forked from jengelh/openldap2
Dominique Leuenberger 2021-10-21 08:21:23 +00:00 committed by Git OBS Bridge
parent d3e6f06f80
commit ff084bce11
18 changed files with 769 additions and 191 deletions


@ -0,0 +1,66 @@
From 348588561c694784a8106871b0d5fe578007ea4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?= <michael@stroeder.com>
Date: Fri, 26 Oct 2018 16:40:23 +0200
Subject: [PATCH] ITS#8866 slapo-unique to return filter used in diagnostic
message
---
servers/slapd/overlays/unique.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
index ed62d03b8..a7723cf5d 100644
--- a/servers/slapd/overlays/unique.c
+++ b/servers/slapd/overlays/unique.c
@@ -965,6 +965,8 @@ unique_search(
slap_callback cb = { NULL, NULL, NULL, NULL }; /* XXX */
unique_counter uq = { NULL, 0 };
int rc;
+ char *errmsg;
+ int errmsgsize;
Debug(LDAP_DEBUG_TRACE, "==> unique_search %s\n", key->bv_val, 0, 0);
@@ -998,24 +1000,29 @@ unique_search(
nop->o_bd = on->on_info->oi_origdb;
rc = nop->o_bd->be_search(nop, &nrs);
filter_free_x(nop, nop->ors_filter, 1);
- op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
if(rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
send_ldap_error(op, rs, rc, "unique_search failed");
- return(rs->sr_err);
- }
-
- Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", uq.count, 0, 0);
+ rc = rs->sr_err;
+ } else if(uq.count) {
+ Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", uq.count, 0, 0);
- if(uq.count) {
+ errmsgsize = sizeof("non-unique attributes found with ") + key->bv_len;
+ errmsg = op->o_tmpalloc(errmsgsize, op->o_tmpmemctx);
+ snprintf( errmsg, errmsgsize, "non-unique attributes found with %s", key->bv_val );
op->o_bd->bd_info = (BackendInfo *) on->on_info;
- send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION,
- "some attributes not unique");
- return(rs->sr_err);
+ send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, errmsg);
+ op->o_tmpfree(errmsg, op->o_tmpmemctx);
+ rc = rs->sr_err;
+ } else {
+ Debug(LDAP_DEBUG_TRACE, "=> unique_search found no records\n", 0, 0, 0);
+ rc = SLAP_CB_CONTINUE;
}
- return(SLAP_CB_CONTINUE);
+ op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
+
+ return(rc);
}
static int
--
2.19.1
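Review bot: The diagnosticMessage sent on LDAP_CONSTRAINT_VIOLATION now embeds the complete search filter via `snprintf( errmsg, errmsgsize, "non-unique attributes found with %s", key->bv_val )`; `key` is built before this hunk, so I cannot tell here whether it carries only the values the client itself submitted or also server-side configured filter components, and the patch header should state that the overlay's uniqueness filter becomes visible to any client that triggers a violation. The size arithmetic is sound: `sizeof("non-unique attributes found with ")` already counts the terminating NUL, so `errmsgsize` covers the prefix, `key->bv_len` and the NUL. The result of `op->o_tmpalloc` is used without a NULL check; if that allocator can fail in this tree rather than abort, add `if ( errmsg == NULL ) { send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, "some attributes not unique"); }` as a fallback. unique_search starts before the first hunk and the two hunks are separated by code not shown.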


@ -5,28 +5,28 @@ Subject: pie compile
diff --git a/build/top.mk b/build/top.mk
index 38ce146d7..d7fee4ec2 100644
index 633c9a4..c67289d 100644
--- a/build/top.mk
+++ b/build/top.mk
@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@
@@ -107,7 +107,7 @@ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
LTSTATIC = @LTSTATIC@
LTLINK = $(LIBTOOL) --mode=link \
- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
+ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS)
@@ -116,7 +116,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
@@ -206,7 +206,7 @@ SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LI
# Our Defaults
CC = $(AC_CC)
DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
@ -34,68 +34,98 @@ index 38ce146d7..d7fee4ec2 100644
+CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
diff --git a/servers/slapd/back-bdb/Makefile.in b/servers/slapd/back-bdb/Makefile.in
index da7da0c..dcb6d92 100644
--- a/servers/slapd/back-bdb/Makefile.in
+++ b/servers/slapd/back-bdb/Makefile.in
@@ -33,6 +33,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-bdb"
BUILD_MOD = @BUILD_BDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_BDB@_DEFS)
MOD_LIBS = $(BDB_LIBS)
diff --git a/servers/slapd/back-hdb/Makefile.in b/servers/slapd/back-hdb/Makefile.in
index 5af828f..6f43f7b 100644
--- a/servers/slapd/back-hdb/Makefile.in
+++ b/servers/slapd/back-hdb/Makefile.in
@@ -37,6 +37,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-hdb"
BUILD_MOD = @BUILD_HDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_HDB@_DEFS)
MOD_LIBS = $(BDB_LIBS)
diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
index 71400ca1b..6427165c6 100644
index 392d92e..3a0663d 100644
--- a/servers/slapd/back-ldap/Makefile.in
+++ b/servers/slapd/back-ldap/Makefile.in
@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldap"
BUILD_MOD = @BUILD_LDAP@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
index 225c8dd19..2f07c067b 100644
index 5e4abc1..1e8c454 100644
--- a/servers/slapd/back-ldif/Makefile.in
+++ b/servers/slapd/back-ldif/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldif"
BUILD_MOD = yes
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
index 6d64824da..9bbf8747d 100644
index 9b01d2a..e37520a 100644
--- a/servers/slapd/back-mdb/Makefile.in
+++ b/servers/slapd/back-mdb/Makefile.in
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/libmdb
BUILD_OPT = "--enable-mdb"
BUILD_MOD = @BUILD_MDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MDB@_DEFS)
MOD_LIBS = $(MDB_LIBS)
diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
index 200a1c65c..6b2afffb9 100644
index 9aecdbc..11c962c 100644
--- a/servers/slapd/back-monitor/Makefile.in
+++ b/servers/slapd/back-monitor/Makefile.in
@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-monitor"
BUILD_MOD = yes
BUILD_MOD = @BUILD_MONITOR@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
MOD_DEFS = $(@BUILD_MONITOR@_DEFS)
diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
index 71d74a171..60b44afd8 100644
index 90ea4b3..ff2f429 100644
--- a/servers/slapd/back-relay/Makefile.in
+++ b/servers/slapd/back-relay/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-relay"
BUILD_MOD = @BUILD_RELAY@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_RELAY@_DEFS)
--
1.7.10.4
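Review bot: The per-backend line `PIE_CFLAGS="-fPIE"` keeps the double quotes as part of the make value; the shell strips them again at compile time so the build works, but `PIE_CFLAGS = -fPIE` is the idiomatic form and avoids quoted flags in `make -n` output. More importantly PIE_CFLAGS is defined only in back-bdb, back-hdb, back-ldap, back-ldif, back-mdb, back-monitor and back-relay, while LTCOMPILE_MOD in top.mk references `$(PIE_CFLAGS)` for every module; back-meta, back-perl, back-sock, back-sql and the overlays, which the spec in this commit also configures as `mod`, get nothing from it and depend on whether LT_CFLAGS (not visible here) already expands the CFLAGS that now carry `-fPIE`. If it does, PIE_CFLAGS is redundant and can be dropped everywhere; if it does not, those modules are built without `-fPIE`, so please confirm one way or the other in the patch description. Which of the duplicated `index`/`@@` lines is the new side is not recoverable from this rendering, so this reads the 2.4-era hunks as the result.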


@ -0,0 +1,29 @@
From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Tue, 5 Oct 2010 14:20:22 +0200
Subject: Recover on DB version change
If the libdb Version changed try to recover the database. Note: This will
only succeed if only the format of transaction logs changed.
diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
index ac5a6d5..fea5cb4 100644
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@@ -330,6 +330,13 @@ shm_retry:
rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
flags | do_recover, bdb->bi_dbenv_mode );
+ if ( rc == DB_VERSION_MISMATCH ) {
+ Debug( LDAP_DEBUG_ANY,
+ LDAP_XSTRING(bdb_db_open) ": bdb version change detected "
+ "trying to recover\n", 0, 0, 0 );
+ rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
+ flags | DB_RECOVER, bdb->bi_dbenv_mode );
+ }
if ( rc ) {
/* Regular open failed, probably a missing shm environment.
* Start over, do a recovery.
--
1.7.10.4
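Review bot: The retry on DB_VERSION_MISMATCH opens with `flags | DB_RECOVER` unconditionally, replacing the caller's `do_recover`, and its result is not logged before control reaches the generic `if ( rc )` path, whose comment says it starts over with a recovery of its own; a second failure therefore appears to trigger recovery twice with the first outcome invisible in the log. Suggest adding `Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(bdb_db_open) ": recovery after version change returned %d\n", rc, 0, 0 );` after the second open. Whether running DB_RECOVER automatically is safe when the environment is shared with other processes (the `shm_retry:` label suggests a shared-memory environment) I cannot tell from the hunk; the patch description already limits the claim to transaction-log format changes, and that caveat belongs in the Debug text as well. The enclosing bdb_db_open starts before and continues after the hunk.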


@ -9,10 +9,10 @@ Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
index 4d327f243..c4d3c6237 100644
index c1995b0..2d27738 100644
--- a/servers/slapd/back-monitor/conn.c
+++ b/servers/slapd/back-monitor/conn.c
@@ -456,6 +456,11 @@ monitor_subsys_conn_create(
@@ -454,6 +454,11 @@ monitor_subsys_conn_create(
c != NULL;
c = connection_next( c, &connindex ) )
{
@ -22,5 +22,8 @@ index 4d327f243..c4d3c6237 100644
+ }
+
monitor_entry_t *mp;
if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE
--
2.1.4
/* ignore outbound for now, nothing to show */


@ -0,0 +1,80 @@
diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c
index 71e3ea4..bafef72 100644
--- a/servers/slapd/back-bdb/filterindex.c
+++ b/servers/slapd/back-bdb/filterindex.c
@@ -741,7 +741,7 @@ equality_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_equality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -858,7 +858,7 @@ approx_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_approx_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -978,7 +978,7 @@ substring_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_substring_candidates: (%s) not indexed\n",
sub->sa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -1095,7 +1095,7 @@ inequality_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_inequality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c
index 58c1cc8..20c58b7 100644
--- a/servers/slapd/back-mdb/filterindex.c
+++ b/servers/slapd/back-mdb/filterindex.c
@@ -709,7 +709,7 @@ equality_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_equality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -825,7 +825,7 @@ approx_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_approx_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -944,7 +944,7 @@ substring_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_substring_candidates: (%s) not indexed\n",
sub->sa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -1060,7 +1060,7 @@ inequality_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_inequality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
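Review bot: Lowering all eight "not indexed" diagnostics in the equality/approx/substring/inequality_candidates functions from LDAP_DEBUG_ANY to LDAP_DEBUG_TRACE removes an operational signal: a filter on an unindexed attribute is the usual cause of full-scan searches, and at TRACE level it no longer appears in a production log where an operator would notice a missing index or a client hammering unindexed attributes. The file also has no header at all, unlike the other patches in this package — no From/Subject line and no statement of what ITS#7796 fixes — so the trade-off is undocumented; please add a short header, e.g. `Subject: ITS#7796 lower "not indexed" diagnostics to TRACE` followed by one sentence naming the motivation (presumably log noise from client filters) and noting that unindexed searches now need a trace-level loglevel to be seen. Each changed Debug call sits in a function that starts and ends outside its hunk.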


@ -0,0 +1,130 @@
From b026c9236e6b11c158e69572a28eb0efb174234b Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo@gmail.com>
Date: Wed, 17 Feb 2016 16:10:05 +0100
Subject: [PATCH] Fix incorrect calculation of consecutive number of characters
in a class, when the input is shorter than 6 chars or consecutive chars
appear at the beginning of input
diff --git a/check_password.c b/check_password.c
index 0d9f901..acf8eda 100644
--- a/check_password.c
+++ b/check_password.c
@@ -355,18 +355,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
int min_quality = DEFAULT_QUALITY;
int use_cracklib = DEFAULT_CRACKLIB;
- /** bail out early as cracklib will reject passwords shorter
- * than 6 characters
- */
-
nLen = strlen (pPasswd);
- if ( nLen < 6) {
- mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
- sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
- goto fail;
- }
if (read_config_file() == -1) {
syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
@@ -392,46 +381,38 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
*/
if ( max_consecutive_per_class != 0 ) {
- int consec_chars = 1;
- char type[10] = "unkown";
- char prev_type[10] = "unknown";
+ char prev_type = '\0';
+ char this_type = ' ';
+ i = 0;
+ int consec_chars = 0;
for ( i = 0; i < nLen; i++ ) {
-
if ( islower(pPasswd[i]) ) {
- strncpy(type,"lower",10);
+ this_type = 'l';
}
else if ( isupper(pPasswd[i]) ) {
- strncpy(type,"upper",10);
+ this_type = 'u';
}
else if ( isdigit(pPasswd[i]) ) {
- strncpy(type,"digit",10);
+ this_type = 'd';
}
else if ( ispunct(pPasswd[i]) ) {
- strncpy(type,"punct",10);
+ this_type = 'p';
}
else {
- strncpy(type,"unknown",10);
- }
-
- if ( consec_chars > max_consecutive_per_class ) {
- mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(CONSEC_FAIL_SZ) +
- strlen(pEntry->e_name.bv_val));
- sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
- goto fail;
+ this_type = ' ';
}
-
- if ( strncmp(type,prev_type,10) == 0 ) {
- consec_chars++;
+ if (this_type == prev_type) {
+ ++consec_chars;
+ } else if (i > 0) {
+ consec_chars = 0;
}
- else {
- if (strncmp("unknown",prev_type,8) != 0) {
- consec_chars = 1;
- }
- else {
- consec_chars++;
- }
- strncpy(prev_type,type,10);
+ prev_type = this_type;
+ if ( consec_chars >= max_consecutive_per_class ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+ strlen(CONSEC_FAIL_SZ) +
+ strlen(pEntry->e_name.bv_val));
+ sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
+ goto fail;
}
}
}
diff --git a/check_password_test.c b/check_password_test.c
index 626d719..d33bd80 100644
--- a/check_password_test.c
+++ b/check_password_test.c
@@ -90,7 +90,6 @@ void setconf(
}
int main(void) {
-
// Empty Config, equiv to:
// 5,3,1,0,0,0,0
setconf(-1,-1,-1,-1,-1,-1,-1);
@@ -109,5 +108,16 @@ int main(void) {
testpass("Test 2.1", "Simp1e", 1);
testpass("Test 2.2", "SimPle", 1);
testpass("Test 2.1", "Simp1e!", 0);
+
+ setconf(1,0,0,0,0,0,0);
+ testpass("a", "Ab1,", 0);
+ testpass("a", "AAb1,", 1);
+ testpass("a", "Abb1,", 1);
+
+ setconf(3,0,0,0,0,0,0);
+ testpass("a", "AAAbbb111,,,", 0);
+ testpass("a", "AAAAbbb111,,,,", 1);
+ testpass("a", "AAAbbbb111,,,", 1);
+
return 0;
}
--
2.7.1
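Review bot: Dropping the `nLen < 6` early rejection changes enforced policy, not only the consecutive-character arithmetic: with `use_cracklib` disabled (initialised just above the hunk) nothing left in this function rejects very short passwords, so confirm that the ppolicy overlay's minimum-length setting is relied on instead and say so in the patch header. In the new loop, `i = 0;` before `int consec_chars = 0;` is dead (the `for` re-initialises `i`) and makes the next line a declaration after a statement, which needs C99; drop it. Because `prev_type` starts as `'\0'` and `this_type` is always one of `'l' 'u' 'd' 'p' ' '`, the first iteration can never match, so `else if (i > 0)` is equivalent to a plain `else { consec_chars = 0; }` and the simpler form reads better. The added tests for limits 1 and 3 pin the off-by-one the subject describes, but none covers the removed short-password path.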


@ -1,6 +1,6 @@
libldap-2_5-0
libldap-2_4-2
provides "openldap2-client-<targettype> = <version>"
obsoletes "openldap2-client-<targettype> <= <version>"
openldap2-devel
requires -openldap2-<targettype>
requires "libldap-2_5-0-<targettype> = <version>"
requires "libldap-2_4-2-<targettype> = <version>"

3
openldap-2.4.59.tgz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:99f37d6747d88206c470067eda624d5e48c1011e943ec0ab217bae8712e22f34
size 5886272

16
openldap-2.4.59.tgz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmC5T1oACgkQf2fV/Rzh
y85Ukw//S/hsn6w62rKkwJtFl6zcCI5TlmbsKQdGVszhuqP2g58ZiJ2tzM/eucDK
w7nustTdccBmWsIfBc5HONzXhDwZxTm65GBH6p/dsJuzruVw4M/e6l799tSbsVR3
WsYxTWBKJ8MpqBtzvH/TV4HCCTk2YkhdxKirKbo7wfuNpsVN8iodhGayg/DJHZVQ
idE6mpejyBU3CPk0ZE2oixOxlr6ij4KNQ7fnpjE0055EuuKLzQsuJsitSDDSG1o/
UPyNzrBkjxzZlxmnO6olQ5AS/H7qgFRv77/ChPd7+AErvyrp0nDU4Rv6pkv3DHVM
tL+ZBEETx7DUatpOjqO0mZ2+fkbMtSB0HQt9js9yRBoA1YdVWtnUYQ5jyCpz6xED
TpMRnzCsXxeG7xWOGCKG1aZ3vIPo8wVbKjdWLvgjCzNHK4jZXy5ilZOo1SE0OtMo
BfDzKse/OI8yM2CaHbKiJwYO0AssgwRwP4umOnYiSFIdKSHEvbObGePSCQZyLivc
nG6jXIxG2e6xc4yCAHiyEyt3n/rcHJBgeqCHzQOkNZVAHcpbjk19R0PPS/08lKvh
MoO9DiuLlNOLJQM56xhSsfCLr7dJzFAyH+n1EQUHZ/H7m4voakuGi2c5adtHc4IP
0CyI3xjHABCSnqqiRuz9JYZZwRnyy126MbtozUZVdlAiib8/JQs=
=Nc3V
-----END PGP SIGNATURE-----


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:366ea1c3b24202de4481978b632128c0cfe4148d4ae13cabf93a1f38c56472dc
size 6437833


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=NKlB
-----END PGP SIGNATURE-----

24
openldap-r-only.dif Normal file

@ -0,0 +1,24 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2017-07-04 13:53:32.386698982 +0200
Build all own programs exclusively with libldap_r and not libldap.
References: http://bugzilla.redhat.com/1370065
References: http://bugzilla.opensuse.org/996551
---
build/top.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: openldap-2.4.45/build/top.mk
===================================================================
--- openldap-2.4.45.orig/build/top.mk
+++ openldap-2.4.45/build/top.mk
@@ -171,7 +171,7 @@ LDAP_LIBLUNICODE_A = $(LDAP_LIBDIR)/libl
LDAP_LIBLUTIL_A = $(LDAP_LIBDIR)/liblutil/liblutil.a
LDAP_L = $(LDAP_LIBLUTIL_A) \
- $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA)
+ $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \
$(LDAP_LIBLUTIL_A) $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)


@ -1,99 +1,3 @@
-------------------------------------------------------------------
Mon Oct 11 18:46:13 UTC 2021 - Michael Ströder <michael@stroeder.com>
- update to 2.5.8
OpenLDAP 2.5.8 Release (2021/10/11)
Fixed libldap ldap_int_tls_connect: isdigit() requires unsigned char (ITS#9668)
Fixed libldap memory leak in ldap_get_option LDAP_OPT_X_TLS_PEERCERT (ITS#9696)
Fixed slapd to allow normalized values for namingContexts in cn=monitor (ITS#8341)
Fixed slapd to normalize the suffix in rootDSE (ITS#9664)
Fixed slapd slapadd to avoid destroying configDB prematurely (ITS#9678)
Fixed slapd to not spam logs with lastbind information (ITS#9156)
Fixed slapd slaptest migration to correctly set olcTSLVerifyClient (ITS#9711)
Fixed slapd-mdb multival delete handling (ITS#9712)
Fixed slapd-sql ldap_entry_objectclass table for mariadb/mysql (ITS#9679)
Fixed slapd-wt multiple issues (ITS#9463)
Fixed slapd-wt to close cache db correctly (ITS#9631)
Fixed slapo-ppolicy to restore OpenLDAP 2.4 compatibilty (ITS#9671)
Fixed slapo-syncprov to free uuid list when finished replaying sessionlog (ITS#6467)
Build
Fixed libldap result.c compilation on musl systems (ITS#9648)
Fixed slapd duplicate definition of peerbv (ITS#9659)
Fixed test suite with memberof modular builds (ITS#9464)
Contrib
Added man page for ppm contrib module (ITS#9644)
Fix crash when pwdCheckModuleArg is not defined for ppm (ITS#9656)
Documentation
Fixed guide download link for heimdal (ITS#9669)
Fixed guide documentation for TLSECName (ITS#9687)
Fixed guide documentation missing tags (ITS#9693)
Fixed guide loadbalancer typo (ITS#9699)
Fixed guide synprov-nopresent redundant text (ITS#9689)
Fixed guide various typos and fix config alignment (ITS#9706)
Removed ppolicy.schema from servers/slapd/schema/README (ITS#9156)
Fixed slapd.conf(5)/slapd-config(5) to document default for database monitoring (ITS#9674)
Fixed slapd-meta(5)/slapd-asyncmeta(5) verbiage for try-propagate (ITS#9646)
Fixed slapo-syncprov(5) to note entryCSN indexing is highly recommended (ITS#9688)
-------------------------------------------------------------------
Tue Aug 24 13:04:36 UTC 2021 - Philipp Wagner <mail@philipp-wagner.com>
- Update to upstream version 2.5.7
Fixed lloadd client state tracking (ITS#9624)
Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611)
Fixed slapd-ldif duplicate controls response (ITS#9497)
Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621)
Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958)
Fixed slapd-mdb idlexp maximum size handling (ITS#9637)
Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628)
Fixed slapd-sql to add support for ppolicy attributes (ITS#9629)
Fixed slapd-sql to close transactions after bind and search (ITS#9630)
Fixed slapo-accesslog to make reqMod optional (ITS#9569)
Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625)
Documentation
slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637)
slapo-accesslog(5) note that reqMod is optional (ITS#9569)
Add ldapvc(1) man page (ITS#9549)
Add guide section on load balancer (ITS#9443)
Updated guide to document multiprovider as replacement for mirrormode (ITS#9200)
Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200)
Updated guide to document removal of deprecated options from client tools (ITS#9200)
-------------------------------------------------------------------
Fri Jul 30 13:30:05 UTC 2021 - Philipp Wagner <mail@philipp-wagner.com>
- Major version update to 2.5.6
See https://www.openldap.org/software/release/announce.html for a list of
changes.
- The threaded version of the OpenLDAP libraries, libldap_r, has been merged
with libldap with 2.5. Removed all related downstream changes, including the
openldap-r-only.dif patch.
Introduce a new compatibility symlink in the other direction: libldap_r
pointing to libldap.
- Removed the ppolicy-check-password module. It is unmaintained and does not
build any more. As part of that also remove the patch
patch 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch, which
is applied to this module.
- Removed patch 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Fixed upstream in 2.5 (ITS#8866)
- Updated patch 0005-pie-compile.dif
Removed the hunks on back-bdb and back-hdb, which are retired backends in 2.5.
- Removed patch 0007-Recover-on-DB-version-change.dif
The back-bdb backend was retired.
- Removed patch 0011-openldap-re24-its7796.patch
Fixed upstream in 2.5 (ITS#7796)
- Remove non-existant configure arguments:
--enable-rewrite, --enable-monitor, --enable-lmpasswd
- Add the --enable-dynacl configure option, which is required for --enable-aci
- Add the --with-argon2 configure option and remove it from the contrib
modules, since it is now official (ITS#9453).
- Pass mandir to smbk5pwd to ensure the man page ends up in /usr/share.
- Include the new overlays in libdir/openldap in the packages.
- Add the pkgconfig files to the devel package.
- Remove compat macro for _fillupdir, which was introduced in Nov 2017 and
should be widely available now.
-------------------------------------------------------------------
Fri Jun 4 00:06:15 UTC 2021 - Michael Ströder <michael@stroeder.com>
@ -287,7 +191,7 @@ OpenLDAP 2.4.51 Release (2020/08/11)
-------------------------------------------------------------------
Mon Jun 8 12:46:34 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Revert changes to libexecdir
- Revert changes to libexecdir
-------------------------------------------------------------------
Sun Jun 7 10:20:45 UTC 2020 - Michael Ströder <michael@stroeder.com>
@ -544,7 +448,7 @@ Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger <dleuenberger@suse.com>
-------------------------------------------------------------------
Thu Nov 8 15:25:08 UTC 2018 - varkoly@suse.com
- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG* (transactional-update)
- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG* (transactional-update)
-------------------------------------------------------------------
Fri Oct 26 14:58:41 UTC 2018 - Michael Ströder <michael@stroeder.com>
@ -558,7 +462,7 @@ Fri Aug 17 07:46:47 UTC 2018 - ckowalczyk@suse.com
- Fix slapd segfaults in mdb_env_reader_dest
+ with patch 0016-Clear-shared-key-only-in-close-function.patch
+ (bsc#1089640)
+ (bsc#1089640)
-------------------------------------------------------------------
Fri Jun 29 16:23:22 UTC 2018 - michael@stroeder.com
@ -668,7 +572,7 @@ Mon Dec 11 22:51:03 UTC 2017 - michael@stroeder.com
-------------------------------------------------------------------
Thu Nov 23 13:36:52 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
@ -728,7 +632,7 @@ Tue Jun 6 13:47:18 UTC 2017 - hguo@suse.com
- There is no change made about the package itself, this is only
copying over some changelog texts from SLE package:
- bug#976172 owned by hguo@suse.com: openldap2 - missing
- bug#976172 owned by hguo@suse.com: openldap2 - missing
/usr/share/doc/packages/openldap2/guide/admin/guide.html
- bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546:
openldap2: slapd crash in valueReturnFilter cleanup
@ -2074,7 +1978,7 @@ Wed Jun 11 13:03:29 CEST 2008 - rhafer@suse.de
-------------------------------------------------------------------
Fri May 16 13:24:11 CEST 2008 - rhafer@suse.de
- Support update from 2.3 releases (bnc#390247)
- Support update from 2.3 releases (bnc#390247)
-------------------------------------------------------------------
Thu May 8 08:55:00 CEST 2008 - rhafer@suse.de
@ -2161,7 +2065,7 @@ Wed Feb 20 09:49:30 CET 2008 - rhafer@suse.de
* Fixed slapd modrdn check for valid new DN (ITS#5344)
* Fixed slapd multi-step SASL binds (ITS#5298)
* Fixed slapd overlay ordering when moving to slapd.d (ITS#5284)
* Fixed slapd NULL printf (ITS#5264)
* Fixed slapd NULL printf (ITS#5264)
* Fixed slapd NULL set values (ITS#5286)
* Fixed slapd timestamp race condition (ITS#5370)
* Fixed slapd cn=config crash on delete (ITS#5343)
@ -2535,7 +2439,7 @@ Wed May 10 10:20:16 CEST 2006 - rhafer@suse.de
Fri Mar 24 13:48:52 CET 2006 - rhafer@suse.de
- Backported fix from CVS for occasional crashes in referral
chasing code (as used in e.g. back-meta/back-ldap).
chasing code (as used in e.g. back-meta/back-ldap).
(Bug: #160566, ITS: #4448)
-------------------------------------------------------------------
@ -2816,7 +2720,7 @@ Tue Aug 3 14:48:25 CEST 2004 - rhafer@suse.de
new sysconfig variable (OPENLDAP_REGISTER_SLP) to be able
to switch SLP registration on and off. (Bugzilla #39865)
- removed unneeded README.update
-------------------------------------------------------------------
Fri Apr 30 16:46:50 CEST 2004 - rhafer@suse.de
@ -3351,3 +3255,4 @@ Tue Nov 7 18:52:54 CET 2000 - choeger@suse.de
Fri Oct 6 11:35:47 CEST 2000 - choeger@suse.de
- first package of openldap2 (v2.0.6)


@ -16,8 +16,16 @@
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
%define run_test_suite 0
%define version_main 2.5.8
%define version_main 2.4.59
%define name_ppolicy_check_module ppolicy-check-password
%define version_ppolicy_check_module 1.2
%define ppolicy_docdir %{_docdir}/openldap-%{name_ppolicy_check_module}-%{version_ppolicy_check_module}
%define slapdrundir %{_rundir}/slapd
Name: openldap2
@ -46,10 +54,19 @@ Source21: slapd-ldif-update-crc.sh
Source22: update-crc.sh
Source23: slapd.conf
Source24: slapd.conf.olctemplate
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Patch3: 0003-LDAPI-socket-location.dif
Patch5: 0005-pie-compile.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch11: 0011-openldap-re24-its7796.patch
Patch15: openldap-r-only.dif
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf
Source203: %{name_ppolicy_check_module}.5
Patch200: 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel
@ -68,7 +85,7 @@ BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
Requires: /usr/bin/awk
Requires: libldap-2_5-0 = %{version_main}
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl
Conflicts: openldap
PreReq: %fillup_prereq
@ -146,6 +163,7 @@ cloak
denyop
lastbind writes last bind timestamp to entry
noopsrch handles no-op search control
pw-argon2 generates/validates Argon2 password hashes
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
@ -163,7 +181,7 @@ The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
%package client
Summary: OpenLDAP client utilities
Group: Productivity/Networking/LDAP/Clients
Requires: libldap-2_5-0 = %{version_main}
Requires: libldap-2_4-2 = %{version_main}
%description client
OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
@ -177,7 +195,7 @@ Obsoletes: openldap2-devel-64bit
%endif
#
Conflicts: openldap-devel
Requires: libldap-2_5-0 = %{version_main}
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl-devel
%description devel
@ -195,23 +213,55 @@ Requires: openldap2-devel = %version
This package provides the static versions of the OpenLDAP libraries
for development.
%package -n libldap-2_5-0
%package -n libldap-2_4-2
Summary: OpenLDAP Client Libraries
Group: Productivity/Networking/LDAP/Clients
Recommends: libldap-data >= %{version_main}
%description -n libldap-2_5-0
%description -n libldap-2_4-2
This package contains the OpenLDAP client libraries.
%package ppolicy-check-password
Version: %{version_ppolicy_check_module}
Release: 0
Summary: Password quality check module for OpenLDAP
Group: Productivity/Networking/LDAP/Servers
URL: https://github.com/onyxpoint/ppolicy-check-password
BuildRequires: cracklib-devel
Requires: openldap2 = %version_main
Recommends: cracklib
Recommends: cracklib-dict-full
%description ppolicy-check-password
An implementation of password quality check module, based on the original
work done by LDAP Toolbox Project (https://ltd-project.org), that works
together with OpenLDAP password policy overlay (ppolicy), to enforce
password strength policies.
%prep
# Unpack and patch OpenLDAP 2.5
# Unpack ppolicy check module
%setup -b 200 -q -n %{name_ppolicy_check_module}-%{version_ppolicy_check_module}
%patch200 -p1
cd ..
# Compress the manual page of ppolicy check module
gzip -k %{S:203}
# Unpack and patch OpenLDAP 2.4
%setup -q -a 9 -n openldap-%{version_main}
%patch1 -p1
%patch3 -p1
%patch5 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
%patch15 -p1
%patch16 -p1
cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
mv ../%{name_ppolicy_check_module}-%{version_ppolicy_check_module} contrib/slapd-modules/%{name_ppolicy_check_module}
cp %{S:201} contrib/slapd-modules/%{name_ppolicy_check_module}/Makefile
%build
%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS"
@ -231,10 +281,13 @@ export STRIP=""
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
--enable-dynacl \
--enable-aci \
--enable-bdb=mod \
--enable-hdb=mod \
--enable-rewrite \
--enable-ldap=mod \
--enable-meta=mod \
--enable-monitor=mod \
--enable-perl=mod \
--enable-sock=mod \
--enable-sql=mod \
@ -244,19 +297,21 @@ export STRIP=""
--enable-overlays=mod \
--enable-syncprov=mod \
--enable-ppolicy=mod \
--enable-lmpasswd \
--with-yielding-select \
--with-argon2 \
|| cat config.log
make depend
make %{?_smp_mflags}
# Build selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace
do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
# Build ppolicy-check-password module
make -C contrib/slapd-modules/%{name_ppolicy_check_module} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
# Create ldap user
%sysusers_generate_pre %{SOURCE19} ldap
@ -294,12 +349,12 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi
# Additional symbolic link to slapd executable in /usr/sbin/
ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd
# Install selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace
do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d
@ -307,7 +362,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d %{buildroot}/var/lib/ldap
chmod a+x %{buildroot}%{_libdir}/liblber.so*
chmod a+x %{buildroot}%{_libdir}/libldap.so*
chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
@ -318,6 +373,18 @@ install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
# Install ppolicy check module
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
# Install ppolicy check module's doc files
pushd contrib/slapd-modules/%{name_ppolicy_check_module}
mkdir -p "%{buildroot}%ppolicy_docdir"
install -m 0644 README "%{buildroot}%ppolicy_docdir"
install -m 0644 LICENSE "%{buildroot}%ppolicy_docdir"
popd
# Install ppolicy check module's manual page
install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/
mkdir -p %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap
install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema
@ -334,6 +401,7 @@ rm -rf doc/guide/release
install -d %{buildroot}%{DOCDIR}/adminguide \
%{buildroot}%{DOCDIR}/images \
%{buildroot}%{DOCDIR}/drafts
install -m 644 %{buildroot}/etc/openldap/DB_CONFIG.example %{buildroot}%{DOCDIR}/
install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images
install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts
@ -345,8 +413,10 @@ install -m 644 ANNOUNCEMENT \
%{buildroot}%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
%{buildroot}%{DOCDIR}/slapd.ldif.default
rm -f %{buildroot}/etc/openldap/DB_CONFIG.example
rm -f %{buildroot}/etc/openldap/schema/README
rm -f %{buildroot}/etc/openldap/slapd.ldif*
rm -f %{buildroot}%{slapdrundir}/openldap-data/DB_CONFIG.example
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
@ -359,12 +429,14 @@ rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5
rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
# Keep .la files for modules in the openldap subdirectory, which are consumed
# in this form.
rm -f %{buildroot}%{_libdir}/*.la
rm -f %{buildroot}%{_libdir}/lib*.la
# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5.
ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
# Make ldap_r the only copy in the system [rh#1370065].
# libldap.so is only for `gcc/ld -lldap`. Make no libldap-2.4.so.2.
rm -f "%{buildroot}%{_libdir}"/libldap-2.4.so*
ln -fs libldap_r.so "%{buildroot}%{_libdir}/libldap.so"
gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
-Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}%{_libdir}" -lldap_r
%pre -f ldap.pre
%service_add_pre slapd.service
@ -374,9 +446,9 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%tmpfiles_create %{name}.conf
%service_add_post slapd.service
%post -n libldap-2_5-0 -p /sbin/ldconfig
%post -n libldap-2_4-2 -p /sbin/ldconfig
%postun -n libldap-2_5-0 -p /sbin/ldconfig
%postun -n libldap-2_4-2 -p /sbin/ldconfig
%preun
%service_del_preun slapd.service
@ -402,24 +474,24 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%{_fillupdir}/sysconfig.openldap
%{_sbindir}/slap*
%{_sbindir}/rcslapd
%{_libdir}/openldap/back_bdb*
%{_libdir}/openldap/back_hdb*
%{_libdir}/openldap/back_ldap*
%{_libdir}/openldap/back_mdb*
%{_libdir}/openldap/back_monitor*
%{_libdir}/openldap/back_relay*
%{_libdir}/openldap/accesslog*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/autoca*
%{_libdir}/openldap/collect*
%{_libdir}/openldap/constraint*
%{_libdir}/openldap/dds*
%{_libdir}/openldap/deref*
%{_libdir}/openldap/dyngroup*
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/homedir*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/otp*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
%{_libdir}/openldap/remoteauth*
%{_libdir}/openldap/ppolicy-2.4.*
%{_libdir}/openldap/ppolicy.*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
@ -439,20 +511,16 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
%ghost %attr(0750, ldap, ldap) %{slapdrundir}
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man8/lloadd.*
%doc %{_mandir}/man5/lloadd.conf.*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-asyncmeta.*
%doc %{_mandir}/man5/slapd-bdb.*
%doc %{_mandir}/man5/slapd-config.*
%doc %{_mandir}/man5/slapd-hdb.*
%doc %{_mandir}/man5/slapd-ldap.*
%doc %{_mandir}/man5/slapd-ldif.*
%doc %{_mandir}/man5/slapd-mdb.*
%doc %{_mandir}/man5/slapd-monitor.*
%doc %{_mandir}/man5/slapd-pw-*
%doc %{_mandir}/man5/slapd-relay.*
%doc %{_mandir}/man5/slapd-wt.*
%doc %{_mandir}/man5/slapo-*
%doc %{_mandir}/man5/slappw-argon2.*
%dir %{DOCDIR}
%doc %{DOCDIR}/ANNOUNCEMENT
%doc %{DOCDIR}/COPYRIGHT
@ -460,6 +528,7 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%doc %{DOCDIR}/README*
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
%doc %{DOCDIR}/DB_CONFIG.example
%files back-perl
%defattr(-,root,root)
@ -505,12 +574,14 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%{_libdir}/openldap/autogroup.*
%{_libdir}/openldap/lastbind.*
%{_libdir}/openldap/noopsrch.*
%{_libdir}/openldap/pw-argon2.*
%{_libdir}/openldap/pw-sha2.*
%{_libdir}/openldap/pw-pbkdf2.*
%{_libdir}/openldap/denyop.*
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/smbk5pwd.*
%{_libdir}/openldap/trace.*
%doc %{_mandir}/man5/slapd-pw-argon2.*
%files client
%defattr(-,root,root)
@ -527,13 +598,12 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
/usr/bin/ldapsearch
/usr/bin/ldappasswd
/usr/bin/ldapurl
/usr/bin/ldapvc
/usr/bin/ldapwhoami
%files -n libldap-2_5-0
%files -n libldap-2_4-2
%defattr(-,root,root)
%{_libdir}/liblber*2.5.so.*
%{_libdir}/libldap*2.5.so.*
%{_libdir}/liblber*2.4.so.*
%{_libdir}/libldap*2.4.so.*
%files devel
%defattr(-,root,root)
@ -544,11 +614,17 @@ ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
%{_includedir}/*.h
%{_libdir}/liblber.so
%{_libdir}/libldap*.so
%{_libdir}/pkgconfig/*.pc
%files devel-static
%defattr(-,root,root)
%_libdir/liblber.a
%_libdir/libldap*.a
%files ppolicy-check-password
%defattr(-,root,root)
%doc %{ppolicy_docdir}/
%config(noreplace) /etc/openldap/check_password.conf
%{_libdir}/openldap/ppolicy-check-password.*
%{_mandir}/man5/ppolicy-check-password.*
%changelog


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:840517adc7fa60cb45050ba203437e29458542d9d7f23e906520e0b2fca56fe9
size 10354

182
ppolicy-check-password.5 Normal file

@ -0,0 +1,182 @@
.\"/*
.\" * All rights reserved
.\" * Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
.\" * Authors: Howard Guo <hguo@suse.com>
.\" *
.\" * This program is free software; you can redistribute it and/or
.\" * modify it under the terms of the GNU General Public License
.\" * as published by the Free Software Foundation; either version 2
.\" * of the License, or (at your option) any later version.
.\" *
.\" * This program is distributed in the hope that it will be useful,
.\" * but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" * GNU General Public License for more details.
.\" */
.\"
.TH PPOLICY-CHECK-PASSWORD 5 "2016/02/18" "OpenLDAP password quality check"
.SH NAME
ppolicy\-check\-password \- Password quality checker for OpenLDAP ppolicy overlay
.SH SYNOPSIS
pwdCheckModule ppolicy-check-password.so
.SH DESCRIPTION
ppolicy\-check\-password is an implementation of password quality check module, it can be plugged into OpenLDAP
.BR slapo\-ppolicy (5)
overlay to enforce organisational password strength policies for password-change operations.
.SH PREREQUISITES
In order to use the module, you should enable and configure
.BR slapo\-ppolicy (5)
overlay on the OpenLDAP server. You may use the following example to enable ppolicy overlay:
.HP 4
Enable ppolicy overlay
To enable ppolicy overlay on the server using static configuration file
.BR slapd.conf (5)
, first enable ppolicy schema by adding line:
.br
include /etc/openldap/schema/ppolicy.schema
and then append the following lines to the database definition in which password policy should be enforced:
.br
overlay ppolicy
.br
ppolicy_default "cn=PolicyContainer,dc=my-domain,dc=com"
Save slapd.conf and (re)start OpenLDAP server.
If you use cn=config (online configuration) instead of static configuration file, add the schema /etc/openldap/schema/ppolicy.ldif to cn=schema,cn=config, then enable ppolicy overlay in olcDatabase.
.LP
.HP 4
Create ppolicy container entry
The ppolicy container entry stores attributes that describe the password policy in detail, create the entry with
.BR ldapadd (1)
:
.br
dn: cn=PolicyContainer,dc=my-domain,dc=com
.br
cn: PolicyContainer
.br
objectClass: pwdPolicy
.br
objectClass: person
.br
objectClass: top
.br
pwdAllowUserChange: TRUE
.br
pwdAttribute: userPassword
.br
pwdCheckQuality: 2
.br
pwdExpireWarning: 600
.br
pwdFailureCountInterval:
.br
pwdGraceAuthNLimit: 5
.br
pwdInHistory: 5
.br
pwdLockout: TRUE
.br
pwdLockoutDuration: 0
.br
pwdMaxAge: 0
.br
pwdMaxFailure:
.br
pwdMinAge: 0
.br
pwdMinLength: 5
.br
pwdMustChange: FALSE
.br
pwdSafeModify: FALSE
.br
sn: dummy value
.br
The password policy becomes effective immediately, there is no need to restart OpenLDAP server.
.LP
.HP 4
Enable ppolicy-check-password.so module
Modify the ppolicy container entry with
.BR ldapmodify (1)
:
.br
dn: cn=PolicyContainer,dc=my-domain,dc=com
.br
changeType: modify
.br
add: objectClass
.br
objectClass: pwdPolicyChecker
.br
\-
.br
add: pwdCheckModule
.br
pwdCheckModule: ppolicy-check-password.so
The password check module becomes effective immediately, there is no need to restart OpenLDAP server.
.LP
.SH CONFIGURATION
The password check module reads configuration parameters from
.B /etc/openldap/check_password.conf
Edits made to the configuration file become effective immediately, there is no need to restart OpenLDAP server.
List of parameters:
.TP
.BI use_cracklib \ 1|0
CrackLib is a library for checking that a password is not easily crackable, making sure that the password is not based on simple patterns or dictionary words. If the parameter is set to 1, cracklib will be involved and new passwords must pass cracklib quality check in addition to all other policies such as min_points
.TP
.BI min_points \ <integer>
The parameter holds an integer value in between 0 and 4. The value denotes "quality points" that a password must acquire in order to pass the check. Usage of each character class awards one quality point. If the parameeter is set to 0, the check is disabled.
The character classes are: upper case letters, lower case letters, numeric digits, punctuations.
.TP
.BI min_upper \ <integer>
The minimal number of upper case characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI min_lower \ <integer>
The minimal number of lower case characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI min_digit \ <integer>
The minimal number of numeric digit characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI min_punct \ <integer>
The minimal number of punctuation characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI max_consecutive_per_class \ <integer>
The maximum number of characters from each character class that may appear consecutively. If the parameter is set to 0, the check is disabled.
.SH USAGE
After the module is enabled, the OpenLDAP server will invoke the password checker module on every user password change, the new user password must pass all quality checks before it is accepted. If the new password does not pass quality checks, the detailed reason will be logged on the OpenLDAP server, and the client will receive a Constraint Violation and a generic error message "Password fails quality checking policy" \- the lack of details is by design.
If the password change is carried out by RootDN, password checker module will not enforce the quality checks, and any password is acceptable.
.SH FILES
.TP
/etc/openldap/check_password.conf
Define the password strength policy.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd (8),
.BR slapo\-ppolicy (5)
.SH ACKNOWLEDGEMENTS
.P
The module was originally authored by LTB-project (ltb\-project.org), and further maintained by Onyx Point (onyxpoint.com).


@ -0,0 +1,43 @@
LDAP_SRC = ../../..
LDAP_BUILD = $(LDAP_SRC)
LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
$(LDAP_BUILD)/libraries/liblber/liblber.la
LIBTOOL = $(LDAP_BUILD)/libtool
CC = gcc
OPT = -g -O2 -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -lcrack
INCS = $(LDAP_INC)
LIBS = $(LDAP_LIB)
PROGRAMS = ppolicy-check-password.la
LTVER = 0:0:0
prefix=/usr/local
exec_prefix=$(prefix)
ldap_subdir=/openldap
libdir=$(exec_prefix)/lib64
libexecdir=$(exec_prefix)/libexec
moduledir=$(libdir)$(ldap_subdir)
.SUFFIXES: .c .o .lo
.c.lo:
$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
all: $(PROGRAMS)
ppolicy-check-password.la: check_password.lo
$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
-rpath $(moduledir) -module -o $@ $? $(LIBS)
clean:
rm -rf *.o *.lo *.la .libs
install: $(PROGRAMS)
mkdir -p $(DESTDIR)$(moduledir)
for p in $(PROGRAMS) ; do \
$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
done
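Review bot: `LDAP_LIB` links the module against `$(LDAP_BUILD)/libraries/libldap_r/libldap_r.la`, yet the spec in this same commit packages `libldap-2_5-0` and creates `libldap_r.so` only as a compatibility symlink "for OpenLDAP < 2.5", which suggests the 2.5 source tree no longer has a `libraries/libldap_r` directory; if that is the case the libtool link step fails, and the line should read `LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \` with the `liblber.la` continuation unchanged. `-lcrack` is placed in `OPT`, so it is passed to every compile and lands before the object files on the link line, where a linker running with `--as-needed` may drop it; it belongs in `LIBS = $(LDAP_LIB) -lcrack`. `libdir=$(exec_prefix)/lib64` is a hard-coded multilib default that is wrong on non-64-bit targets; the spec overrides it on the command line, but `libdir=$(exec_prefix)/lib` plus a comment that packaging supplies the real value is the safer default.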


@ -0,0 +1,7 @@
use_cracklib 1
min_points 3
min_upper 0
min_lower 0
min_digit 0
min_punct 0
max_consecutive_per_class 5