Sync from SUSE:SLFO:Main openldap2 revision 797c98628f627d4fef10264beba567c3

This commit is contained in:
Adrian Schröter 2024-05-03 17:29:47 +02:00
commit e860a18861
28 changed files with 5433 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

View File

@ -0,0 +1,12 @@
diff -ur openldap-2.6.2.orig/include/ldap_defaults.h openldap-2.6.2/include/ldap_defaults.h
--- openldap-2.6.2.orig/include/ldap_defaults.h 2022-05-04 16:55:23.000000000 +0200
+++ openldap-2.6.2/include/ldap_defaults.h 2022-05-23 12:55:05.059335200 +0200
@@ -40,7 +40,7 @@
/* default ldapi:// socket */
#ifndef LDAPI_SOCK
-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
#endif
/*

101
0005-pie-compile.dif Normal file
View File

@ -0,0 +1,101 @@
From 60edf86023da15db7be5935c85826e16d2b78648 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Fri, 12 Nov 2010 09:39:11 +0100
Subject: pie compile
diff --git a/build/top.mk b/build/top.mk
index 38ce146d7..d7fee4ec2 100644
--- a/build/top.mk
+++ b/build/top.mk
@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@
LTSTATIC = @LTSTATIC@
LTLINK = $(LIBTOOL) --mode=link \
- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
+ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS)
LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
# Our Defaults
CC = $(AC_CC)
DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
-CFLAGS = $(AC_CFLAGS) $(DEFS)
+CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
index 71400ca1b..6427165c6 100644
--- a/servers/slapd/back-ldap/Makefile.in
+++ b/servers/slapd/back-ldap/Makefile.in
@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldap"
BUILD_MOD = @BUILD_LDAP@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
index 225c8dd19..2f07c067b 100644
--- a/servers/slapd/back-ldif/Makefile.in
+++ b/servers/slapd/back-ldif/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldif"
BUILD_MOD = yes
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
index 6d64824da..9bbf8747d 100644
--- a/servers/slapd/back-mdb/Makefile.in
+++ b/servers/slapd/back-mdb/Makefile.in
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
BUILD_OPT = "--enable-mdb"
BUILD_MOD = @BUILD_MDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MDB@_DEFS)
MOD_LIBS = $(MDB_LIBS)
diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
index 200a1c65c..6b2afffb9 100644
--- a/servers/slapd/back-monitor/Makefile.in
+++ b/servers/slapd/back-monitor/Makefile.in
@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-monitor"
BUILD_MOD = yes
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
index 71d74a171..60b44afd8 100644
--- a/servers/slapd/back-relay/Makefile.in
+++ b/servers/slapd/back-relay/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-relay"
BUILD_MOD = @BUILD_RELAY@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_RELAY@_DEFS)

View File

@ -0,0 +1,26 @@
From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo@gmail.com>
Date: Fri, 13 Mar 2015 16:14:10 +0100
Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
are created for internal use only.
---
servers/slapd/back-monitor/conn.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
index 4d327f243..c4d3c6237 100644
--- a/servers/slapd/back-monitor/conn.c
+++ b/servers/slapd/back-monitor/conn.c
@@ -456,6 +456,11 @@ monitor_subsys_conn_create(
c != NULL;
c = connection_next( c, &connindex ) )
{
+ /* Connection 0 is created by connection_client_setup for internal use only */
+ if (c->c_connid == 0) {
+ continue;
+ }
+
monitor_entry_t *mp;
/* ignore outbound for now, nothing to show */

View File

@ -0,0 +1,16 @@
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 6bdf3151d..56212151b 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -4692,6 +4692,11 @@ mdb_env_close0(MDB_env *env, int excl)
if (env->me_flags & MDB_ENV_TXKEY) {
pthread_key_delete(env->me_txkey);
+
+ // No need to call desctructor anymore, as all pid
+ // values are cleared below.
+ env->me_txkey = NULL;
+
#ifdef _WIN32
/* Delete our key from the global list */
for (i=0; i<mdb_tls_nkeys; i++)

25
README.module-loading Normal file
View File

@ -0,0 +1,25 @@
All of the OpenLDAP backends (except back-config) and overlays are now
compiled as dynamic modules in our packages. If you want to use any of
these in your setup make sure to put the correct "olcModuleLoad" or
"moduleload" statements in your configuration.
For details please see the slapd-config(5) and slapd.conf(5) manpages
(depending on which config mechanism you use).
For a list of the included dynamic modules list all modules files:
ls /usr/lib*/openldap/*.so
Or just the backend files:
ls /usr/lib*/openldap/back_*.so
Documentations for the overlays can be found in the respective man pages or
the OpenLDAP Administration Guide which is part of the "openldap2-doc"
package.
Backend man-pages:
man 5 slapo-<back_name>
Overlays man-pages:
man 5 slapo-<name>

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<package>contrib</package>
</multibuild>

BIN
addonschema.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

6
baselibs.conf Normal file
View File

@ -0,0 +1,6 @@
libldap2
provides "openldap2-client-<targettype> = <version>"
obsoletes "openldap2-client-<targettype> <= <version>"
openldap2-devel
requires -openldap2-<targettype>
requires "libldap2-<targettype> = <version>"

