldapsearch was hanging in select() when + retrieving results from eDirectory through a StartTLS protected + connection (Bugzilla #44942) + +------------------------------------------------------------------- +Mon Aug 9 23:43:18 CEST 2004 - dobey@suse.de + +- added ntlm support + +------------------------------------------------------------------- +Tue Aug 3 14:48:25 CEST 2004 - rhafer@suse.de + +- updated to 2.2.16 +- Updated ACLs in slapd_conf.dif to disable default read access + to the "userPKCS12" Attribute +- rc-check-conn.diff: When starting slapd wait until is accepts + connections, or 10 seconds at maximum (Bugzilla #41354) +- Backported -o slp={on|off} feature from OpenLDAP Head and added + new sysconfig variable (OPENLDAP_REGISTER_SLP) to be able + to switch SLP registration on and off. (Bugzilla #39865) +- removed unneeded README.update + +------------------------------------------------------------------- +Fri Apr 30 16:46:50 CEST 2004 - rhafer@suse.de + +- updated to 2.2.11 +- remove SLES8 update specific stuff +- Bugzilla #39652: Updated slapd_conf.dif to contain basic access + control +- Bugzilla #39468: Added missing items to yast.schema +- fixed strict-aliasing compiler warnings (strict-aliasing.dif) + +------------------------------------------------------------------- +Thu Apr 29 15:13:31 CEST 2004 - coolo@suse.de + +- build with several jobs if available + +------------------------------------------------------------------- +Mon Apr 19 12:13:41 CEST 2004 - rhafer@suse.de + +- ldapi_url.dif: Fixed paths for LDAPI-socket, pid-file and + args-file (Bugzilla #38790) +- ldbm_modrdn.dif: Fixed back-ldbm modrdn indexing bug (ITS #3059, + Bugzilla #38915) +- modify_check_duplicates.dif: check for duplicate attribute + values in modify requests (ITS #3066/#3097, Bugzilla #38607) +- updated and renamed 
yast2userconfig.schema to yast.schema as it + contains more that only user configuration now +- syncrepl.dif: addtional fixes for syncrepl (ITS #3055, #3056) +- test_syncrepl_timeout: increased sleep timeout in syncrepl + testsuite + +------------------------------------------------------------------- +Thu Apr 1 15:05:15 CEST 2004 - rhafer@suse.de + +- added "TLS_REQCERT allow" to /etc/openldap/ldap.conf, to make + START_TLS work without access to the CA Certificate. + (Bugzilla: #37393) + +------------------------------------------------------------------- +Fri Mar 26 15:30:12 CET 2004 - rhafer@suse.de + +- fixed filelist +- check-build.sh (build on kernel >= 2.6.4 hosts only) +- yast2user.schema / slapd.conf fixed (#37076) +- don't check for TLS-options is init-script anymore (#33560) +- fixed various typos in README.update + +------------------------------------------------------------------- +Wed Mar 17 13:21:45 CET 2004 - rhafer@suse.de + +- fixed build of openldap-2.1-slapcat (using correct db41 include + files, build backends as on sles8) +- attempt to update bdb database and reindex ldbm database in %{post} +- Update notes in README.update +- better default configuration (including default DB_CONFIG file) +- misc updates for the YaST schema +- fixed crasher in syncrepl-code (syncrepl.dif) + +------------------------------------------------------------------- +Tue Mar 16 16:15:49 CET 2004 - schwab@suse.de + +- Fix type mismatch. 
+ +------------------------------------------------------------------- +Tue Mar 2 19:50:18 CET 2004 - rhafer@suse.de + +- updated to 2.2.6 +- build a openldap-2.1-slapcat from 2.1.25 sources to be able to + migrate from SLES8 and SL 9.0 + +------------------------------------------------------------------- +Thu Feb 19 17:25:12 CET 2004 - ro@suse.de + +- added check-build.sh (build on 2.6 hosts only) + +------------------------------------------------------------------- +Thu Feb 5 17:38:52 CET 2004 - rhafer@suse.de + +- updated to 2.2.5 +- adjusted rfc2307bis.schema to support UTF-8 values in most + attributes +- enabled proxycache-overlay (wiht fix to work with back-ldbm) + +------------------------------------------------------------------- +Tue Jan 13 11:31:03 CET 2004 - rhafer@suse.de + +- updated to 2.2.4 +- updated Admin Guide to most recent version + +------------------------------------------------------------------- +Sat Jan 10 10:19:26 CET 2004 - adrian@suse.de + +- add %defattr +- fix build as user + +------------------------------------------------------------------- +Mon Dec 8 16:46:03 CET 2003 - rhafer@suse.de + +- updated to 2.1.25 +- small fixes for the YaST user schema + +------------------------------------------------------------------- +Tue Nov 11 15:20:05 CET 2003 - rhafer@suse.de + +- enabled SLP-support + +------------------------------------------------------------------- +Fri Oct 17 22:14:24 CEST 2003 - kukuk@suse.de + +- Remove unused des from neededforbuild + +------------------------------------------------------------------- +Tue Sep 2 16:04:05 CEST 2003 - mt@suse.de + +- Bugzilla #29859: fixed typo in sysconfig metadata, + usage of OPENLDAP_LDAPS_INTERFACES in init script +- added /usr/lib/sasl2/slapd.conf permissions handling +- added sysconfig variable OPENLDAP_SLAPD_PARAMS="" + to support additional slapd start parameters +- added sysconfig variable OPENLDAP_START_LDAPI=NO/yes + for ldapi:/// (LDAP over IPC) URLs + 
+------------------------------------------------------------------- +Thu Aug 14 17:12:35 CEST 2003 - rhafer@suse.de + +- added activation metadata to sysconfig template (Bugzilla #28911) +- removed lint from specfile + +------------------------------------------------------------------- +Thu Aug 7 18:37:16 CEST 2003 - rhafer@suse.de + +- added %stop_on_removal and %restart_on_update calls +- bdb_addcnt.dif fixes a possible endless loop in id2entry() +- addonschema.tar.gz: some extra Schema files (YaST, RFC2307bis) + +------------------------------------------------------------------- +Wed Jul 16 19:27:39 CEST 2003 - rhafer@suse.de + +- removed fillup_only and call fillup_and_insserv correctly +- new Options in sysconfig.openldap: OPENLDAP_LDAP_INTERFACES, + OPENLDAP_LDAPS_INTERFACES and OPENLDAP_RUN_DB_RECOVER + +------------------------------------------------------------------- +Tue Jul 1 15:42:03 CEST 2003 - rhafer@suse.de + +- updated to 2.1.22 +- updated Admin Guide to most recent version +- build librewrite with -fPIC + +------------------------------------------------------------------- +Mon Jun 16 16:29:03 CEST 2003 - rhafer@suse.de + +- updated to 2.1.21 + +------------------------------------------------------------------- +Wed Jun 11 17:08:11 CEST 2003 - ro@suse.de + +- fixed requires lines + +------------------------------------------------------------------- +Mon May 26 16:00:43 CEST 2003 - rhafer@suse.de + +- don't link back-ldap against librewrite.a, it's already linked + into slapd (package should build on non-i386 Archs again) + +------------------------------------------------------------------- +Fri May 23 14:35:49 CEST 2003 - rhafer@suse.de + +- fixed dynamic build of back-ldap +- new subpackage back-ldap + +------------------------------------------------------------------- +Tue May 20 11:04:50 CEST 2003 - rhafer@suse.de + +- updated to version 2.1.20 +- enabled dynamic backend modules +- new subpackages back-perl, back-meta and back-monitor 
+- remove unpacked files from BuildRoot + +------------------------------------------------------------------- +Fri May 9 14:23:45 CEST 2003 - rhafer@suse.de + +- updated to version 2.1.19 + +------------------------------------------------------------------- +Wed Apr 16 00:34:31 CEST 2003 - ro@suse.de + +- fixed requires for devel-package ... + +------------------------------------------------------------------- +Tue Apr 15 10:18:11 CEST 2003 - ro@suse.de + +- fixed neededforbuild + +------------------------------------------------------------------- +Thu Feb 13 12:13:23 CET 2003 - kukuk@suse.de + +- Enable IPv6 again + +------------------------------------------------------------------- +Tue Feb 11 19:02:14 CET 2003 - rhafer@suse.de + +- added /etc/openldap to filelist + +------------------------------------------------------------------- +Mon Feb 3 16:42:47 CET 2003 - rhafer@suse.de + +- switch default backend to ldbm + +------------------------------------------------------------------- +Sun Feb 2 23:58:34 CET 2003 - ro@suse.de + +- fixed requires for devel package (cyrus-sasl2-devel) + +------------------------------------------------------------------- +Fri Jan 31 08:58:39 CET 2003 - rhafer@suse.de + +- liblber.dif: Fixes two bugs in liblber by which remote attackers + could crash the LDAP server (Bugzilla #22469, OpenLDAP ITS #2275 + and #2280) + +------------------------------------------------------------------- +Tue Jan 14 11:53:11 CET 2003 - choeger@suse.de + +- build using sasl2 + +------------------------------------------------------------------- +Mon Jan 13 12:23:31 CET 2003 - rhafer@suse.de + +- updated to version 2.1.12 +- added metadata to sysconfig template (Bug: #22666) + +------------------------------------------------------------------- +Thu Nov 28 14:42:06 CET 2002 - rhafer@suse.de + +- updated to version 2.1.8 +- added additional fix of 64bit archs +- added secpatch.dif to fix setuid issues in libldap + 
+------------------------------------------------------------------- +Fri Sep 6 11:11:07 CEST 2002 - rhafer@suse.de + +- fix for Bugzilla ID #18981, chown to OPENLDAP_USER didn't work + with multiple database backend directories + +------------------------------------------------------------------- +Mon Sep 2 18:02:03 CEST 2002 - rhafer@suse.de + +- removed damoenstart_ipv6.diff and disabled IPv6 support due to + massive problems with nss_ldap + +------------------------------------------------------------------- +Mon Aug 26 19:37:32 CEST 2002 - rhafer@suse.de + +- ldap_user.dif: slapd is now run a the user/group ldap (Bugzilla + ID#17697) + +------------------------------------------------------------------- +Fri Aug 23 13:54:15 CEST 2002 - rhafer@suse.de + +- updated to version 2.1.4, which fixes tons of bugs +- added damoenstart_ipv6.diff (slapd was not starting when + configured to listen on IPv4 and IPv6 interfaces, as done by the + start script) +- added README.SuSE with some hints about the bdb-backend +- updated filelist to include only the man pages of the backends, + that were built + +------------------------------------------------------------------- +Thu Aug 15 15:56:09 CEST 2002 - rhafer@suse.de + +- removed termcap and readline from neededforbuild + +------------------------------------------------------------------- +Thu Aug 8 11:21:36 CEST 2002 - rhafer@suse.de + +- enabled {CRYPT} passwords +- update filelist (added new manpages) + +------------------------------------------------------------------- +Thu Jul 25 15:58:03 CEST 2002 - rhafer@suse.de + +- patches for 64 bit architectures + +------------------------------------------------------------------- +Fri Jul 19 11:28:28 CEST 2002 - rhafer@suse.de + +- update to 2.1.3 + +------------------------------------------------------------------- +Fri Jul 5 13:26:17 CEST 2002 - kukuk@suse.de + +- fix openldap2-devel requires + +------------------------------------------------------------------- +Thu Jul 
4 10:29:03 CEST 2002 - rhafer@suse.de + +- switched back from cyrus-sasl2 to cyrus-sasl + +------------------------------------------------------------------- +Wed Jul 3 13:30:23 CEST 2002 - rhafer@suse.de + +- updated to OpenLDAP 2.1.2 +- added the OpenLDAP Administration Guide +- enabled additional backends (ldap, meta, monitor) + +------------------------------------------------------------------- +Mon Jun 10 21:59:35 CEST 2002 - olh@suse.de + +- hack build/ltconfig to build shared libs on ppc64 + +------------------------------------------------------------------- +Wed Jun 5 18:25:51 CEST 2002 - rhafer@suse.de + +- created /etc/sysconfig/openldap and OPENLDAP_START_LDAPS variable + to enable ldap over ssl support + +------------------------------------------------------------------- +Thu Mar 7 16:27:15 CET 2002 - rhafer@suse.de + +- Fix for Bugzilla ID#14569 (added cyrus-sasl-devel openssl-devel + to the "Requires" Section of the -devel subpackage) + +------------------------------------------------------------------- +Mon Feb 18 13:06:10 CET 2002 - rhafer@suse.de + +- updated to the latest STABLE release (2.0.23) which fixes some + nasty bugs see ITS #1562,#1582,#1577,#1578 + +------------------------------------------------------------------- +Thu Feb 7 14:13:25 CET 2002 - rhafer@suse.de + +- updated to the latest release (which fixes a index corruption + bug) +- cleanup in neededforbuild +- small fixes for the init-scripts + +------------------------------------------------------------------- +Thu Jan 17 13:51:28 CET 2002 - rhafer@suse.de + +- updated to the latest stable release (2.0.21) + +------------------------------------------------------------------- +Wed Jan 16 18:36:12 CET 2002 - egmont@suselinux.hu + +- removed periods and colons from startup/shutdown messages + +------------------------------------------------------------------- +Tue Jan 15 15:31:09 CET 2002 - rhafer@suse.de + +- updated to v2.0.20 (which fixes a security hole in ACL + 
processing) + +------------------------------------------------------------------- +Fri Jan 11 15:54:51 CET 2002 - rhafer@suse.de + +- converted archive to bzip2 +- makes use of %{_libdir} now +- set CFLAGS to -O0 for archs ia64, s390(x) and alpha otherwise + the test suite fails on these archs +- changed slapd.conf to store the database under /var/lib/ldap + (this patch was missing in the last versions by accident) + +------------------------------------------------------------------- +Mon Jan 7 16:41:32 CET 2002 - rhafer@suse.de + +- update to v2.0.19 + +------------------------------------------------------------------- +Thu Dec 6 14:51:56 CET 2001 - rhafer@suse.de + +- eliminated START_LDAP, START_SLURPD variables in rc.config +- created separate init script for slurpd +- moved init scripts from dif to separate source tgz + +------------------------------------------------------------------- +Fri Oct 26 10:36:06 CEST 2001 - choeger@suse.de + +- update to v2.0.18 + +------------------------------------------------------------------- +Mon Oct 15 10:00:06 CEST 2001 - choeger@suse.de + +- update to v2.0.17 + added a sleep to the restart section + moved some manpages to the client package + +------------------------------------------------------------------- +Mon Oct 1 18:38:14 CEST 2001 - choeger@suse.de + +- update to v2.0.15 + +------------------------------------------------------------------- +Wed Sep 12 09:53:03 CEST 2001 - choeger@suse.de + +- backported the full bugfix from openldap-2.0.14 + +------------------------------------------------------------------- +Tue Sep 11 11:36:20 CEST 2001 - choeger@suse.de + +- Bugfix for slurpd millionth second bug (ITS#1323) + +------------------------------------------------------------------- +Mon Sep 10 09:06:40 CEST 2001 - choeger@suse.de + +- moved ldapfilter.conf ldaptemplates.conf ldapsearchprefs.conf + to openldap2-client package + +------------------------------------------------------------------- +Mon Sep 3 
09:31:21 CEST 2001 - choeger@suse.de + +- update to version 2.0.12 + +------------------------------------------------------------------- +Mon Jul 2 10:52:22 CEST 2001 - choeger@suse.de + +- bugfix: init script was not LSB compliant, Bugzilla ID#9072 + +------------------------------------------------------------------- +Tue Jun 19 16:18:54 CEST 2001 - ro@suse.de + +- fixed for autoconf again + +------------------------------------------------------------------- +Fri Jun 15 10:23:24 CEST 2001 - choeger@suse.de + +- update to 2.0.11 +- removed autoconf in specfile, because it doesn't work + +------------------------------------------------------------------- +Wed May 23 11:43:08 CEST 2001 - choeger@suse.de + +- update to version 2.0.10 (minor fixes) + +------------------------------------------------------------------- +Tue May 22 11:33:58 CEST 2001 - choeger@suse.de + +- update to version 2.0.9 + +------------------------------------------------------------------- +Mon Apr 23 15:55:32 CEST 2001 - choeger@suse.de + +- removed kerberos support +- added aci support + +------------------------------------------------------------------- +Fri Apr 20 11:52:14 CEST 2001 - choeger@suse.de + +- added kerberos support + +------------------------------------------------------------------- +Thu Apr 5 13:47:51 CEST 2001 - choeger@suse.de + +- moved section 5 and 8 manpages to the server part of package + +------------------------------------------------------------------- +Wed Mar 14 18:17:50 CET 2001 - kukuk@suse.de + +- Move *.so links into -devel package +- -devel requires -client + +------------------------------------------------------------------- +Thu Mar 8 10:51:05 CET 2001 - choeger@suse.de + +- split up into openldap2-client and -devel + +------------------------------------------------------------------- +Tue Feb 27 11:20:53 CET 2001 - ro@suse.de + +- changed neededforbuild to + +------------------------------------------------------------------- +Fri Feb 23 00:10:25 
CET 2001 - ro@suse.de + +- added readline/readline-devel to neededforbuild (split from bash) + +------------------------------------------------------------------- +Thu Jan 4 14:03:17 CET 2001 - choeger@suse.de + +- bugfix: slapd.conf rename /var/lib/openldap-ldbm to + /var/lib/ldap + init script: use $remote_fs + +------------------------------------------------------------------- +Tue Jan 2 10:38:20 CET 2001 - olh@suse.de + +- use script name in %post + +------------------------------------------------------------------- +Thu Dec 7 15:01:53 CET 2000 - choeger@suse.de + +- bugfix from Andreas Jaeger: + workaround for glibc2.2, detach + +------------------------------------------------------------------- +Fri Dec 1 15:23:45 CET 2000 - ro@suse.de + +- hacked configure for apparently broken pthread + +------------------------------------------------------------------- +Fri Dec 1 02:28:54 CET 2000 - ro@suse.de + +- fixed spec + +------------------------------------------------------------------- +Thu Nov 23 11:27:07 CET 2000 - choeger@suse.de + +- made configs %config(noreplace) (Bug 4112) +- fixed neededforbuild + +------------------------------------------------------------------- +Wed Nov 22 11:37:22 CET 2000 - choeger@suse.de + +- adopted new init scheme + +------------------------------------------------------------------- +Wed Nov 15 16:24:48 CET 2000 - choeger@suse.de + +- fixed neededforbuild + +------------------------------------------------------------------- +Fri Nov 10 16:32:57 CET 2000 - choeger@suse.de + +- added buildroot + +------------------------------------------------------------------- +Tue Nov 7 18:52:54 CET 2000 - choeger@suse.de + +- long package name +- new version, 2.0.7 + +------------------------------------------------------------------- +Fri Oct 6 11:35:47 CEST 2000 - choeger@suse.de + +- first package of openldap2 (v2.0.6) diff --git a/openldap2.conf b/openldap2.conf new file mode 100644 index 0000000..bf5c535 --- /dev/null 
+++ b/openldap2.conf @@ -0,0 +1,2 @@ +# openldap needs a directory in /var/lib/: +d /var/lib/ldap 0750 ldap ldap - diff --git a/openldap2.keyring b/openldap2.keyring new file mode 100644 index 0000000000000000000000000000000000000000..3a5c92ab801a3211403fb1b1f6ce7500a3668345 GIT binary patch literal 2259 zcmV;^2rT!R0u2OT+Kc}I5CFS;b+s;#dcv~TcNmyY`w9t=OI&RnrcQ1^7fSAA^fzvq zRXr|w`E1k)a|v^gUD$?}Y=9E<*+lc~S>N|@Lhi!xDbJ&9|HKXTHm6Ub@NR&yU)mNpWmgEL_FL#&c8Wu>y?B+qN>BUGKM~IKni|8Xu_j{(6PdzQD=r79))VM z<+NMwAKGDzV~?&wpi^O@iOi1c0VjkBwnG6itY$jMp`BG_ z<(JDN^~RNRbsd-~R@{_87j??ISzom0yhtp*3z>j|-@|0=S(E?2iyZb<@F%mBwjr zD57k+M!HYGI6bHJzTgCaoQ1&wVUV#ZBF#QDIY(ms@Qn{}6#+d+6Px zD8=E!+*=~OMJ2hgG&kr_s~-{vXv-qUDI@UH%7cTsI#8#)(ThmbA7RCvcc-WmQM|qA z;Vr=@1>L!BlgnPEknihIp^3rw$Pr5I_YBt(m>V3aNF_^Ixoo0`7onV|uuQoSi?X7C zSMJ|bIHHT1LwgE-t5(PLdb(g*;D&FsA7waRuR6QwnwdwVSr33FZyEvI!Z%hflWm_w zTB?H0@r|Xnq&!o77E%->4~%T`XYrR#aj@vO(7Y)_Xo#RIsp`W{FkSg@;V{{avH>-xO}Dut@Rk9mV$L0$$r zX~#M|F7~M(H-n4f9o8!zT8B=|TdE`ugS2I1ktzy;{x-Lz;>I>9%_5~^b&#jqv~Wz< z!P*vq-eYm0`kM2FgS|yc{<7onG~x*>w&2GU&D(0iJoVe${rC4P&JO97hC-;;D0;k- zm15+cMA!Ka_F(dvGK07mG$fHGJmKet%5{I*09Z@HsTm?g8V=~ zePA%)J2KnB9p^pQg}6<7;pWg=W3NEqYgz441@Q4R;xC1X5{*^3X38$3&7xzbrNmzK z%SvBINnLr|p_)3wXC!X3OtQt8zbv-XzJa$Mbd&r=qRK%dlI%|iATHVO=J+)=N^f>k zBb*W0lSNH|1alQd6~eDNAX~M4mo*6OF#_;QN7$@a8OYGT^7>p-VdcfCOJ-b7{7a0; z+fR)r5BNv>)%xp9Tju~&x)ZlOLtC`GmRCj501*KI0f_=O1Q-Dd03a421U%wtwKyn2@rp0)%_gd%g!6i5CEoMu&%wDL`Dzb4o=BVV-@+4;lqCz=wiITFF^{|o+26Ruf*VW+wr6j9 z%G<*RivW(j2Zr<&wbkJi1ve(Oaw4$vhUEJ+1<08&q|xa%pBj$~O^2oQS|%+Ul^5zC zLK1T=H!} zl1^?73IgV(iocgTlt4!HmnWLb@ba3<+W|)1OwF??Yv(tI+Jl_b0x;85MQ;EA literal 0 HcmV?d00001 diff --git a/openldap2.spec b/openldap2.spec new file mode 100644 index 0000000..68bbc0b --- /dev/null +++ b/openldap2.spec 
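Review bot: In `openldap2.conf` the comment above `d /var/lib/ldap 0750 ldap ldap -` says only that a directory is needed and does not record why this mode and owner were chosen. The changelog in this same patch notes that slapd.conf stores the database under /var/lib/ldap, so the 0750 ldap:ldap setting is presumably what keeps directory data away from other local accounts. I would state that, e.g. `# slapd database directory: keep it 0750 ldap:ldap so other local users cannot read directory data`. As far as I know, a `d` entry sets mode and ownership on the directory itself only, so the permissions of the database files inside still depend on how slapd creates them; that is worth stating in the comment as well.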
@@ -0,0 +1,609 @@
+#
+# spec file
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define run_test_suite 0
+%define slapdrundir %{_rundir}/slapd
+%define flavor @BUILD_FLAVOR@%{nil}
+%if "%flavor" == "contrib"
+%define name_suffix -%{flavor}-src
+%else
+%define name_suffix %{nil}
+%endif
+
+Name: openldap2%{name_suffix}
+Summary: An open source implementation of the Lightweight Directory Access Protocol
+License: OLDAP-2.8
+Group: Productivity/Networking/LDAP/Servers
+Version: 2.6.4
+Release: 0
+URL: https://www.openldap.org
+Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
+Source1: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz.asc
+Source2: openldap2.keyring
+Source4: sasl-slapd.conf
+Source5: README.module-loading
+Source6: schema2ldif
+Source7: baselibs.conf
+Source9: addonschema.tar.gz
+Source12: slapd.conf.example
+Source13: start
+Source14: slapd.service
+Source16: sysconfig.openldap
+Source18: openldap2.conf
+Source19: ldap-user.conf
+Source20: fixup-modulepath.sh
+Source21: slapd-ldif-update-crc.sh
+Source22: update-crc.sh
+Source23: slapd.conf
+Source24: slapd.conf.olctemplate
+Patch1: reproducible.patch
+Patch3: 0003-LDAPI-socket-location.dif
+Patch5: 0005-pie-compile.dif
+Patch8:
0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+Patch16: 0016-Clear-shared-key-only-in-close-function.patch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: argon2-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: db-devel
+BuildRequires: groff
+BuildRequires: libopenssl-devel
+BuildRequires: libtool
+%if 0%{?suse_version} < 1600
+BuildRequires: openslp-devel
+%endif
+BuildRequires: sysuser-tools
+BuildRequires: unixODBC-devel
+# avoid cycle with krb5
+BuildRequires: pkgconfig(krb5)
+BuildRequires: pkgconfig(systemd)
+%if "%flavor" == "contrib"
+BuildRequires: gcc-c++
+BuildRequires: openldap2-devel
+%endif
+%if %{suse_version} < 1500
+%{?systemd_requires}
+%endif
+Requires: /usr/bin/awk
+Requires: libldap2 = %{version}
+Recommends: cyrus-sasl
+Conflicts: openldap
+PreReq: %fillup_prereq
+%sysusers_requires
+
+%description
+OpenLDAP is a client and server reference implementation of the
+Lightweight Directory Access Protocol v3 (LDAPv3).
+
+The server provides several database backends and overlays.
+
+%package back-perl
+Summary: OpenLDAP Perl Back-End
+Group: Productivity/Networking/LDAP/Servers
+Requires: openldap2 = %{version}
+Requires: perl = %{perl_version}
+
+%description back-perl
+The OpenLDAP Perl back-end allows you to execute Perl code specific to
+different LDAP operations.
+
+%package back-sock
+Summary: OpenLDAP Socket Back-End
+Group: Productivity/Networking/LDAP/Servers
+Requires: openldap2 = %{version}
+Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
+
+%description back-sock
+The OpenLDAP socket back-end allows you to handle LDAP requests and
+results with an external process listening on a Unix domain socket.
+
+%package back-meta
+Summary: OpenLDAP Meta Back-End
+Group: Productivity/Networking/LDAP/Servers
+Requires: openldap2 = %{version}
+Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
+
+%description back-meta
+The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
+respect to a set of remote LDAP servers. The information contained in
+these servers can be presented as belonging to a single Directory
+Information Tree (DIT).
+
+%package back-sql
+Summary: OpenLDAP SQL Back-End
+Group: Productivity/Networking/LDAP/Servers
+Requires: openldap2 = %{version}
+
+%description back-sql
+The primary purpose of this OpenLDAP backend is to present information
+stored in a Relational (SQL) Database as an LDAP subtree without the need
+to do any programming.
+
+%package -n libldap-data
+Summary: Configuration file for system-wide defaults for all uses of libldap
+Group: Productivity/Networking/LDAP/Clients
+BuildArch: noarch
+
+%description -n libldap-data
+The subpackage contains a configuration file used to set system-wide defaults
+to be applied with all usages of libldap.
+
+%package contrib
+Summary: OpenLDAP Contrib Modules
+Group: Productivity/Networking/LDAP/Servers
+Requires: openldap2 = %{version}
+
+%description contrib
+Various overlays found in contrib/:
+addpartial Intercepts ADD requests, applies changes to existing entries
+allop
+allowed Generates attributes indicating access rights
+autogroup
+authzid implements RFC 3829 support
+cloak
+datamorph store enumerated values and fixed size integers
+denyop
+lastbind writes last bind timestamp to entry
+noopsrch handles no-op search control
+pw-sha2 generates/validates SHA-2 password hashes
+pw-pbkdf2 generates/validates PBKDF2 password hashes
+smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
+trace traces overlay invocation
+variant allows attributes/values to be shared between several entries
+vc implements the verify credentials extended operation
+
+%package doc
+Summary: OpenLDAP Documentation
+Group: Documentation/Other
+Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
+BuildArch: noarch
+
+%description doc
+The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
+
+%package client
+Summary: OpenLDAP client utilities
+Group: Productivity/Networking/LDAP/Clients
+Requires: libldap2 = %{version}
+
+%description client
+OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
+
+%package devel
+Summary: Libraries, Header Files and Documentation for OpenLDAP
+# bug437293
+Group: Development/Libraries/C and C++
+%ifarch ppc64
+Obsoletes: openldap2-devel-64bit
+%endif
+#
+Conflicts: openldap-devel
+Requires: libldap2 = %{version}
+Recommends: cyrus-sasl-devel
+
+%description devel
+This package provides the OpenLDAP libraries, header files, and
+documentation.
+
+%package devel-static
+Summary: Static libraries for the OpenLDAP libraries
+Group: Development/Libraries/C and C++
+Requires: cyrus-sasl-devel
+Requires: libopenssl-devel
+Requires: openldap2-devel = %version
+
+%description devel-static
+This package provides the static versions of the OpenLDAP libraries
+for development.
+
+%package -n libldap2
+Summary: OpenLDAP Client Libraries
+Group: Productivity/Networking/LDAP/Clients
+Recommends: libldap-data >= %{version}
+
+%description -n libldap2
+This package contains the OpenLDAP client libraries.
+
+%package -n libldapcpp-devel
+Summary: C++ wrapper around openLDAP API
+Group: Development/Libraries/C and C++
+Requires: libldapcpp0 = %{version}
+Requires: openldap2-devel
+
+%description -n libldapcpp-devel
+This package contains files needed for development with the LDAP C++
+library.
+
+%package -n libldapcpp0
+Summary: C++ wrapper around openLDAP API
+Group: Development/Libraries/C and C++
+Provides: ldapcpplib = %{version}
+Obsoletes: ldapcpplib <= 0.0.5
+
+%description -n libldapcpp0
+This package provides a C++ library for accessing LDAP (Version 3)
+Servers
+
+%prep
+%setup -q -a 9 -n openldap-%{version}
+%patch1 -p1
+%patch3 -p1
+%patch5 -p1
+%patch8 -p1
+%patch16 -p1
+cp %{SOURCE5} .
+
+%build
+%if "%flavor" == "contrib"
+cd contrib/ldapc++
+%configure --disable-static
+%make_build
+%else
+%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
+export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS"
+export STRIP=""
+./configure \
+ --prefix=/usr \
+ --sysconfdir=%{_sysconfdir} \
+ --libdir=%{_libdir} \
+ --libexecdir=%{_libdir} \
+ --localstatedir=%{slapdrundir} \
+ --enable-wrappers=no \
+ --enable-spasswd \
+ --enable-modules \
+ --enable-shared \
+ --enable-dynamic \
+ --with-tls=openssl \
+ --with-cyrus-sasl \
+ --enable-crypt \
+ --enable-ipv6=yes \
+ --enable-dynacl \
+ --enable-aci \
+ --enable-ldap=mod \
+ --enable-meta=mod \
+ --enable-perl=mod \
+ --enable-sock=mod \
+ --enable-sql=mod \
+ --enable-mdb=mod \
+ --enable-relay=mod \
+%if 0%{?suse_version} < 1600
+ --enable-slp \
+%endif
+ --enable-overlays=mod \
+ --enable-syncprov=mod \
+ --enable-ppolicy=mod \
+ --with-yielding-select \
+ --with-argon2=libargon2 \
+ || cat config.log
+make depend
+%make_build
+# Build selected contrib overlays
+for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
+do
+ make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
+done
+# slapo-smbk5pwd only for Samba password hashes
+make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
+
+# Create ldap user
+%sysusers_generate_pre %{SOURCE19} ldap
+%endif
+
+%check
+%if %run_test_suite
+# calculate the base port to be use in the test-suite
+SLAPD_BASEPORT=10000
+if [ -f /.buildenv ] ; then
+ .
/.buildenv
+ SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
+fi
+export SLAPD_BASEPORT
+%ifnarch %arm alpha
+rm -f tests/scripts/test019-syncreplication-cascade
+rm -f tests/scripts/test022-ppolicy
+rm -f tests/scripts/test023-refint
+rm -f tests/scripts/test033-glue-syncrepl
+#rm -f tests/scripts/test036-meta-concurrency
+#rm -f tests/scripts/test039-glue-ldap-concurrency
+rm -f tests/scripts/test043-delta-syncrepl
+#rm -f tests/scripts/test045-syncreplication-proxied
+rm -f tests/scripts/test048-syncrepl-multiproxy
+rm -f tests/scripts/test050-syncrepl-multimaster
+rm -f tests/scripts/test058-syncrepl-asymmetric
+make SLAPD_DEBUG=0 test
+%endif
+%endif
+
+%install
+%if "%flavor" == "contrib"
+cd contrib/ldapc++
+%make_install
+%else
+mkdir -p %{buildroot}%{_libdir}/openldap
+mkdir -p %{buildroot}/usr/lib/openldap
+mkdir -p %{buildroot}%{_sbindir}
+mkdir -p %{buildroot}%{_unitdir}
+make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
+# Additional symbolic link to slapd executable in /usr/sbin/
+ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd
+# Install selected contrib overlays
+for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
+do
+ make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
+done
+# slapo-smbk5pwd only for Samba password hashes
+make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
+install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
+install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d
+mkdir -p %{buildroot}%{_sysconfdir}/sasl2
+install -m 644
%{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf
+install -m 755 -d %{buildroot}/var/lib/ldap
+chmod a+x %{buildroot}%{_libdir}/liblber.so*
+chmod a+x %{buildroot}%{_libdir}/libldap.so*
+install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
+mkdir -p %{buildroot}%{_tmpfilesdir}/
+install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
+
+install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
+install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
+install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
+
+mkdir -p %{buildroot}%{_fillupdir}
+install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap
+install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema
+install -m 644 *.schema %{buildroot}%{_sysconfdir}/openldap/schema
+# Install default and sample configuration files
+install -m 644 %{SOURCE23} %{buildroot}%{_sysconfdir}/openldap
+install -m 644 %{SOURCE24} %{buildroot}%{_sysconfdir}/openldap
+install -m 644 %{SOURCE12} %{buildroot}%{_sysconfdir}/openldap
+find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a !
-type d ')' -delete
+rm -rf doc/guide/release
+
+%define DOCDIR %{_defaultdocdir}/%{name}
+# Install default database optimisation
+install -d %{buildroot}%{DOCDIR}/adminguide \
+ %{buildroot}%{DOCDIR}/images \
+ %{buildroot}%{DOCDIR}/drafts
+install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide
+install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images
+install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts
+install -m 644 ANNOUNCEMENT \
+ COPYRIGHT \
+ README \
+ CHANGES \
+ %{SOURCE5} \
+ %{buildroot}%{DOCDIR}
+install -m 644 servers/slapd/slapd.ldif \
+ %{buildroot}%{DOCDIR}/slapd.ldif.default
+rm -f %{buildroot}/etc/openldap/schema/README
+rm -f %{buildroot}/etc/openldap/slapd.ldif*
+mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
+
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
+
+rm -f %{buildroot}%{_libdir}/openldap/*.a
+rm -f %{buildroot}/usr/share/man/man5/slapd-dnssrv.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-ndb.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-null.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
+# Remove *.la files, libtool does not handle this correct
+# Keep .la files for modules in the openldap subdirectory, which are consumed
+# in this form.
+rm -f %{buildroot}%{_libdir}/*.la
+
+# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5.
+ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
+%endif
+
+%pre -f ldap.pre
+%service_add_pre slapd.service
+
+%post
+%{fillup_only -n openldap ldap}
+%tmpfiles_create %{name}.conf
+%service_add_post slapd.service
+
+%post -n libldap2 -p /sbin/ldconfig
+%postun -n libldap2 -p /sbin/ldconfig
+
+%preun
+%service_del_preun slapd.service
+
+%postun
+%service_del_postun slapd.service
+
+%if "%flavor" == "contrib"
+%files -n libldapcpp-devel
+%doc contrib/ldapc++/README
+%_includedir/*.h
+%_libdir/libldapcpp.la
+%_libdir/libldapcpp.so
+
+%files -n libldapcpp0
+%_libdir/libldapcpp.so.0
+%_libdir/libldapcpp.so.0.0.0
+
+%else
+
+%files
+%config %{_sysconfdir}/openldap/schema/*.schema
+%config %{_sysconfdir}/openldap/schema/*.ldif
+%config(noreplace) /etc/sasl2/slapd.conf
+%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf
+%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.olctemplate
+%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.default
+%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.example
+%dir %{_libdir}/openldap
+%dir /usr/lib/openldap
+%dir %{_sysconfdir}/sasl2
+%dir %{_sysconfdir}/openldap
+%dir %attr(0770, ldap, ldap) %{_sysconfdir}/openldap/slapd.d
+%dir %{_sysconfdir}/openldap/schema
+%{_fillupdir}/sysconfig.openldap
+%{_sbindir}/slap*
+%{_sbindir}/rcslapd
+%{_libdir}/openldap/back_ldap*
+%{_libdir}/openldap/back_mdb*
+%{_libdir}/openldap/back_relay*
+%{_libdir}/openldap/accesslog*
+%{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/autoca*
+%{_libdir}/openldap/collect*
+%{_libdir}/openldap/constraint*
+%{_libdir}/openldap/dds*
+%{_libdir}/openldap/deref*
+%{_libdir}/openldap/dyngroup*
+%{_libdir}/openldap/dynlist*
+%{_libdir}/openldap/homedir*
+%{_libdir}/openldap/memberof*
+%{_libdir}/openldap/otp*
+%{_libdir}/openldap/pcache*
+%{_libdir}/openldap/ppolicy*
+%{_libdir}/openldap/remoteauth*
+%{_libdir}/openldap/refint*
+%{_libdir}/openldap/retcode*
+%{_libdir}/openldap/rwm*
+%{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/sssvlv*
+%{_libdir}/openldap/syncprov*
+%{_libdir}/openldap/translucent*
+%{_libdir}/openldap/unique*
+%{_libdir}/openldap/valsort*
+%{_libdir}/slapd
+/usr/lib/openldap/start
+/usr/lib/openldap/update-crc
+/usr/lib/openldap/fixup-modulepath
+%{_unitdir}/slapd.service
+%{_tmpfilesdir}/%{name}.conf
+%{_sysusersdir}/ldap-user.conf
+%dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
+%ghost %attr(0750, ldap, ldap) %{slapdrundir}
+%doc %{_mandir}/man8/sl*
+%doc %{_mandir}/man8/lloadd.*
+%doc %{_mandir}/man5/lloadd.conf.*
+%doc %{_mandir}/man5/slapd.*
+%doc %{_mandir}/man5/slapd-asyncmeta.*
+%doc %{_mandir}/man5/slapd-config.*
+%doc %{_mandir}/man5/slapd-ldap.*
+%doc %{_mandir}/man5/slapd-ldif.*
+%doc %{_mandir}/man5/slapd-mdb.*
+%doc %{_mandir}/man5/slapd-monitor.*
+%doc %{_mandir}/man5/slapd-pw-*
+%doc %{_mandir}/man5/slapd-relay.*
+%doc %{_mandir}/man5/slapd-wt.*
+%doc %{_mandir}/man5/slapo-*
+%doc %{_mandir}/man5/slappw-argon2.*
+%dir %{DOCDIR}
+%doc %{DOCDIR}/ANNOUNCEMENT
+%doc %{DOCDIR}/COPYRIGHT
+%license LICENSE
+%doc %{DOCDIR}/README*
+%doc %{DOCDIR}/CHANGES
+%doc %{DOCDIR}/slapd.ldif.default
+
+%files back-perl
+%{_libdir}/openldap/back_perl*
+%doc %{_mandir}/man5/slapd-perl.*
+
+%files back-sock
+%{_libdir}/openldap/back_sock*
+%doc %{_mandir}/man5/slapd-sock.*
+
+%files back-meta
+%{_libdir}/openldap/back_meta*
+%doc %{_mandir}/man5/slapd-meta.*
+
+%files back-sql
+%{_libdir}/openldap/back_sql*
+%doc %{_mandir}/man5/slapd-sql.*
+%doc servers/slapd/back-sql/examples
+%doc servers/slapd/back-sql/docs/bugs
+%doc servers/slapd/back-sql/docs/install
+
+%files -n libldap-data
+%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%doc %{_mandir}/man5/ldap.conf*
+%{_sysconfdir}/openldap/ldap.conf.default
+
+%files doc
+%dir %{DOCDIR}
+%doc %{DOCDIR}/drafts
+%doc %{DOCDIR}/adminguide
+%doc %{DOCDIR}/images
+
+%files contrib
+%{_libdir}/openldap/addpartial.*
+%{_libdir}/openldap/allop.*
+%{_libdir}/openldap/allowed.*
+%{_libdir}/openldap/authzid.*
+%{_libdir}/openldap/autogroup.*
+%{_libdir}/openldap/cloak.*
+%{_libdir}/openldap/datamorph.*
+%{_libdir}/openldap/denyop.*
+%{_libdir}/openldap/lastbind.*
+%{_libdir}/openldap/noopsrch.*
+%{_libdir}/openldap/pw-pbkdf2.*
+%{_libdir}/openldap/pw-sha2.*
+%{_libdir}/openldap/smbk5pwd.*
+%{_libdir}/openldap/trace.*
+%{_libdir}/openldap/variant.*
+%{_libdir}/openldap/vc.*
+
+%files client
+%doc %{_mandir}/man1/ldap*
+%doc %{_mandir}/man5/ldif.*
+%dir /etc/openldap
+/usr/sbin/schema2ldif
+/usr/bin/ldapadd
+/usr/bin/ldapcompare
+/usr/bin/ldapdelete
+/usr/bin/ldapexop
+/usr/bin/ldapmodify
+/usr/bin/ldapmodrdn
+/usr/bin/ldapsearch
+/usr/bin/ldappasswd
+/usr/bin/ldapurl
+/usr/bin/ldapvc
+/usr/bin/ldapwhoami
+
+%files -n libldap2
+%{_libdir}/liblber.so.*
+%{_libdir}/libldap.so.*
+
+%files devel
+%doc %{_mandir}/man3/ber*
+%doc %{_mandir}/man3/lber*
+%doc %{_mandir}/man3/ld_errno*
+%doc %{_mandir}/man3/ldap*
+%{_includedir}/*.h
+%{_libdir}/liblber.so
+%{_libdir}/libldap*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files devel-static
+%_libdir/liblber.a
+%_libdir/libldap*.a
+
+%endif # !flavor:contrib
+
+%changelog
diff --git a/reproducible.patch b/reproducible.patch
new file mode 100644
index 0000000..0f562f8
--- /dev/null
+++ b/reproducible.patch
@@ -0,0 +1,13 @@
+Index: openldap-2.6.3/build/mkversion
+===================================================================
+--- openldap-2.6.3.orig/build/mkversion
++++ openldap-2.6.3/build/mkversion
+@@ -77,7 +77,7 @@ static const char copyright[] =
+ "COPYING RESTRICTIONS APPLY\n";
+
+ $static $const char $SYMBOL[] =
+-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
++"@(#) \$$PACKAGE: $APPLICATION $VERSION \$\n"
+ "\t$WHOWHERE\n";
+
+ __EOF__
diff --git a/sasl-slapd.conf b/sasl-slapd.conf
new file mode 100644
index 0000000..5536bf8
--- /dev/null
+++ b/sasl-slapd.conf
@@ -0,0 +1 @@
+mech_list: gssapi digest-md5 cram-md5 external
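Review bot: In %install the three helper-script lines use source numbers one lower than the Source declarations, so `install -m 755 %{SOURCE19} ... /usr/lib/openldap/fixup-modulepath` installs ldap-user.conf as an executable, fixup-modulepath.sh (Source20) and slapd-ldif-update-crc.sh (Source21) each land under the next script's name, and update-crc.sh (Source22) is never installed. The path /usr/lib/openldap/update-crc, which slapd-ldif-update-crc.sh sources, would therefore hold the wrong script. The lines should read `install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath`, `install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc` and `install -m 755 %{SOURCE22} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc`. Separately, in %build the trailing `|| cat config.log` turns a failed ./configure into exit status 0; `|| { cat config.log; exit 1; }` keeps the log and stops the build at the real failure.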
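Review bot: The `mech_list` enables `digest-md5` and `cram-md5`, two challenge-response mechanisms that require the server to keep a plaintext-equivalent secret for every user; DIGEST-MD5 was moved to Historic status by RFC 6331. Unless a client in the deployment still depends on them, a default of `mech_list: gssapi external` avoids advertising them. If they have to stay, a comment naming the clients that need them would tell the next maintainer when the entry can be tightened.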
diff --git a/schema2ldif b/schema2ldif
new file mode 100644
index 0000000..12f2748
--- /dev/null
+++ b/schema2ldif
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# This is a simple tool to convert OpenLDAP Schema files to
+# LDIF suitable for usage with OpenLDAP's dynamic configuration
+# backend (cn=config)
+#
+# usage:
+# schema2ldif
+#
+# The generated LDIF is printed to stdout.
+#
+
+if [ -z "$1" ]; then
+ echo 'usage: schema2ldif '
+ exit;
+fi
+
+cn=`basename $1 .schema`
+
+echo "dn: cn=$cn,cn=schema,cn=config";
+echo "objectclass: olcSchemaConfig";
+echo "cn: $cn";
+
+/usr/bin/awk '
+BEGIN {
+ buffer = "";
+ width=78 ;
+}
+function wrap(data)
+{
+ if (length(data) > 0) {
+ do {
+ print substr(data,0,width);
+ data = " " substr(data, width+1);
+ }
+ while (length(data) > 1 )
+ };
+}
+/^[\t ]*$/ {wrap(buffer); buffer=""; print "#"; next; }
+/^#.*$/ { wrap(buffer); buffer=""; print $0; next }
+/^[\t ]+/ { gsub("^[\t ]+",""); buffer = buffer " " $0; next; }
+{
+ wrap(buffer);
+ $1 = tolower($1) ;
+ gsub("^objectclass$","olcObjectclasses:",$1)
+ gsub("^attributetype$","olcAttributeTypes:",$1)
+ gsub("^attributetypes$","olcAttributeTypes:",$1)
+ gsub("^objectidentifier$","olcObjectIdentifier:",$1)
+ buffer = $0;
+}
+END { wrap(buffer); print "" }
+' "$@"
+
diff --git a/slapd-ldif-update-crc.sh b/slapd-ldif-update-crc.sh
new file mode 100644
index 0000000..957bea1
--- /dev/null
+++ b/slapd-ldif-update-crc.sh
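Review bot: The assignment ``cn=`basename $1 .schema` `` expands `$1` unquoted, so a schema path containing whitespace or glob characters is split before basename sees it, and a name beginning with `-` is read as an option; `cn=$(basename -- "$1" .schema)` avoids both. The usage branch ends with a bare `exit`, which returns the status of the preceding echo (0), so a caller cannot detect the missing argument; `exit 1` with the message sent to stderr would make the failure visible. The derived `cn` is written into the `dn:` line unchanged, so a file name containing `,` or `=` would produce a malformed DN, and a one-line comment stating that schema file names must be plain identifiers would document that assumption.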
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+source /usr/lib/openldap/update-crc
+
+if [ -z ${1} ]; then
+ echo "Usage: ${0} /etc/openldap/slapd.d/"
+ exit 1
+fi
+
+if [ ! -f "${1}" ]; then
+ echo "File ${1} does not exist?"
+ echo "Usage: ${0} /etc/openldap/slapd.d/"
+ exit 1
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+ /usr/bin/systemctl is-active --quiet slapd.service
+ slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+ echo "Unable to update crc of '${1}' while slapd.service is running ..."
+ exit 1
+fi
+
+do_update_crc ${1}
+
+echo "Updated crc of ${1}"
+
diff --git a/slapd.conf b/slapd.conf
new file mode 100644
index 0000000..6f847c3
--- /dev/null
+++ b/slapd.conf
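Review bot: Both `[ -z ${1} ]` and `do_update_crc ${1}` leave the path unquoted, so a file name containing whitespace is split into several words and the first test fails with a syntax error instead of printing the usage; they should be `[ -z "${1}" ]` and `do_update_crc "${1}"`. The running-slapd guard is skipped whenever /usr/bin/systemctl is absent, so in a container the LDIF can be rewritten while slapd is running; a comment saying that the caller must stop slapd itself in that case would make the limitation explicit. Nothing checks that `source /usr/lib/openldap/update-crc` succeeded, and `source /usr/lib/openldap/update-crc || exit 1` would stop the script before `do_update_crc` is called while undefined.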
@@ -0,0 +1,86 @@
+# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
+#
+# OpenLDAP daemon (slapd.service) supports two configuration styles:
+# - Simple configuration with this file
+# - Online configuration (OLC)
+#
+# You may choose the configuration style by setting it in:
+# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
+# If the value is set to "files", this configuration file will be used.
+# If the value is set to "ldap", this configuration file will be entirely ignored, and
+# the OLC configuration from /etc/openldap/slapd.d will be loaded.
+#
+# If you decide to use online configuration, please read the additional instructions in:
+# /etc/openldap/slapd.conf.olctemplate
+#
+# Feel free to customise this file according to your needs, and start OpenLDAP
+# server daemon by executing:
+# systemctl start slapd.service
+#
+# To verify that LDAP service is running properly, try the following command:
+# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
+
+#
+# See slapd.conf(5) for details on configuration options.
+# See /etc/openldap/slapd.conf.example for more examples.
+# This file should NOT be world readable.
+#
+
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
+
+# The following schema files are often useful
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/yast.schema
+
+# Load backend modules such as database engines
+moduleload back_mdb.la
+
+# Very important: define ACL to authorise client access
+# The default settings permit rootdn to read and write, while other users
+# may read the entire database or change their own password.
+# If no ACL is present, everyone will be allowed to read the database.
+# rootdn can always read and write everything.
+access to dn.base=""
+ by * read
+
+access to dn.base="cn=Subschema"
+ by * read
+
+access to attrs=userPassword,userPKCS12
+ by self write
+ by * auth
+
+access to attrs=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+
+# Define a LDAP database
+database mdb
+suffix "dc=my-domain,dc=com"
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Please avoid using clear text for root password
+# See slappasswd(8) for instructions on creating a salted+hashed password
+rootpw secret
+# The database directory must exist prior to the start of OpenLDAP daemon
+# The directory should be owned by ldap user and permission 0700 is recommended
+directory /var/lib/ldap
+# Indices to maintain
+index objectClass eq
+
+# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
+# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
+# write down their paths below, make sure the files are readable by user "ldap".
+# The server will then support StartTLS on standard port 389.
+# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
+#TLSProtocolMin 3.1
+#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
+#TLSCACertificateFile /my/ca.crt
+#TLSCertificateFile /my/tls.crt
+#TLSCertificateKeyFile /my/tls.key
diff --git a/slapd.conf.example b/slapd.conf.example
new file mode 100644
index 0000000..87e484b
--- /dev/null
+++ b/slapd.conf.example
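Review bot: The configuration installed as the active /etc/openldap/slapd.conf sets `rootpw secret`, so a server started without editing the file has a publicly known manager password, and the header comment repeats it in the `ldapsearch ... -w secret` example. Shipping the line commented out, for example `#rootpw <output of slappasswd>`, forces an administrator to set a hashed value before the rootdn can bind with a password. The closing rule `access to *` with `by * read` also lets anonymous clients read every attribute not matched by an earlier rule; ending it with `by users read` and `by * auth` would limit reads to authenticated binds. In the commented TLS block, `TLSProtocolMin 3.1` corresponds to TLS 1.0, and `3.3` (TLS 1.2) would be a safer suggested floor.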
@@ -0,0 +1,354 @@
+############################################################################
+# See slapd.conf(5) for details on configuration options.
+# This file SHOULD NOT be world readable.
+#
+# Important note:
+# You surely have to adjust some settings to meet your (security)
+# requirements.
+# At least you should replace suffix "dc=example,dc=com" by
+# something meaningful for your setup.
+# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
+# KDC then you MUST add decent ACLs for protecting user credentials!
+#
+# Read the man pages before changing something!
+#
+# You can debug the config by running (as root while slapd stopped):
+# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
+############################################################################
+
+#---------------------------------------------------------------------------
+# slapd global parameters
+#---------------------------------------------------------------------------
+
+# serverID must be unique across all provider replicas
+# for using multi-master replication (MMR)
+serverID 99
+
+# only alter this when you know what you're doing
+#threads 4
+
+# Run-time files
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+# for more debugging set:
+#loglevel config stats stats2
+loglevel stats
+
+#---------------------------------------------------------------------------
+# Load runtime loadable modules
+#---------------------------------------------------------------------------
+
+# Load additional backend modules installed by package 'openldap2'
+# The following backends are statically built-in and therefore don't have
+# to be loaded here:
+# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
+#moduleload back_bdb
+#moduleload back_hdb
+moduleload back_mdb
+#moduleload back_meta
+#moduleload back_sock
+
+# Load additional overlay modules installed by package 'openldap2'
+# The following
overlay are statically built-in and therefore don't have
+# to be loaded here:
+# ppolicy, syncprov
+#moduleload accesslog
+#moduleload constraint
+#moduleload dds
+#moduleload deref
+#moduleload dynlist
+#moduleload memberof
+moduleload refint
+#moduleload sssvlv
+#moduleload translucent
+moduleload unique
+#moduleload valsort
+
+# Load additional overlay modules installed by package 'openldap2-contrib'
+#moduleload allowed
+#moduleload lastbind
+#moduleload noopsrch
+#moduleload pw-pbkdf2
+#moduleload pw-sha2
+#moduleload smbk5pwd
+
+#---------------------------------------------------------------------------
+# Include schema files
+#---------------------------------------------------------------------------
+
+# Schema files installed by package 'openldap2'
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/ppolicy.schema
+#include /etc/openldap/schema/yast.schema
+
+# Schema file installed by package 'dhcp-server'
+#include /etc/openldap/schema/dhcp.schema
+
+# Schema file installed by package 'samba'
+#include /etc/openldap/schema/samba3.schema
+
+# Schema file installed by package 'krb5-plugin-kdb-ldap'
+#include /usr/share/doc/packages/krb5/kerberos.schema
+
+#---------------------------------------------------------------------------
+# Transport Layer Security (TLS) configuration
+#---------------------------------------------------------------------------
+
+# require at least TLS 1.0 and highly secure ciphers
+#TLSProtocolMin 3.1
+#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
+
+# TLS certificate and key files
+#TLSCACertificateFile /etc/ssl/ca-bundle.pem
+#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
+#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
+
+# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
+#TLSDHParamFile /etc/openldap/ssl.key/dhparam
+
+#---------------------------------------------------------------------------
+# Password hashing
+#---------------------------------------------------------------------------
+
+#password-hash {CRYPT}
+# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
+#password-crypt-salt-format "$6$%.12s"
+
+#---------------------------------------------------------------------------
+# Security requirements
+#---------------------------------------------------------------------------
+
+#disallow bind_anon
+#require bind LDAPv3 strong
+
+# SSF value for ldapi://
+localSSF 256
+
+# minimum required SSF value (security strength factor)
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+#security ssf=128 update_ssf=256 simple_bind=128
+security ssf=0
+
+#---------------------------------------------------------------------------
+# Global access control (ACLs)
+#---------------------------------------------------------------------------
+
+# Root DSE: allow anyone to read it
+access to
+ dn.base=""
+ by * read
+
+# Sub schema sub entry: allow anyone to read it
+access to
+ dn.base="cn=Subschema"
+ by * read
+
+#---------------------------------------------------------------------------
+# Authz-DN mappings
+#---------------------------------------------------------------------------
+
+# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
+# System user root is mapped to the rootdn in database dc=example,dc=com
+# which has also read access on config and monitor databases
+authz-regexp
+ "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+ "cn=root,dc=example,dc=com"
+
+# Map local system user to LDAP entry
+# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
+authz-regexp
+ "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
+ "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
+
+# this maps the attribute uid to a LDAP entry
+# if one of the typical password-based SASL mechs was used
+authz-regexp
+ "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
+ "ldap:///dc=example,dc=com??sub?(uid=$1)"
+
+# this maps the attribute uid to a LDAP entry
+# if one of the Kerberos based SASL mechs was used
+#authz-regexp
+# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
+# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
+
+# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
+#authz-regexp
+# "(.+)"
+# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
+
+
+#===========================================================================
+# Database specific configuration sections below
+# Required order of databases:
+# config (first), ...others..., monitor (last)
+#===========================================================================
+
+
+#---------------------------------------------------------------------------
+# cn=config // Configuration database (always first!)
+# see slapd-config(5)
+#---------------------------------------------------------------------------
+
+database config
+
+# Cleartext passwords, especially for the rootdn, should
+# be avoid! See slappasswd(8) and slapd.conf(5) for details.
+# Best thing is not to set rootpw at all!
+# For local config access by root use LDAPI with SASL/EXTERNAL instead
+# (see above).
+#rootpw secret
+
+access to
+ dn.subtree="cn=config"
+ by dn.exact="cn=root,dc=example,dc=com" manage
+ by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
+ by * none
+
+
+#---------------------------------------------------------------------------
+# dc=example,dc=com // Example MDB database to be used by normal clients
+# see slapd-mdb(5)
+#---------------------------------------------------------------------------
+
+database mdb
+
+suffix "dc=example,dc=com"
+
+# rootdn has to be set for overlays' internal operations
+rootdn "cn=root,dc=example,dc=com"
+
+# Cleartext passwords, especially for the rootdn, should
+# be avoid! See slappasswd(8) and slapd.conf(5) for details.
+# Best thing is not to set rootpw at all!
+rootpw secret
+
+# The database directory MUST exist prior to running slapd and
+# SHOULD only be accessible by the slapd user 'ldap'.
+# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
+directory /var/lib/ldap/example-db
+
+# Permissions of database files created
+mode 0600
+
+# extra information to be available in cn=monitor for this database
+monitoring on
+
+# Perform ACL checks on the content of a new entry being added
+add_content_acl on
+
+# backend-specific database parameters
+checkpoint 1024 5
+# 100 MB (you can raise the limit later)
+maxsize 104857600
+
+# Indices to maintain
+#
+# Whenever you change indexing configuration you have to re-run slapindex
+# while slapd being stopped!
+# Don't forget to fix ownership/permissions of newly generated index files
+# afterwards!
+
+# set always!
+index objectClass eq
+
+# for typical address book use
+index cn,sn,givenName,mail eq,sub
+
+# for user management
+index uid,uidNumber,gidNumber eq
+
+# for authz-regexp mapping of Kerberos principal name
+#index krbPrincipalName,krbPrincipalAlias eq
+
+# for authz-regexp mapping of client cert subject DNs
+#index seeAlso eq
+
+# for syncrepl
+index entryUUID,entryCSN eq
+
+# access control lists (ACLs) for dc=example,dc=com
+# see slapd.access(5) for details on access control lists (ACLs)
+
+# full read access also to 'userPassword' for group of replicas
+# and control is forwarded to subsequent ACLs
+access to
+ dn.subtree=dc=example,dc=com
+ by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
+ by * break
+
+# write-only access to 'userPassword' for user, auth access else
+access to
+ attrs=userPassword
+ by self =w
+ by * auth
+
+# 'userPKCS' must only be accessible by self
+access to
+ attrs=userPKCS12
+ by self write
+ by * none
+
+# No access to history of passwords
+#access to
+# attrs=pwdHistory
+# by * none
+
+# Catch-all ACL for the rest
+access to
+ dn.subtree=dc=example,dc=com
+ by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
+ by self read
+ by users read
+ by * auth
+
+# see slapo-ppolicy(5)
+overlay ppolicy
+# Default password policy entry
+#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
+# Hash clear-text userPassword values sent in with add/modify operations
+#ppolicy_hash_cleartext
+# Return AccountLocked error code to client
+#ppolicy_use_lockout
+
+# see slapo-refint(5)
+overlay refint
+refint_attributes member seeAlso
+refint_nothing cn=dummy
+
+# Check sub-tree wide uniqueness of certain attributes
+# see slapo-unique(5)
+# you have to add eq-index for efficient uniqueness check!
+# Note that filter part is currently ignored because of OpenLDAP ITS#6825
+overlay unique
+unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
+unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
+#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
+#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
+#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
+#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
+
+#overlay syncprov
+#mirrormode on
+
+
+#---------------------------------------------------------------------------
+# cn=monitor // Monitoring database (always last!)
+# see slapd-monitor(5)
+#---------------------------------------------------------------------------
+
+database monitor
+
+access to
+ dn.subtree="cn=monitor"
+ by dn.exact="cn=root,dc=example,dc=com" write
+ by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
+ by users read
diff --git a/slapd.conf.olctemplate b/slapd.conf.olctemplate
new file mode 100644
index 0000000..90ae51f
--- /dev/null
+++ b/slapd.conf.olctemplate
@@ -0,0 +1,46 @@
+# This file (slapd.conf.olctemplate) is a template for creating the initial
+# online configuration for OpenLDAP server daemon.
+#
+# In order to use online configuration for OpenLDAP server daemon, make sure to set:
+# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="ldap"
+#
+# Before starting the OpenLDAP daemon (slapd.conf) with onlne configuration for
+# the very first time, you have to prepare the online configuration directory
+# from this template file - first, make necessary customisations if you wish, and then
+# run:
+# cd /etc/openldap && slaptest -f slapd.conf.olctemplate -F slapd.d
+#
+# Then you may start OpenLDAP daemon:
+# systemctl start slapd.service
+#
+# To verify that LDAP service is running properly, try the following command:
+# ldapsearch -x -D cn=admin,cn=config -w secret -b cn=config
+
+#
+# See slapd.conf(5) for details on configuration options.
+# See /etc/openldap/slapd.conf.example for more examples.
+# This file should NOT be world readable.
+#
+
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
+
+# The following schema files are often useful
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/yast.schema
+
+# Load backend modules such as database engines
+# modulepath /usr/lib64/openldap
+# moduleload back_mdb.la
+# moduleload back_hdb.la
+# moduleload back_bdb.la
+
+# Define the config database that holds all online configurations
+database config
+rootdn "cn=admin,cn=config"
+# Please avoid using clear text for root password
+# See slappasswd(8) for instructions on creating a salted+hashed password
+rootpw secret
diff --git a/slapd.service b/slapd.service
new file mode 100644
index 0000000..6d5af0b
--- /dev/null
+++ b/slapd.service
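Review bot: In slapd.conf.olctemplate the config database is created with `rootpw secret` in cleartext, so a server initialised from the unmodified template accepts a simple bind as `cn=admin,cn=config` with a publicly known password, and that identity can rewrite the whole online configuration. The comment directly above already advises against cleartext, so the template should not ship a working value; I would replace the line with `#rootpw <hash generated with slappasswd(8)>` and leave it commented out until the admin fills it in. Local administration can then go through ldapi:/// with SASL/EXTERNAL, which needs an `authz-regexp` mapping for the root peer credential like the one slapd.conf.example carries. The verification command in the header also passes the password as `-w secret` on the command line; prompting with `-W` keeps it out of the process list and shell history.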
@@ -0,0 +1,28 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/lib/openldap/start
+
+# Hardening to prevent security escalation.
+## Future hardening for FS protection.
+# ProtectSystem=full
+# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
+
+RestrictSUIDSGID=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/start b/start
new file mode 100644
index 0000000..8233a7c
--- /dev/null
+++ b/start
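Review bot: The `## Future hardening for FS protection.` comment in slapd.service does not record what blocks enabling `ProtectSystem=full`, and the drafted `ReadWritePaths=` would not cover everything the `ExecStart` wrapper touches. The `start` script added in this same patch runs `chgrp`/`chmod` on /etc/openldap/slapd.conf, /etc/sasl2/slapd.conf and the Kerberos keytab with `2>/dev/null`, so with /etc read-only those permission fixes would fail without any log line. I would extend the comment to say so, for example `# Blocked: /usr/lib/openldap/start still chgrp's files under /etc outside slapd.d; add them to ReadWritePaths or move that step out of ExecStart first.` Because no `User=` is set, the wrapper runs as root until slapd is handed `-u`/`-g`, which is why the filesystem restriction is worth finishing rather than leaving as an open note.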
@@ -0,0 +1,174 @@ +#! /bin/bash +# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany. +# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany. +# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# +# Author: Carsten Hoeger +# Ralf Haferkamp +# + +test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap + +SLAPD_BIN=/usr/sbin/slapd +LDAP_URLS="" +LDAPS_URLS="" +LDAPI_URLS="" +SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d" +SLAPD_PID_DIR="/var/run/slapd/" + +test -x $SLAPD_BIN || exit 5 + +function init_ldap_listener_urls(){ + case "$OPENLDAP_START_LDAP" in + [Yy][Ee][Ss]) + if [ -n "$OPENLDAP_LDAP_INTERFACES" ] + then + for iface in $OPENLDAP_LDAP_INTERFACES ;do + LDAP_URLS="$LDAP_URLS ldap://$iface" + done + else + LDAP_URLS="ldap:///" + fi + ;; + esac +} + +function init_ldapi_listener_urls(){ + case "$OPENLDAP_START_LDAPI" in + [Yy][Ee][Ss]) + if [ -n "$OPENLDAP_LDAPI_INTERFACES" ] + then + for iface in $OPENLDAP_LDAPI_INTERFACES ;do + esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g` + LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface" + done + else + LDAPI_URLS="ldapi:///" + fi + ;; + esac +} + +function init_ldaps_listener_urls(){ + case "$OPENLDAP_START_LDAPS" in + [Yy][Ee][Ss]) + if [ -n "$OPENLDAP_LDAPS_INTERFACES" ] + then + for iface in $OPENLDAP_LDAPS_INTERFACES ;do + LDAPS_URLS="$LDAPS_URLS ldaps://$iface" + done + else + LDAPS_URLS="ldaps:///" + fi + ;; + esac +} + +function check_connection(){ + SLAPD_TIMEOUT=10 + START=$( date +%s) + while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do + ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null + LDAPSEARCH_RC=$? 
+ if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break + else sleep 1 + fi + done +} + +depth=0; + +function chown_database_dirs_bconfig() { + ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}') + for dir in $(realpath ${ldapdir}); do + if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then + [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ + chown -h -R $OPENLDAP_USER $dir 2>/dev/null + [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ + chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null + else + echo "Skipping chown -h of external directory for security reasons. You must manually run:" + echo "# chown -h -R $OPENLDAP_USER $dir" + echo "# chgrp -h -R $OPENLDAP_GROUP $dir" + fi + done +} + +function chown_database_dirs() { + ldapdir=`grep ^directory $1 | awk '{print $2}'` + for dir in $ldapdir; do + [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ + chown -h -R $OPENLDAP_USER $dir 2>/dev/null + [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ + chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null + done + includes=`grep ^include $1 | awk '{print $2}'` + if [ $depth -le 50 ]; then + depth=$(( $depth + 1 )); + for i in $includes; do + chown_database_dirs "$i" ; + done + fi +} + +USER_CMD="" +GROUP_CMD="" +[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER" +[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP" +[ ! 
"x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf" + + +# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set +if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then + if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then + if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then + chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null + chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null + chown_database_dirs_bconfig "/etc/openldap/slapd.d" + # assume back-config usage if slapd.conf is not present but slapd.d is + elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then + chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null + chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null + chown_database_dirs_bconfig "/etc/openldap/slapd.d" + else + chown_database_dirs "/etc/openldap/slapd.conf" + chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null + fi + if test -f /etc/sasl2/slapd.conf ; then + chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null + chmod 640 /etc/sasl2/slapd.conf 2>/dev/null + fi + if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then + keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/} + if test -f $keytabfile ; then + chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null + chmod g+r $keytabfile 2>/dev/null + fi + fi + fi +fi +if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then + export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB +fi +case "$OPENLDAP_REGISTER_SLP" in + [Yy][Ee][Ss]) + SLAPD_SLP_REG="-o slp=on" + ;; + *) + SLAPD_SLP_REG="-o slp=off" + ;; +esac + +init_ldap_listener_urls +init_ldapi_listener_urls +init_ldaps_listener_urls + +if [ ! -d $SLAPD_PID_DIR ]; then + mkdir -p $SLAPD_PID_DIR + chown -h ldap:ldap $SLAPD_PID_DIR +fi +echo -n "Starting ldap-server" +exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \ + $SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \ + $OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG + 
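Review bot: `chown_database_dirs()` in start (the slapd.conf code path) recursively chowns every `directory` value it finds, as root, without the `realpath` resolution and `/var/lib/ldap` prefix check that `chown_database_dirs_bconfig()` applies just above it, so the two configuration backends enforce different policies. If the confinement is meant for both, the loop should resolve and check each path the same way and quote `$dir`; a sketch follows. sysconfig.openldap in this patch defaults to `OPENLDAP_CONFIG_BACKEND="files"`, so the unconfined path is the one a default install runs. Separately, in the `elif` branch `-a /etc/openldap/slapd.d` is a bare string test that is always true and presumably should read `-a -d /etc/openldap/slapd.d`.

```shell
function chown_database_dirs() {
    ldapdir=`grep ^directory $1 | awk '{print $2}'`
    for dir in $ldapdir; do
        # Resolve symlinks first so the prefix check sees the real target.
        dir=$(realpath -- "$dir") || continue
        if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
            [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
                chown -h -R "$OPENLDAP_USER" "$dir" 2>/dev/null
            [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
                chgrp -h -R "$OPENLDAP_GROUP" "$dir" 2>/dev/null
        else
            echo "Skipping chown -h of external directory for security reasons: $dir" >&2
        fi
    done
    # … unchanged: depth-limited recursion into include files …
}
```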
diff --git a/sysconfig.openldap b/sysconfig.openldap
new file mode 100644
index 0000000..2003387
--- /dev/null
+++ b/sysconfig.openldap
@@ -0,0 +1,158 @@ +## Path: Network/LDAP +## Description: Basic Configuration of the OpenLDAP Directory Server + +## Type: yesno +## Default: yes +## ServiceRestart: ldap +# +# If set to "no" the LDAP server will not accept any "normal" LDAP connections +# but just connections over "ldaps" or "ldapi". Setting this to "no" does only +# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set +# "yes". +# +OPENLDAP_START_LDAP="yes" + +## Type: yesno +## Default: no +## ServiceRestart: ldap +# +# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't +# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options +# to the /etc/openldap/slapd.conf (man slapd.conf). +# Note: Don't confuse this with "START_TLS", the preferred method for +# making encrypted LDAP connections, which is enabled as soon as You +# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config +# file +# +OPENLDAP_START_LDAPS="no" + +## Type: yesno +## Default: no +## ServiceRestart: ldap +# +# If set to "yes", "ldap over IPC" feature of slapd will be enabled. +# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi. +# Default: no +# +OPENLDAP_START_LDAPI="yes" + +## Type: string +## Default: "" +## ServiceRestart: ldap +# +# If not empty, additional parameters for slapd daemon. +# Default: "" +# +OPENLDAP_SLAPD_PARAMS="" + +## Type: string +## Default: ldap +## ServiceRestart: ldap +# +# specifies a user, as which the openldap server should be executed +# Default: ldap +# +OPENLDAP_USER="ldap" + +## Type: string +## Default: ldap +## ServiceRestart: ldap +# +# specifies a group, as which the openldap server should be executed +# Default: ldap +# +OPENLDAP_GROUP="ldap" + +## Type: yesno +## Default: yes +## ServiceRestart: ldap +# +# If set to "yes" the init scripts will change the owner/group of the +# different backend database directories (e.g. 
/var/lib/ldap) to the +# user/group specified above +# +OPENLDAP_CHOWN_DIRS="yes" + +## Type: string +## Default: "" +## ServiceRestart: ldap +# +# Use this to specify the interfaces that the server such accept +# LDAP connections from. The values are specified in the format +#
:, where address is an IP address and port is the +# portnumber, the daemon should listen to (defaulting to 389). If this +# parameter is empty the server will attach to all interfaces. This +# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to +# "yes" +# Default: "" +# +OPENLDAP_LDAP_INTERFACES="" + +## Type: string +## Default: "" +## ServiceRestart: ldap +# +# Use this to specify the interfaces that the server such accept +# LDAPS connections from. The values are specified in the format +#
:, where address is an IP address and port is the +# portnumber, the daemon should listen to (defaulting to 636). If this +# parameter is empty the server will attach to all interfaces. This +# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to +# "yes" +# Default: "" +# +OPENLDAP_LDAPS_INTERFACES="" + +## Type: string +## Default: "" +## ServiceRestart: ldap +# +# Use this to specify the paths of the Unix Domain Sockets that +# the server should create an accept incoming LDAPI connections +# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI" +# is set to "yes". +# Default: "" +# +OPENLDAP_LDAPI_INTERFACES="" + +## Type: yesno +## Default: "yes" +## ServiceRestart: ldap +# +# If set to "no" the LDAP server will not try itself at a running SLP +# daemon. +# Default: "yes" +# +OPENLDAP_REGISTER_SLP="no" + +## Type: string +## Default: "" +## ServiceRestart: ldap +# +# Set this to the name of the keytab, if you want to use a non-default +# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of +# this file will be changed so that the group OPENLDAP_GROUP has read +# access to the file. +# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab +# Default: "" +# +OPENLDAP_KRB5_KEYTAB="" + +## Type: string +## Default: "files" +## ServiceRestart: ldap +# +# Here you can configure which of the configuration backends you want to +# use. Possible values are "files" for slapd.conf(5) styleconfiguration or +# "ldap" for the slapd-config(5) LDAP based configuration backend. +# +OPENLDAP_CONFIG_BACKEND="files" + +## Type: yesno +## Default: "yes" +## ServiceRestart: ldap +# +# Here you can configure if the slapd shall start with or without memory limit. +# +OPENLDAP_MEMORY_LIMIT="yes" + diff --git a/update-crc.sh b/update-crc.sh new file mode 100644 index 0000000..9718100 --- /dev/null +++ b/update-crc.sh 
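Review bot: Several `## Default:` annotations in sysconfig.openldap disagree with the values actually shipped: `OPENLDAP_START_LDAPI` is documented as `no` but set to `"yes"`, and `OPENLDAP_REGISTER_SLP` is documented as `"yes"` but set to `"no"`. Both settings change what the daemon exposes (a local socket, SLP registration), so an admin auditing the file from its comments gets the wrong picture; the annotations should match the values, e.g. `## Default: yes` above `OPENLDAP_START_LDAPI`. `OPENLDAP_MEMORY_LIMIT` is also defined here but is not read by the `start` script in this patch, so it appears to have no effect unless something outside the patch consumes it, and a comment saying which component honours it would help.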
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+
+do_update_crc () {
+ if [ -z ${1} ]; then
+ echo "Invalid call to do_update_crc() - no filename provided"
+ exit 1
+ fi
+
+ tgt_ldif=$1
+
+ if [ ! -f "${tgt_ldif}" ]; then
+ echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
+ exit 1
+ fi
+
+ rm -f "${tgt_ldif}.crcbak"
+ mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
+
+ /usr/bin/awk '
+BEGIN {
+ # CRC-32 ZIP polynomial in reversed bit order.
+ POLY = 0xedb88320
+
+ # 8-bit character -> ordinal table.
+ for (i = 0; i < 256; i++)
+ ORD[sprintf("%c", i)] = i
+}
+
+{
+ # Remember each input line.
+ input[NR] = $0
+
+ # Verify the file header.
+ if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
+ exit 1
+ if (NR == 2 && $0 !~ /# CRC32 ......../)
+ exit 1
+}
+
+# Calculate CRC-32.
+function crc32(crc, string, i, j, c) {
+ crc = and(compl(crc), 0xffffffff)
+ for (i = 1; i <= length(string); i++) {
+ c = substr(string, i, 1)
+ crc = xor(crc, ORD[c])
+ for (j = 0; j < 8; j++)
+ crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
+ }
+ crc = and(compl(crc), 0xffffffff)
+ return crc
+}
+
+END {
+ # Calculate CRC-32 of the file and update it in the header.
+ crc = 0
+ for (i = 3; i <= length(input); i++)
+ crc = crc32(crc, input[i] "\n")
+ input[2] = "# CRC32 " sprintf("%08x", crc)
+
+ # Print the output.
+ for (i = 1; i <= length(input); i++)
+ print input[i]
+}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
+
+}
+
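Review bot: `do_update_crc()` in update-crc.sh moves the original LDIF aside and redirects awk straight into the target, so a failed header check leaves a damaged file in slapd.d: in awk an `exit 1` inside the main rule still runs the `END` block, which then writes out only the first line followed by a `# CRC32 00000000` line. The awk exit status is never checked and the `.crcbak` copy is not restored. The recreated file also takes its mode and owner from the calling process instead of from the original, which matters for config LDIFs that can hold credentials. I would write to a temporary file, check the status, copy mode and owner across, and only then replace the target; inside the awk program set a flag before each `exit 1` and open `END` with `if (bad) exit 1`.

```shell
    # … unchanged: argument and file-existence checks …
    tmp_ldif=$(mktemp "${tgt_ldif}.XXXXXX") || exit 1
    cp -p "${tgt_ldif}" "${tgt_ldif}.crcbak"

    # … unchanged: the awk program, now reading "${tgt_ldif}" and writing "${tmp_ldif}" …
    if [ $? -ne 0 ]; then
        rm -f "${tmp_ldif}"
        echo "do_update_crc() - ${tgt_ldif} failed the header check, left untouched" >&2
        exit 1
    fi
    chown --reference="${tgt_ldif}" "${tmp_ldif}"
    chmod --reference="${tgt_ldif}" "${tmp_ldif}"
    mv "${tmp_ldif}" "${tgt_ldif}"
```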