42
fixup-modulepath.sh Normal file
View File

@ -0,0 +1,42 @@
#!/bin/bash
source /usr/lib/openldap/update-crc
conf_dir='/etc/openldap/slapd.d'
tgt_ldif="${conf_dir}/cn=config.ldif"
if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
then
exit 0
fi
# Make sure slapd.service is not running.
slapd_running=1
# Don't check if no systemd, we could be in a container.
if [ -f "/usr/bin/systemctl" ]; then
/usr/bin/systemctl is-active --quiet slapd.service
slapd_running=$?
fi
if [ $slapd_running -eq 0 ]; then
echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
exit 1
fi
# Remove the module path.
sed -n -i '/olcModulePath/!p' ${tgt_ldif}
res=$?
if [ $res -ne 0 ]
then
echo "Failed to remove olcModulePath in ${tgt_ldif}"
exit 1
else
do_update_crc ${tgt_ldif}
echo "Updated crc of ${tgt_ldif}"
fi

2
ldap-user.conf Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
u ldap - "User for OpenLDAP" /var/lib/ldap

BIN
openldap-2.6.4.tgz (Stored with Git LFS) Normal file

Binary file not shown.

16
openldap-2.6.4.tgz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmPkFcsACgkQf2fV/Rzh
y84clA/8C30COyp5lKWvqiBIVjQHe8ZSLEWML8j6g7IbYcHm7uLIqADjzlaE0MCI
YV2SfDFjom+OUFkQmzGNmYeyjpBV5yK5n5js0M1zSF2OPoapNoSZtnv0yXIUZ/Ee
M1njsiMYuYWX0KWg4tYVbdLSm2iWH1d5zbGgyAecSQCFHZ/nQnZo+OWbRel06dCz
ewkANAlUIIrsGEkKjKUetFOOuJiwb8r8KeXpYVijig7f/csoo7H78i4Pdmi3QzJ5
D/TMHKx64ljes1n6ZHtm55lbkiuJTw3t4XnK9NhsKwr9zNlq+qI3ggJyK6xOQiQq
05IjPMVp8kV1u117Xb9SlRwlfR/00jPwTdepuAK9OyxVS3CclS8Gh6Lm8ztwwTee
C+eqwGhZNH7/twfq3TUHfWUl4LyclX02zxvljo3lcb3JIA7JWp8coi2EEeofOIlf
oXKdyR4zA0Iey8LfBuyRC/smZoggdpzr0jIE5Z5Q97hTt4Rm5U4ZDe2GRfUTR82g
Pz+VdBI/aCKlnDHqH912w4Tg62UeJiPfnLuWuCc7A0MNR2LAe7JKASdEaTb6t51N
uzmxPYOlAixvGcjCg38Sc0877FXE1ss3RUnDyx+mCK2phEsWO69SdL4uz5E9Xdve
0VbfO84pmN/+Gj5FfE93rJzTYjjySj80oANiqBAcA7P21pOttRg=
=UfjX
-----END PGP SIGNATURE-----

3531
openldap2.changes Normal file

File diff suppressed because it is too large Load Diff

2
openldap2.conf Normal file
View File

@ -0,0 +1,2 @@
# openldap needs a directory in /var/lib/:
d /var/lib/ldap 0750 ldap ldap -

BIN
openldap2.keyring Normal file

Binary file not shown.

609
openldap2.spec Normal file
View File

@ -0,0 +1,609 @@
#
# spec file
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define run_test_suite 0
%define slapdrundir %{_rundir}/slapd
%define flavor @BUILD_FLAVOR@%{nil}
%if "%flavor" == "contrib"
%define name_suffix -%{flavor}-src
%else
%define name_suffix %{nil}
%endif
Name: openldap2%{name_suffix}
Summary: An open source implementation of the Lightweight Directory Access Protocol
License: OLDAP-2.8
Group: Productivity/Networking/LDAP/Servers
Version: 2.6.4
Release: 0
URL: https://www.openldap.org
Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz.asc
Source2: openldap2.keyring
Source4: sasl-slapd.conf
Source5: README.module-loading
Source6: schema2ldif
Source7: baselibs.conf
Source9: addonschema.tar.gz
Source12: slapd.conf.example
Source13: start
Source14: slapd.service
Source16: sysconfig.openldap
Source18: openldap2.conf
Source19: ldap-user.conf
Source20: fixup-modulepath.sh
Source21: slapd-ldif-update-crc.sh
Source22: update-crc.sh
Source23: slapd.conf
Source24: slapd.conf.olctemplate
Patch1: reproducible.patch
Patch3: 0003-LDAPI-socket-location.dif
Patch5: 0005-pie-compile.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: argon2-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: db-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libtool
%if 0%{?suse_version} < 1600
BuildRequires: openslp-devel
%endif
BuildRequires: sysuser-tools
BuildRequires: unixODBC-devel
# avoid cycle with krb5
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(systemd)
%if "%flavor" == "contrib"
BuildRequires: gcc-c++
BuildRequires: openldap2-devel
%endif
%if %{suse_version} < 1500
%{?systemd_requires}
%endif
Requires: /usr/bin/awk
Requires: libldap2 = %{version}
Recommends: cyrus-sasl
Conflicts: openldap
PreReq: %fillup_prereq
%sysusers_requires
%description
OpenLDAP is a client and server reference implementation of the
Lightweight Directory Access Protocol v3 (LDAPv3).
The server provides several database backends and overlays.
%package back-perl
Summary: OpenLDAP Perl Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Requires: perl = %{perl_version}
%description back-perl
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package back-sock
Summary: OpenLDAP Socket Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
%description back-sock
The OpenLDAP socket back-end allows you to handle LDAP requests and
results with an external process listening on a Unix domain socket.
%package back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
%description back-meta
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory
Information Tree (DIT).
%package back-sql
Summary: OpenLDAP SQL Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
%description back-sql
The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n libldap-data
Summary: Configuration file for system-wide defaults for all uses of libldap
Group: Productivity/Networking/LDAP/Clients
BuildArch: noarch
%description -n libldap-data
The subpackage contains a configuration file used to set system-wide defaults
to be applied with all usages of libldap.
%package contrib
Summary: OpenLDAP Contrib Modules
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
%description contrib
Various overlays found in contrib/:
addpartial Intercepts ADD requests, applies changes to existing entries
allop
allowed Generates attributes indicating access rights
autogroup
authzid implements RFC 3829 support
cloak
datamorph store enumerated values and fixed size integers
denyop
lastbind writes last bind timestamp to entry
noopsrch handles no-op search control
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
trace traces overlay invocation
variant allows attributes/values to be shared between several entries
vc implements the verify credentials extended operation
%package doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
BuildArch: noarch
%description doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
%package client
Summary: OpenLDAP client utilities
Group: Productivity/Networking/LDAP/Clients
Requires: libldap2 = %{version}
%description client
OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
%package devel
Summary: Libraries, Header Files and Documentation for OpenLDAP
# bug437293
Group: Development/Libraries/C and C++
%ifarch ppc64
Obsoletes: openldap2-devel-64bit
%endif
#
Conflicts: openldap-devel
Requires: libldap2 = %{version}
Recommends: cyrus-sasl-devel
%description devel
This package provides the OpenLDAP libraries, header files, and
documentation.
%package devel-static
Summary: Static libraries for the OpenLDAP libraries
Group: Development/Libraries/C and C++
Requires: cyrus-sasl-devel
Requires: libopenssl-devel
Requires: openldap2-devel = %version
%description devel-static
This package provides the static versions of the OpenLDAP libraries
for development.
%package -n libldap2
Summary: OpenLDAP Client Libraries
Group: Productivity/Networking/LDAP/Clients
Recommends: libldap-data >= %{version}
%description -n libldap2
This package contains the OpenLDAP client libraries.
%package -n libldapcpp-devel
Summary: C++ wrapper around openLDAP API
Group: Development/Libraries/C and C++
Requires: libldapcpp0 = %{version}
Requires: openldap2-devel
%description -n libldapcpp-devel
This package contains files needed for development with the LDAP C++
library.
%package -n libldapcpp0
Summary: C++ wrapper around openLDAP API
Group: Development/Libraries/C and C++
Provides: ldapcpplib = %{version}
Obsoletes: ldapcpplib <= 0.0.5
%description -n libldapcpp0
This package provides a C++ library for accessing LDAP (Version 3)
Servers
%prep
%setup -q -a 9 -n openldap-%{version}
%patch1 -p1
%patch3 -p1
%patch5 -p1
%patch8 -p1
%patch16 -p1
cp %{SOURCE5} .
%build
%if "%flavor" == "contrib"
cd contrib/ldapc++
%configure --disable-static
%make_build
%else
%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS"
export STRIP=""
./configure \
--prefix=/usr \
--sysconfdir=%{_sysconfdir} \
--libdir=%{_libdir} \
--libexecdir=%{_libdir} \
--localstatedir=%{slapdrundir} \
--enable-wrappers=no \
--enable-spasswd \
--enable-modules \
--enable-shared \
--enable-dynamic \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
--enable-dynacl \
--enable-aci \
--enable-ldap=mod \
--enable-meta=mod \
--enable-perl=mod \
--enable-sock=mod \
--enable-sql=mod \
--enable-mdb=mod \
--enable-relay=mod \
%if 0%{?suse_version} < 1600
--enable-slp \
%endif
--enable-overlays=mod \
--enable-syncprov=mod \
--enable-ppolicy=mod \
--with-yielding-select \
--with-argon2=libargon2 \
|| cat config.log
make depend
%make_build
# Build selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
# Create ldap user
%sysusers_generate_pre %{SOURCE19} ldap
%endif
%check
%if %run_test_suite
# calculate the base port to be use in the test-suite
SLAPD_BASEPORT=10000
if [ -f /.buildenv ] ; then
. /.buildenv
SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
fi
export SLAPD_BASEPORT
%ifnarch %arm alpha
rm -f tests/scripts/test019-syncreplication-cascade
rm -f tests/scripts/test022-ppolicy
rm -f tests/scripts/test023-refint
rm -f tests/scripts/test033-glue-syncrepl
#rm -f tests/scripts/test036-meta-concurrency
#rm -f tests/scripts/test039-glue-ldap-concurrency
rm -f tests/scripts/test043-delta-syncrepl
#rm -f tests/scripts/test045-syncreplication-proxied
rm -f tests/scripts/test048-syncrepl-multiproxy
rm -f tests/scripts/test050-syncrepl-multimaster
rm -f tests/scripts/test058-syncrepl-asymmetric
make SLAPD_DEBUG=0 test
%endif
%endif
%install
%if "%flavor" == "contrib"
cd contrib/ldapc++
%make_install
%else
mkdir -p %{buildroot}%{_libdir}/openldap
mkdir -p %{buildroot}/usr/lib/openldap
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_unitdir}
make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
# Additional symbolic link to slapd executable in /usr/sbin/
ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd
# Install selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup authzid datamorph lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace variant vc
do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d
mkdir -p %{buildroot}%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d %{buildroot}/var/lib/ldap
chmod a+x %{buildroot}%{_libdir}/liblber.so*
chmod a+x %{buildroot}%{_libdir}/libldap.so*
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
mkdir -p %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap
install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 *.schema %{buildroot}%{_sysconfdir}/openldap/schema
# Install default and sample configuration files
install -m 644 %{SOURCE23} %{buildroot}%{_sysconfdir}/openldap
install -m 644 %{SOURCE24} %{buildroot}%{_sysconfdir}/openldap
install -m 644 %{SOURCE12} %{buildroot}%{_sysconfdir}/openldap
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
rm -rf doc/guide/release
%define DOCDIR %{_defaultdocdir}/%{name}
# Install default database optimisation
install -d %{buildroot}%{DOCDIR}/adminguide \
%{buildroot}%{DOCDIR}/images \
%{buildroot}%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images
install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts
install -m 644 ANNOUNCEMENT \
COPYRIGHT \
README \
CHANGES \
%{SOURCE5} \
%{buildroot}%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
%{buildroot}%{DOCDIR}/slapd.ldif.default
rm -f %{buildroot}/etc/openldap/schema/README
rm -f %{buildroot}/etc/openldap/slapd.ldif*
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
rm -f %{buildroot}%{_libdir}/openldap/*.a
rm -f %{buildroot}/usr/share/man/man5/slapd-dnssrv.5
rm -f %{buildroot}/usr/share/man/man5/slapd-ndb.5
rm -f %{buildroot}/usr/share/man/man5/slapd-null.5
rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5
rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
# Keep .la files for modules in the openldap subdirectory, which are consumed
# in this form.
rm -f %{buildroot}%{_libdir}/*.la
# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5.
ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%endif
%pre -f ldap.pre
%service_add_pre slapd.service
%post
%{fillup_only -n openldap ldap}
%tmpfiles_create %{name}.conf
%service_add_post slapd.service
%post -n libldap2 -p /sbin/ldconfig
%postun -n libldap2 -p /sbin/ldconfig
%preun
%service_del_preun slapd.service
%postun
%service_del_postun slapd.service
%if "%flavor" == "contrib"
%files -n libldapcpp-devel
%doc contrib/ldapc++/README
%_includedir/*.h
%_libdir/libldapcpp.la
%_libdir/libldapcpp.so
%files -n libldapcpp0
%_libdir/libldapcpp.so.0
%_libdir/libldapcpp.so.0.0.0
%else
%files
%config %{_sysconfdir}/openldap/schema/*.schema
%config %{_sysconfdir}/openldap/schema/*.ldif
%config(noreplace) /etc/sasl2/slapd.conf
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.olctemplate
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.default
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.example
%dir %{_libdir}/openldap
%dir /usr/lib/openldap
%dir %{_sysconfdir}/sasl2
%dir %{_sysconfdir}/openldap
%dir %attr(0770, ldap, ldap) %{_sysconfdir}/openldap/slapd.d
%dir %{_sysconfdir}/openldap/schema
%{_fillupdir}/sysconfig.openldap
%{_sbindir}/slap*
%{_sbindir}/rcslapd
%{_libdir}/openldap/back_ldap*
%{_libdir}/openldap/back_mdb*
%{_libdir}/openldap/back_relay*
%{_libdir}/openldap/accesslog*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/autoca*
%{_libdir}/openldap/collect*
%{_libdir}/openldap/constraint*
%{_libdir}/openldap/dds*
%{_libdir}/openldap/deref*
%{_libdir}/openldap/dyngroup*
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/homedir*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/otp*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
%{_libdir}/openldap/remoteauth*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod*
%{_libdir}/openldap/sssvlv*
%{_libdir}/openldap/syncprov*
%{_libdir}/openldap/translucent*
%{_libdir}/openldap/unique*
%{_libdir}/openldap/valsort*
%{_libdir}/slapd
/usr/lib/openldap/start
/usr/lib/openldap/update-crc
/usr/lib/openldap/fixup-modulepath
%{_unitdir}/slapd.service
%{_tmpfilesdir}/%{name}.conf
%{_sysusersdir}/ldap-user.conf
%dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
%ghost %attr(0750, ldap, ldap) %{slapdrundir}
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man8/lloadd.*
%doc %{_mandir}/man5/lloadd.conf.*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-asyncmeta.*
%doc %{_mandir}/man5/slapd-config.*
%doc %{_mandir}/man5/slapd-ldap.*
%doc %{_mandir}/man5/slapd-ldif.*
%doc %{_mandir}/man5/slapd-mdb.*
%doc %{_mandir}/man5/slapd-monitor.*
%doc %{_mandir}/man5/slapd-pw-*
%doc %{_mandir}/man5/slapd-relay.*
%doc %{_mandir}/man5/slapd-wt.*
%doc %{_mandir}/man5/slapo-*
%doc %{_mandir}/man5/slappw-argon2.*
%dir %{DOCDIR}
%doc %{DOCDIR}/ANNOUNCEMENT
%doc %{DOCDIR}/COPYRIGHT
%license LICENSE
%doc %{DOCDIR}/README*
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
%files back-perl
%{_libdir}/openldap/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
%files back-sock
%{_libdir}/openldap/back_sock*
%doc %{_mandir}/man5/slapd-sock.*
%files back-meta
%{_libdir}/openldap/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
%files back-sql
%{_libdir}/openldap/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
%doc servers/slapd/back-sql/examples
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
%files -n libldap-data
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%doc %{_mandir}/man5/ldap.conf*
%{_sysconfdir}/openldap/ldap.conf.default
%files doc
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
%doc %{DOCDIR}/adminguide
%doc %{DOCDIR}/images
%files contrib
%{_libdir}/openldap/addpartial.*
%{_libdir}/openldap/allop.*
%{_libdir}/openldap/allowed.*
%{_libdir}/openldap/authzid.*
%{_libdir}/openldap/autogroup.*
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/datamorph.*
%{_libdir}/openldap/denyop.*
%{_libdir}/openldap/lastbind.*
%{_libdir}/openldap/noopsrch.*
%{_libdir}/openldap/pw-pbkdf2.*
%{_libdir}/openldap/pw-sha2.*
%{_libdir}/openldap/smbk5pwd.*
%{_libdir}/openldap/trace.*
%{_libdir}/openldap/variant.*
%{_libdir}/openldap/vc.*
%files client
%doc %{_mandir}/man1/ldap*
%doc %{_mandir}/man5/ldif.*
%dir /etc/openldap
/usr/sbin/schema2ldif
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldapsearch
/usr/bin/ldappasswd
/usr/bin/ldapurl
/usr/bin/ldapvc
/usr/bin/ldapwhoami
%files -n libldap2
%{_libdir}/liblber.so.*
%{_libdir}/libldap.so.*
%files devel
%doc %{_mandir}/man3/ber*
%doc %{_mandir}/man3/lber*
%doc %{_mandir}/man3/ld_errno*
%doc %{_mandir}/man3/ldap*
%{_includedir}/*.h
%{_libdir}/liblber.so
%{_libdir}/libldap*.so
%{_libdir}/pkgconfig/*.pc
%files devel-static
%_libdir/liblber.a
%_libdir/libldap*.a
%endif # !flavor:contrib
%changelog

13
reproducible.patch Normal file
View File

@ -0,0 +1,13 @@
Index: openldap-2.6.3/build/mkversion
===================================================================
--- openldap-2.6.3.orig/build/mkversion
+++ openldap-2.6.3/build/mkversion
@@ -77,7 +77,7 @@ static const char copyright[] =
"COPYING RESTRICTIONS APPLY\n";
$static $const char $SYMBOL[] =
-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
+"@(#) \$$PACKAGE: $APPLICATION $VERSION \$\n"
"\t$WHOWHERE\n";
__EOF__

1
sasl-slapd.conf Normal file
View File

@ -0,0 +1 @@
mech_list: gssapi digest-md5 cram-md5 external

53
schema2ldif Normal file
View File

@ -0,0 +1,53 @@
#!/bin/bash
#
# This is a simple tool to convert OpenLDAP Schema files to
# LDIF suitable for usage with OpenLDAP's dynamic configuration
# backend (cn=config)
#
# usage:
# schema2ldif <input file>
#
# The generated LDIF is printed to stdout.
#
if [ -z "$1" ]; then
echo 'usage: schema2ldif <input file>'
exit;
fi
cn=`basename $1 .schema`
echo "dn: cn=$cn,cn=schema,cn=config";
echo "objectclass: olcSchemaConfig";
echo "cn: $cn";
/usr/bin/awk '
BEGIN {
buffer = "";
width=78 ;
}
function wrap(data)
{
if (length(data) > 0) {
do {
print substr(data,0,width);
data = " " substr(data, width+1);
}
while (length(data) > 1 )
};
}
/^[\t ]*$/ {wrap(buffer); buffer=""; print "#"; next; }
/^#.*$/ { wrap(buffer); buffer=""; print $0; next }
/^[\t ]+/ { gsub("^[\t ]+",""); buffer = buffer " " $0; next; }
{
wrap(buffer);
$1 = tolower($1) ;
gsub("^objectclass$","olcObjectclasses:",$1)
gsub("^attributetype$","olcAttributeTypes:",$1)
gsub("^attributetypes$","olcAttributeTypes:",$1)
gsub("^objectidentifier$","olcObjectIdentifier:",$1)
buffer = $0;
}
END { wrap(buffer); print "" }
' "$@"

33
slapd-ldif-update-crc.sh Normal file
View File

@ -0,0 +1,33 @@
#!/bin/bash
# Script to fix the crc of openldap slapd.d ldifs.
source /usr/lib/openldap/update-crc
if [ -z ${1} ]; then
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
exit 1
fi
if [ ! -f "${1}" ]; then
echo "File ${1} does not exist?"
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
exit 1
fi
# Make sure slapd.service is not running.
slapd_running=1
# Don't check if no systemd, we could be in a container.
if [ -f "/usr/bin/systemctl" ]; then
/usr/bin/systemctl is-active --quiet slapd.service
slapd_running=$?
fi
if [ $slapd_running -eq 0 ]; then
echo "Unable to update crc of '${1}' while slapd.service is running ..."
exit 1
fi
do_update_crc ${1}
echo "Updated crc of ${1}"

86
slapd.conf Normal file
View File

@ -0,0 +1,86 @@
# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
#
# OpenLDAP daemon (slapd.service) supports two configuration styles:
# - Simple configuration with this file
# - Online configuration (OLC)
#
# You may choose the configuration style by setting it in:
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
# If the value is set to "files", this configuration file will be used.
# If the value is set to "ldap", this configuration file will be entirely ignored, and
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
#
# If you decide to use online configuration, please read the additional instructions in:
# /etc/openldap/slapd.conf.olctemplate
#
# Feel free to customise this file according to your needs, and start OpenLDAP
# server daemon by executing:
# systemctl start slapd.service
#
# To verify that LDAP service is running properly, try the following command:
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
#
# See slapd.conf(5) for details on configuration options.
# See /etc/openldap/slapd.conf.example for more examples.
# This file should NOT be world readable.
#
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args
# The following schema files are often useful
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
# Load backend modules such as database engines
moduleload back_mdb.la
# Very important: define ACL to authorise client access
# The default settings permit rootdn to read and write, while other users
# may read the entire database or change their own password.
# If no ACL is present, everyone will be allowed to read the database.
# rootdn can always read and write everything.
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
# Define a LDAP database
database mdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Please avoid using clear text for root password
# See slappasswd(8) for instructions on creating a salted+hashed password
rootpw secret
# The database directory must exist prior to the start of OpenLDAP daemon
# The directory should be owned by ldap user and permission 0700 is recommended
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
# write down their paths below, make sure the files are readable by user "ldap".
# The server will then support StartTLS on standard port 389.
# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
#TLSCACertificateFile /my/ca.crt
#TLSCertificateFile /my/tls.crt
#TLSCertificateKeyFile /my/tls.key

354
slapd.conf.example Normal file
View File

@ -0,0 +1,354 @@
############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################
#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------
# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99
# only alter this when you know what you're doing
#threads 4
# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# for more debugging set:
#loglevel config stats stats2
loglevel stats
#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------
# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_bdb
#moduleload back_hdb
moduleload back_mdb
#moduleload back_meta
#moduleload back_sock
# Load additional overlay modules installed by package 'openldap2'
# The following overlay are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort
# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd
#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------
# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema
# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema
# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema
# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema
#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------
# require at least TLS 1.0 and highly secure ciphers
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
# TLS certificate and key files
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------
#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"
#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------
#disallow bind_anon
#require bind LDAPv3 strong
# SSF value for ldapi://
localSSF 256
# minimum required SSF value (security strength factor)
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
security ssf=0
#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------
# Root DSE: allow anyone to read it
access to
dn.base=""
by * read
# Sub schema sub entry: allow anyone to read it
access to
dn.base="cn=Subschema"
by * read
#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
# this maps the attribute uid to a LDAP entry
# if one of the typical password-based SASL mechs was used
authz-regexp
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
"ldap:///dc=example,dc=com??sub?(uid=$1)"
# this maps the attribute uid to a LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
#authz-regexp
# "(.+)"
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to
dn.subtree="cn=config"
by dn.exact="cn=root,dc=example,dc=com" manage
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
by * none
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
rootpw secret
# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db
# Permissions of database files created
mode 0600
# extra information to be available in cn=monitor for this database
monitoring on
# Perform ACL checks on the content of a new entry being added
add_content_acl on
# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600
# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd being stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!
# set always!
index objectClass eq
# for typical address book use
index cn,sn,givenName,mail eq,sub
# for user management
index uid,uidNumber,gidNumber eq
# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq
# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq
# for syncrepl
index entryUUID,entryCSN eq
# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)
# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
by * break
# write-only access to 'userPassword' for user, auth access else
access to
attrs=userPassword
by self =w
by * auth
# 'userPKCS' must only be accessible by self
access to
attrs=userPKCS12
by self write
by * none
# No access to history of passwords
#access to
# attrs=pwdHistory
# by * none
# Catch-all ACL for the rest
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
by self read
by users read
by * auth
# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
#ppolicy_use_lockout
# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy
# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add eq-index for efficient uniqueness check!
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
#overlay syncprov
#mirrormode on
#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
#---------------------------------------------------------------------------
database monitor
access to
dn.subtree="cn=monitor"
by dn.exact="cn=root,dc=example,dc=com" write
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
by users read

46
slapd.conf.olctemplate Normal file
View File

@ -0,0 +1,46 @@
# This file (slapd.conf.olctemplate) is a template for creating the initial
# online configuration for OpenLDAP server daemon.
#
# In order to use online configuration for OpenLDAP server daemon, make sure to set:
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="ldap"
#
# Before starting the OpenLDAP daemon (slapd.conf) with onlne configuration for
# the very first time, you have to prepare the online configuration directory
# from this template file - first, make necessary customisations if you wish, and then
# run:
# cd /etc/openldap && slaptest -f slapd.conf.olctemplate -F slapd.d
#
# Then you may start OpenLDAP daemon:
# systemctl start slapd.service
#
# To verify that LDAP service is running properly, try the following command:
# ldapsearch -x -D cn=admin,cn=config -w secret -b cn=config
#
# See slapd.conf(5) for details on configuration options.
# See /etc/openldap/slapd.conf.example for more examples.
# This file should NOT be world readable.
#
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args
# The following schema files are often useful
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
# Load backend modules such as database engines
# modulepath /usr/lib64/openldap
# moduleload back_mdb.la
# moduleload back_hdb.la
# moduleload back_bdb.la
# Define the config database that holds all online configurations
database config
rootdn "cn=admin,cn=config"
# Please avoid using clear text for root password
# See slappasswd(8) for instructions on creating a salted+hashed password
rootpw secret

28
slapd.service Normal file
View File

@ -0,0 +1,28 @@
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/usr/lib/openldap/start
# Hardening to prevent security escalation.
## Future hardening for FS protection.
# ProtectSystem=full
# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
RestrictSUIDSGID=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target

174
start Normal file
View File

@ -0,0 +1,174 @@
#! /bin/bash
# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# Author: Carsten Hoeger
# Ralf Haferkamp
#
test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
SLAPD_BIN=/usr/sbin/slapd
LDAP_URLS=""
LDAPS_URLS=""
LDAPI_URLS=""
SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
SLAPD_PID_DIR="/var/run/slapd/"
test -x $SLAPD_BIN || exit 5
function init_ldap_listener_urls(){
case "$OPENLDAP_START_LDAP" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
then
for iface in $OPENLDAP_LDAP_INTERFACES ;do
LDAP_URLS="$LDAP_URLS ldap://$iface"
done
else
LDAP_URLS="ldap:///"
fi
;;
esac
}
function init_ldapi_listener_urls(){
case "$OPENLDAP_START_LDAPI" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
then
for iface in $OPENLDAP_LDAPI_INTERFACES ;do
esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
done
else
LDAPI_URLS="ldapi:///"
fi
;;
esac
}
function init_ldaps_listener_urls(){
case "$OPENLDAP_START_LDAPS" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
then
for iface in $OPENLDAP_LDAPS_INTERFACES ;do
LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
done
else
LDAPS_URLS="ldaps:///"
fi
;;
esac
}
function check_connection(){
SLAPD_TIMEOUT=10
START=$( date +%s)
while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
LDAPSEARCH_RC=$?
if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
else sleep 1
fi
done
}
depth=0;
function chown_database_dirs_bconfig() {
ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
for dir in $(realpath ${ldapdir}); do
if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
chown -h -R $OPENLDAP_USER $dir 2>/dev/null
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
else
echo "Skipping chown -h of external directory for security reasons. You must manually run:"
echo "# chown -h -R $OPENLDAP_USER $dir"
echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
fi
done
}
function chown_database_dirs() {
ldapdir=`grep ^directory $1 | awk '{print $2}'`
for dir in $ldapdir; do
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
chown -h -R $OPENLDAP_USER $dir 2>/dev/null
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
done
includes=`grep ^include $1 | awk '{print $2}'`
if [ $depth -le 50 ]; then
depth=$(( $depth + 1 ));
for i in $includes; do
chown_database_dirs "$i" ;
done
fi
}
USER_CMD=""
GROUP_CMD=""
[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
# assume back-config usage if slapd.conf is not present but slapd.d is
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
else
chown_database_dirs "/etc/openldap/slapd.conf"
chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
fi
if test -f /etc/sasl2/slapd.conf ; then
chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
if test -f $keytabfile ; then
chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null
chmod g+r $keytabfile 2>/dev/null
fi
fi
fi
fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
fi
case "$OPENLDAP_REGISTER_SLP" in
[Yy][Ee][Ss])
SLAPD_SLP_REG="-o slp=on"
;;
*)
SLAPD_SLP_REG="-o slp=off"
;;
esac
init_ldap_listener_urls
init_ldapi_listener_urls
init_ldaps_listener_urls
if [ ! -d $SLAPD_PID_DIR ]; then
mkdir -p $SLAPD_PID_DIR
chown -h ldap:ldap $SLAPD_PID_DIR
fi
echo -n "Starting ldap-server"
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
$SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
$OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG

158
sysconfig.openldap Normal file
View File

@ -0,0 +1,158 @@
## Path: Network/LDAP
## Description: Basic Configuration of the OpenLDAP Directory Server
## Type: yesno
## Default: yes
## ServiceRestart: ldap
#
# If set to "no" the LDAP server will not accept any "normal" LDAP connections
# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
# "yes".
#
OPENLDAP_START_LDAP="yes"
## Type: yesno
## Default: no
## ServiceRestart: ldap
#
# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
# to the /etc/openldap/slapd.conf (man slapd.conf).
# Note: Don't confuse this with "START_TLS", the preferred method for
# making encrypted LDAP connections, which is enabled as soon as You
# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
# file
#
OPENLDAP_START_LDAPS="no"
## Type: yesno
## Default: no
## ServiceRestart: ldap
#
# If set to "yes", "ldap over IPC" feature of slapd will be enabled.
# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
# Default: no
#
OPENLDAP_START_LDAPI="yes"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# If not empty, additional parameters for slapd daemon.
# Default: ""
#
OPENLDAP_SLAPD_PARAMS=""
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a user, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_USER="ldap"
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a group, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_GROUP="ldap"
## Type: yesno
## Default: yes
## ServiceRestart: ldap
#
# If set to "yes" the init scripts will change the owner/group of the
# different backend database directories (e.g. /var/lib/ldap) to the
# user/group specified above
#
OPENLDAP_CHOWN_DIRS="yes"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the interfaces that the server such accept
# LDAP connections from. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# portnumber, the daemon should listen to (defaulting to 389). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAP_INTERFACES=""
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the interfaces that the server such accept
# LDAPS connections from. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# portnumber, the daemon should listen to (defaulting to 636). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAPS_INTERFACES=""
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the paths of the Unix Domain Sockets that
# the server should create an accept incoming LDAPI connections
# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
# is set to "yes".
# Default: ""
#
OPENLDAP_LDAPI_INTERFACES=""
## Type: yesno
## Default: "yes"
## ServiceRestart: ldap
#
# If set to "no" the LDAP server will not try itself at a running SLP
# daemon.
# Default: "yes"
#
OPENLDAP_REGISTER_SLP="no"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Set this to the name of the keytab, if you want to use a non-default
# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
# this file will be changed so that the group OPENLDAP_GROUP has read
# access to the file.
# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
# Default: ""
#
OPENLDAP_KRB5_KEYTAB=""
## Type: string
## Default: "files"
## ServiceRestart: ldap
#
# Here you can configure which of the configuration backends you want to
# use. Possible values are "files" for slapd.conf(5) styleconfiguration or
# "ldap" for the slapd-config(5) LDAP based configuration backend.
#
OPENLDAP_CONFIG_BACKEND="files"
## Type: yesno
## Default: "yes"
## ServiceRestart: ldap
#
# Here you can configure if the slapd shall start with or without memory limit.
#
OPENLDAP_MEMORY_LIMIT="yes"

67
update-crc.sh Normal file
View File

@ -0,0 +1,67 @@
#!/bin/bash
# Script to fix the crc of openldap slapd.d ldifs.
do_update_crc () {
if [ -z ${1} ]; then
echo "Invalid call to do_update_crc() - no filename provided"
exit 1
fi
tgt_ldif=$1
if [ ! -f "${tgt_ldif}" ]; then
echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
exit 1
fi
rm -f "${tgt_ldif}.crcbak"
mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
/usr/bin/awk '
BEGIN {
# CRC-32 ZIP polynomial in reversed bit order.
POLY = 0xedb88320
# 8-bit character -> ordinal table.
for (i = 0; i < 256; i++)
ORD[sprintf("%c", i)] = i
}
{
# Remember each input line.
input[NR] = $0
# Verify the file header.
if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
exit 1
if (NR == 2 && $0 !~ /# CRC32 ......../)
exit 1
}
# Calculate CRC-32.
function crc32(crc, string, i, j, c) {
crc = and(compl(crc), 0xffffffff)
for (i = 1; i <= length(string); i++) {
c = substr(string, i, 1)
crc = xor(crc, ORD[c])
for (j = 0; j < 8; j++)
crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
}
crc = and(compl(crc), 0xffffffff)
return crc
}
END {
# Calculate CRC-32 of the file and update it in the header.
crc = 0
for (i = 3; i <= length(input); i++)
crc = crc32(crc, input[i] "\n")
input[2] = "# CRC32 " sprintf("%08x", crc)
# Print the output.
for (i = 1; i <= length(input); i++)
print input[i]
}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
}