
Accepting request 361364 from network:ldap

- Move ldap.conf into libldap-data package, per convention.

- Move ldap.conf out of shlib package again, they are not allowed
  there for obvious reasons (conflict with future package).

- Build password strength enforcer as an implementation of ppolicy
  password checker, introducing:
  ppolicy-check-password-1.2.tar.gz
  ppolicy-check-password.Makefile
  ppolicy-check-password.conf
  ppolicy-check-password.5
  0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
  (Implements fate#319461)

- Remove redundant -n openldap2- package name prefix.

- sanitize release line in specfile
- move systemd requires to server package
- use configure macro also for building the 2.3.37 version
      admin24 fix TLSDHParamFile to be correct (ITS#7684)
- FATE#315028 remove memory limit for slapd
- fix check-build.sh for kernel > 3.0
- Disabled testsuite for now. Causes problems in the buildserivce
- Install the correct schema2ldif script (bnc#665530)
  avoids build-compare failures and unhelpful rebuilds/republishes
- Fix listener URIs in init script to make SLP registration work
  again (bnc#620389)
  * Fixed slapd modrdn handling of invalid values (bnc#612430,
- New subpackage openldap2-back-sql. Contains the SQL backend
- Delete Operations happening during the "Refresh" phase of

OBS-URL: https://build.opensuse.org/request/show/361364
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=117
Dominique Leuenberger 2016-02-29 08:11:20 +00:00 committed by Git OBS Bridge
commit e4be85f6ae
7 changed files with 632 additions and 163 deletions


@ -0,0 +1,130 @@
From b026c9236e6b11c158e69572a28eb0efb174234b Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo@gmail.com>
Date: Wed, 17 Feb 2016 16:10:05 +0100
Subject: [PATCH] Fix incorrect calculation of consecutive number of characters
in a class, when the input is shorter than 6 chars or consecutive chars
appear at the beginning of input
diff --git a/check_password.c b/check_password.c
index 0d9f901..acf8eda 100644
--- a/check_password.c
+++ b/check_password.c
@@ -355,18 +355,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
int min_quality = DEFAULT_QUALITY;
int use_cracklib = DEFAULT_CRACKLIB;
- /** bail out early as cracklib will reject passwords shorter
- * than 6 characters
- */
-
nLen = strlen (pPasswd);
- if ( nLen < 6) {
- mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
- sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
- goto fail;
- }
if (read_config_file() == -1) {
syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
@@ -392,46 +381,38 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
*/
if ( max_consecutive_per_class != 0 ) {
- int consec_chars = 1;
- char type[10] = "unkown";
- char prev_type[10] = "unknown";
+ char prev_type = '\0';
+ char this_type = ' ';
+ i = 0;
+ int consec_chars = 0;
for ( i = 0; i < nLen; i++ ) {
-
if ( islower(pPasswd[i]) ) {
- strncpy(type,"lower",10);
+ this_type = 'l';
}
else if ( isupper(pPasswd[i]) ) {
- strncpy(type,"upper",10);
+ this_type = 'u';
}
else if ( isdigit(pPasswd[i]) ) {
- strncpy(type,"digit",10);
+ this_type = 'd';
}
else if ( ispunct(pPasswd[i]) ) {
- strncpy(type,"punct",10);
+ this_type = 'p';
}
else {
- strncpy(type,"unknown",10);
- }
-
- if ( consec_chars > max_consecutive_per_class ) {
- mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(CONSEC_FAIL_SZ) +
- strlen(pEntry->e_name.bv_val));
- sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
- goto fail;
+ this_type = ' ';
}
-
- if ( strncmp(type,prev_type,10) == 0 ) {
- consec_chars++;
+ if (this_type == prev_type) {
+ ++consec_chars;
+ } else if (i > 0) {
+ consec_chars = 0;
}
- else {
- if (strncmp("unknown",prev_type,8) != 0) {
- consec_chars = 1;
- }
- else {
- consec_chars++;
- }
- strncpy(prev_type,type,10);
+ prev_type = this_type;
+ if ( consec_chars >= max_consecutive_per_class ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+ strlen(CONSEC_FAIL_SZ) +
+ strlen(pEntry->e_name.bv_val));
+ sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
+ goto fail;
}
}
}
diff --git a/check_password_test.c b/check_password_test.c
index 626d719..d33bd80 100644
--- a/check_password_test.c
+++ b/check_password_test.c
@@ -90,7 +90,6 @@ void setconf(
}
int main(void) {
-
// Empty Config, equiv to:
// 5,3,1,0,0,0,0
setconf(-1,-1,-1,-1,-1,-1,-1);
@@ -109,5 +108,16 @@ int main(void) {
testpass("Test 2.1", "Simp1e", 1);
testpass("Test 2.2", "SimPle", 1);
testpass("Test 2.1", "Simp1e!", 0);
+
+ setconf(1,0,0,0,0,0,0);
+ testpass("a", "Ab1,", 0);
+ testpass("a", "AAb1,", 1);
+ testpass("a", "Abb1,", 1);
+
+ setconf(3,0,0,0,0,0,0);
+ testpass("a", "AAAbbb111,,,", 0);
+ testpass("a", "AAAAbbb111,,,,", 1);
+ testpass("a", "AAAbbbb111,,,", 1);
+
return 0;
}
--
2.7.1
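Review bot: In the rewritten class loop of check_password.c, `islower(pPasswd[i])` and its three sibling calls still receive a plain `char`, so on platforms where `char` is signed any password byte above 0x7F is passed as a negative value, which is undefined behaviour for the ctype.h functions; cast at each call, e.g. `islower((unsigned char)pPasswd[i])`. Bytes that match none of the four tests all get `this_type = ' '` and are counted as a run like any other class, so a password with several multi-byte UTF-8 characters in a row would presumably hit `max_consecutive_per_class` byte by byte; a test case and a sentence in the man page would settle the intended behaviour. Separately, the first hunk removes the `nLen < 6` guard and the new tests expect 0 for the four-character `Ab1,`, which appears to mean accepted, so minimum length now has to come from cracklib or from the ppolicy `pwdMinLength` attribute; a comment at `nLen = strlen (pPasswd);` saying so would help whoever configures this module. check_password starts and ends outside both hunks, so how `max_consecutive_per_class` is parsed and bounded is not visible here.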


@ -1,3 +1,31 @@
-------------------------------------------------------------------
Thu Feb 25 11:06:12 UTC 2016 - hguo@suse.com
- Move ldap.conf into libldap-data package, per convention.
-------------------------------------------------------------------
Sun Feb 21 23:04:38 UTC 2016 - jengelh@inai.de
- Move ldap.conf out of shlib package again, they are not allowed
there for obvious reasons (conflict with future package).
-------------------------------------------------------------------
Thu Feb 18 14:45:30 UTC 2016 - hguo@suse.com
- Build password strength enforcer as an implementation of ppolicy
password checker, introducing:
ppolicy-check-password-1.2.tar.gz
ppolicy-check-password.Makefile
ppolicy-check-password.conf
ppolicy-check-password.5
0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
(Implements fate#319461)
-------------------------------------------------------------------
Thu Feb 18 12:18:13 UTC 2016 - lmuelle@suse.com
- Remove redundant -n openldap2- package name prefix.
-------------------------------------------------------------------
Mon Feb 8 14:40:32 UTC 2016 - hguo@suse.com
@ -22,7 +50,7 @@ Mon Feb 8 14:40:32 UTC 2016 - hguo@suse.com
-------------------------------------------------------------------
Mon Feb 8 13:24:49 UTC 2016 - mpluskal@suse.com
- Use optflags when building
-------------------------------------------------------------------
@ -155,7 +183,7 @@ Wed Sep 10 10:26:02 UTC 2014 - varkoly@suse.com
-------------------------------------------------------------------
Wed Sep 3 01:49:12 CEST 2014 - ro@suse.de
- sanitize release line in specfile
- sanitize release line in specfile
-------------------------------------------------------------------
Wed Jul 16 15:56:11 UTC 2014 - ckornacker@suse.com
@ -176,7 +204,7 @@ Tue May 13 15:20:40 UTC 2014 - coolo@suse.com
-------------------------------------------------------------------
Wed Apr 23 20:51:14 UTC 2014 - dmueller@suse.com
- move systemd requires to server package
- move systemd requires to server package
-------------------------------------------------------------------
Tue Feb 18 14:39:07 UTC 2014 - ckornacker@suse.com
@ -186,7 +214,7 @@ Tue Feb 18 14:39:07 UTC 2014 - ckornacker@suse.com
-------------------------------------------------------------------
Sun Feb 16 18:55:40 CET 2014 - ro@suse.de
- use configure macro also for building the 2.3.37 version
- use configure macro also for building the 2.3.37 version
-------------------------------------------------------------------
Wed Feb 12 11:24:08 UTC 2014 - varkoly@suse.com
@ -211,13 +239,13 @@ Wed Feb 12 11:24:08 UTC 2014 - varkoly@suse.com
* Build Environment
Test suite: Use $(MAKE) for tests (ITS#7753)
* Documentation
admin24 fix TLSDHParamFile to be correct (ITS#7684)
admin24 fix TLSDHParamFile to be correct (ITS#7684)
-------------------------------------------------------------------
Tue Feb 11 08:49:43 UTC 2014 - varkoly@suse.com
- Add systemd style service definition
- FATE#315028 remove memory limit for slapd
- FATE#315028 remove memory limit for slapd
- FATE#315415: LDAP compat packages required for older SLES versions
For this reson following patches were applied:
openldap-2.3.37-libldap-suid.diff
@ -363,7 +391,7 @@ Mon Mar 25 16:08:21 UTC 2013 - jengelh@inai.de
-------------------------------------------------------------------
Sat Nov 17 12:06:23 CET 2012 - ro@suse.de
- fix check-build.sh for kernel > 3.0
- fix check-build.sh for kernel > 3.0
-------------------------------------------------------------------
Fri Nov 16 09:52:42 UTC 2012 - rhafer@suse.com
@ -449,7 +477,7 @@ Thu May 10 09:22:52 UTC 2012 - rhafer@suse.de
-------------------------------------------------------------------
Mon Apr 23 07:08:13 UTC 2012 - rhafer@suse.de
- Disabled testsuite for now. Causes problems in the buildserivce
- Disabled testsuite for now. Causes problems in the buildserivce
-------------------------------------------------------------------
Tue Mar 6 12:23:35 UTC 2012 - rhafer@suse.de
@ -664,7 +692,7 @@ Tue Feb 1 10:08:06 UTC 2011 - rhafer@suse.de
-------------------------------------------------------------------
Wed Jan 19 15:05:27 UTC 2011 - rhafer@suse.de
- Install the correct schema2ldif script (bnc#665530)
- Install the correct schema2ldif script (bnc#665530)
-------------------------------------------------------------------
Wed Jan 5 15:48:27 UTC 2011 - rhafer@novell.com
@ -696,7 +724,7 @@ Tue Oct 5 14:39:46 UTC 2010 - rhafer@novell.com
Sun Oct 3 22:55:34 UTC 2010 - cristian.rodriguez@opensuse.org
- Do not include Build date and time in binaries, this
avoids build-compare failures and unhelpful rebuilds/republishes
avoids build-compare failures and unhelpful rebuilds/republishes
-------------------------------------------------------------------
Wed Sep 29 09:21:52 UTC 2010 - rhafer@novell.com
@ -709,8 +737,8 @@ Wed Sep 29 09:21:52 UTC 2010 - rhafer@novell.com
-------------------------------------------------------------------
Thu Aug 26 14:04:06 UTC 2010 - rhafer@novell.com
- Fix listener URIs in init script to make SLP registration work
again (bnc#620389)
- Fix listener URIs in init script to make SLP registration work
again (bnc#620389)
-------------------------------------------------------------------
Fri Jul 23 07:49:40 UTC 2010 - rhafer@novell.com
@ -726,7 +754,7 @@ Thu Jul 1 13:02:13 UTC 2010 - rhafer@novell.com
* Fixed liblutil off-by-one with delta (ITS#6541)
* Fixed slapd acls with glued databases (ITS#6468)
* Fixed slapd syncrepl rid logging (ITS#6533)
* Fixed slapd modrdn handling of invalid values (bnc#612430,
* Fixed slapd modrdn handling of invalid values (bnc#612430,
ITS#6570)
* Fixed slapd-bdb hasSubordinates computation (ITS#6549)
* Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474)
@ -740,7 +768,7 @@ Thu Jul 1 13:02:13 UTC 2010 - rhafer@novell.com
ITS#6555)
* Fixed slapo-valsort to use Debug (ITS#6566)
* Fixed contrib/nssov network.c missing patch (ITS#6562)
- New subpackage openldap2-back-sql. Contains the SQL backend
- New subpackage openldap2-back-sql. Contains the SQL backend
module plus some documentation (bnc#395719)
- generate Patches from git tree (resulted in all patches being
renamed)
@ -756,14 +784,14 @@ Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com
- LDAP clients could crash the server by submitting a specially
crafted LDAP ModRDN operation. (bnc#612430, ITS#6570)
- Delete Operations happening during the "Refresh" phase of
- Delete Operations happening during the "Refresh" phase of
"refreshAndPersist" replication failed to replicate under
certain circumstances (bnc#606294, ITS#6555)
certain circumstances (bnc#606294, ITS#6555)
-------------------------------------------------------------------
Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com
- Create /var/run/slapd on demand. /var/run might be mounted on
- Create /var/run/slapd on demand. /var/run might be mounted on
tmpfs.
-------------------------------------------------------------------
@ -781,7 +809,7 @@ Wed Mar 17 13:06:12 UTC 2010 - rhafer@novell.com
Tue Mar 16 10:01:39 UTC 2010 - rhafer@novell.com
- Removed obsolete hunk from openldap2.dif
- Remove ldap.conf patch to use saner default for Certificate
- Remove ldap.conf patch to use saner default for Certificate
verification (bnc#575146)
-------------------------------------------------------------------
@ -817,7 +845,7 @@ Thu Dec 10 15:41:11 UTC 2009 - rhafer@novell.com
"demand" as documented even if other tls_ options are absent
(bnc#558397, ITS#6319)
- apply changes to the global size and timelimits to all database
that don't specify limits themself. (bnc#562184, ITS#6428)
that don't specify limits themself. (bnc#562184, ITS#6428)
-------------------------------------------------------------------
Mon Nov 30 16:09:22 UTC 2009 - rhafer@novell.com
@ -842,7 +870,7 @@ Mon Nov 30 16:09:22 UTC 2009 - rhafer@novell.com
* Fixed slapo-syncprov checkpoint conversion (ITS#6370)
* Fixed slapo-syncprov deadlock (ITS#6335)
* Fixed slapo-syncprov out of order changes (ITS#6346)
- Added switch to enable/disable testsuite (%run_test_suite)
- Added switch to enable/disable testsuite (%run_test_suite)
-------------------------------------------------------------------
Tue Nov 3 19:13:32 UTC 2009 - coolo@novell.com
@ -852,8 +880,8 @@ Tue Nov 3 19:13:32 UTC 2009 - coolo@novell.com
-------------------------------------------------------------------
Mon Sep 28 13:59:18 UTC 2009 - rhafer@novell.com
- Added schema2ldif tool to openldap2-client subpackage
(bnc#541819)
- Added schema2ldif tool to openldap2-client subpackage
(bnc#541819)
-------------------------------------------------------------------
Wed Sep 23 15:35:13 UTC 2009 - rhafer@novell.com
@ -916,23 +944,23 @@ Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
-------------------------------------------------------------------
Mon Jun 29 14:24:56 CEST 2009 - rhafer@novell.com
- Fixed Summary/Description for -client subpackage
- Fixed Summary/Description for -client subpackage
-------------------------------------------------------------------
Thu Jun 25 17:29:03 CEST 2009 - rhafer@novell.com
- Improved connection check in init script (bnc#510295)
- Improved connection check in init script (bnc#510295)
-------------------------------------------------------------------
Mon Jun 15 12:12:17 CEST 2009 - rhafer@novell.com
- Fixed complilation with newer glibc (2.3.X release needs
- Fixed complilation with newer glibc (2.3.X release needs
GNU_SOURCE defined as well in getpeerid.c)
-------------------------------------------------------------------
Wed Apr 29 17:07:33 CEST 2009 - rhafer@novell.com
- gcc 4.4 fixes
- gcc 4.4 fixes
-------------------------------------------------------------------
Mon Apr 6 15:41:05 CEST 2009 - rhafer@suse.de
@ -958,7 +986,7 @@ Mon Apr 6 15:41:05 CEST 2009 - rhafer@suse.de
* Fixed slapd-ldap/meta with invalid attrs again (ITS#5959)
* Fixed slapo-accesslog interaction with ppolicy (ITS#5979)
* Fixed slapo-dynlist conversion to cn=config (ITS#6002)
* Fixed various slapo-syncprov issues (ITS#5972, ITS#6020,
* Fixed various slapo-syncprov issues (ITS#5972, ITS#6020,
ITS#5985, ITS#5999, ITS#5973, ITS#6045, ITS#6024, ITS#5988)
- Fix building on older openSUSE releases
@ -994,7 +1022,7 @@ Fri Mar 20 14:00:20 CET 2009 - rhafer@suse.de
* Fixed slapd epoll handling (ITS#5886)
* Fixed slapd glue with MMR (ITS#5925)
* Fixed slapd listener comparison (ITS#5613)
* Fixed various syncrepl issues (ITS#5809,ITS#5850, ITS#5843,
* Fixed various syncrepl issues (ITS#5809,ITS#5850, ITS#5843,
ITS#5866, ITS#5901, ITS#5881, ITS#5935, ITS#5710,
ITS#5781, ITS#5809, ITS#5798, ITS#5826)
* Fixed slapd-bdb/hdb dncachesize handling (ITS#5860)
@ -1009,7 +1037,7 @@ Wed Jan 7 12:34:56 CET 2009 - olh@suse.de
-------------------------------------------------------------------
Fri Dec 12 14:45:07 CET 2008 - rhafer@suse.de
- Fixed openldap2-devel dependencies (bnc#457989)
- Fixed openldap2-devel dependencies (bnc#457989)
-------------------------------------------------------------------
Tue Dec 9 11:11:38 CET 2008 - rhafer@suse.de
@ -1021,7 +1049,7 @@ Tue Dec 9 11:11:38 CET 2008 - rhafer@suse.de
-------------------------------------------------------------------
Fri Nov 28 14:08:16 CET 2008 - rhafer@suse.de
- Disable the slapadd trickle-task it cause performance issues
- Disable the slapadd trickle-task it cause performance issues
when using libdb-4.5 (bnc#449641)
- removed obsolete configure option (ldbm backend does not exist
in OpenLDAP 2.4)
@ -1044,8 +1072,8 @@ Tue Nov 4 14:10:24 CET 2008 - rhafer@suse.de
-------------------------------------------------------------------
Thu Oct 23 12:59:08 CEST 2008 - rhafer@suse.de
- the helper function to create various LDAP controls returned
wrong error codes under certain circumstances
- the helper function to create various LDAP controls returned
wrong error codes under certain circumstances
(bnc#429064, ITS#5762)
- Fixed referral chasing in chain-overlay (bnc#438088, ITS#5742)
- Fixed back-config integration of overlays with private instances
@ -1089,8 +1117,8 @@ Sun Oct 12 23:51:09 CEST 2008 - rhafer@suse.de
-------------------------------------------------------------------
Mon Oct 6 10:49:23 CEST 2008 - rhafer@suse.de
- remove some problematic test-cases, that cause a lot of
unreproducable buildfailures
- remove some problematic test-cases, that cause a lot of
unreproducable buildfailures
- check for exisitence of /etc/openldap/slapd.conf in init-script
assume back-config usage if it isn't present (bnc#428168)
@ -1124,14 +1152,14 @@ Fri Sep 12 10:09:28 CEST 2008 - rhafer@suse.de
-------------------------------------------------------------------
Tue Sep 9 17:22:18 CEST 2008 - rhafer@suse.de
- Removed getaddrinfo workaround. Recent glibc doesn't need it
- Removed getaddrinfo workaround. Recent glibc doesn't need it
anymore (bnc#288879, ITS#5251)
- Server requires libldap of the same version.
-------------------------------------------------------------------
Mon Sep 8 16:07:47 CEST 2008 - rhafer@suse.de
- Import back-config support for deleting databases from CVS HEAD
- Import back-config support for deleting databases from CVS HEAD
-------------------------------------------------------------------
Tue Sep 2 09:18:05 CEST 2008 - rhafer@suse.de
@ -1141,9 +1169,9 @@ Tue Sep 2 09:18:05 CEST 2008 - rhafer@suse.de
-------------------------------------------------------------------
Thu Aug 28 11:46:08 CEST 2008 - rhafer@suse.de
- added ldapns.schema , to allow to use pam_ldap's "check_host_attr"
- added ldapns.schema , to allow to use pam_ldap's "check_host_attr"
and "check_service_attr" features (bnc#419984)
- backport overlay_register_control fix from HEAD (bnc#420016,
- backport overlay_register_control fix from HEAD (bnc#420016,
ITS#5649)
-------------------------------------------------------------------
@ -1160,14 +1188,14 @@ Mon Aug 18 11:00:13 CEST 2008 - rhafer@suse.de
Wed Aug 13 17:25:25 CEST 2008 - ro@suse.de
- try to fix build for buildservice
(BUILD_INCARNATION can be empty)
(BUILD_INCARNATION can be empty)
-------------------------------------------------------------------
Mon Aug 11 11:06:08 CEST 2008 - rhafer@suse.de
- /usr/lib/sasl2/slapd.conf was moved to /etc/sasl2/slapd.conf
- /usr/lib/sasl2/slapd.conf was moved to /etc/sasl2/slapd.conf
(bnc#412652)
- adjust ownerships of database directories even when using
- adjust ownerships of database directories even when using
back-config
-------------------------------------------------------------------
@ -1226,13 +1254,13 @@ Tue Jun 24 11:08:00 CEST 2008 - rhafer@suse.de
Wed Jun 11 13:03:29 CEST 2008 - rhafer@suse.de
- Update to Version 2.4.10. Most important changes:
* Fixed libldap ld_defconn cleanup if it was freed (ITS#5518,
* Fixed libldap ld_defconn cleanup if it was freed (ITS#5518,
ITS#5525)
* Fixed libldap msgid handling (ITS#5318)
* Fixed libldap t61 infinite loop (ITS#5542)
* Fixed libldap_r missing stubs (ITS#5519)
* Fixed slapd initialization of sr_msgid, rs->sr_tag (ITS#5461)
* Fixed slapd missing termination of integerFilter keys
* Fixed slapd missing termination of integerFilter keys
(ITS#5503)
* Fixed slapd multiple attrs in URI (ITS#5516)
* Fixed slapd sasl_ssf retrieval (ITS#5403)
@ -1256,7 +1284,7 @@ Wed Jun 11 13:03:29 CEST 2008 - rhafer@suse.de
-------------------------------------------------------------------
Fri May 16 13:24:11 CEST 2008 - rhafer@suse.de
- Support update from 2.3 releases (bnc#390247)
- Support update from 2.3 releases (bnc#390247)
-------------------------------------------------------------------
Thu May 8 08:55:00 CEST 2008 - rhafer@suse.de
@ -1287,8 +1315,8 @@ Thu May 8 08:55:00 CEST 2008 - rhafer@suse.de
* Fixed slapd-meta crash on search (ITS#5481)
* Various syncrepl fixes (ITS#5407, ITS#5413, ITS#5426, ITS#5430,
ITS#5432, ITS#5454, ITS#5397, ITS#5470)
* Various slapo-syncprov fixes (ITS#5401, ITS#5405, ITS#5418,
ITS#5486, ITS#5433, ITS#5434, ITS#5437, ITS#5444, ITS#5445,
* Various slapo-syncprov fixes (ITS#5401, ITS#5405, ITS#5418,
ITS#5486, ITS#5433, ITS#5434, ITS#5437, ITS#5444, ITS#5445,
ITS#5484, ITS#5451)
-------------------------------------------------------------------
@ -1316,7 +1344,7 @@ Thu Apr 3 14:26:12 CEST 2008 - rhafer@suse.de
Mon Mar 3 08:50:18 CET 2008 - rhafer@suse.de
- revert last change and make libldap_r available again as some
packages seem to directly rely on libldap_r. Assume they know
packages seem to directly rely on libldap_r. Assume they know
of the libldap_r's limitations.
-------------------------------------------------------------------
@ -1324,7 +1352,7 @@ Wed Feb 27 11:21:39 CET 2008 - rhafer@suse.de
- Moved libldap_r from -client subpackage to the main server
package as it is only meant to be used by slapd.
- Removed static libldap_r.a library and libldap_r.so link from
- Removed static libldap_r.a library and libldap_r.so link from
-devel subpackage. External programs should only use the "normal"
libldap library.
@ -1343,7 +1371,7 @@ Wed Feb 20 09:49:30 CET 2008 - rhafer@suse.de
* Fixed slapd modrdn check for valid new DN (ITS#5344)
* Fixed slapd multi-step SASL binds (ITS#5298)
* Fixed slapd overlay ordering when moving to slapd.d (ITS#5284)
* Fixed slapd NULL printf (ITS#5264)
* Fixed slapd NULL printf (ITS#5264)
* Fixed slapd NULL set values (ITS#5286)
* Fixed slapd timestamp race condition (ITS#5370)
* Fixed slapd cn=config crash on delete (ITS#5343)
@ -1367,12 +1395,12 @@ Wed Feb 20 09:49:30 CET 2008 - rhafer@suse.de
-------------------------------------------------------------------
Thu Jan 10 15:06:12 CET 2008 - rhafer@suse.de
- Removed bogus debugging output from slapd_getaddrinfo_dupl.dif
- Removed bogus debugging output from slapd_getaddrinfo_dupl.dif
-------------------------------------------------------------------
Wed Jan 9 13:29:33 CET 2008 - rhafer@suse.de
- Fixed allocation for paged results cookie (Bug #352255, ITS#5315)
- Fixed allocation for paged results cookie (Bug #352255, ITS#5315)
-------------------------------------------------------------------
Fri Dec 14 13:53:33 CET 2007 - rhafer@suse.de
@ -1555,7 +1583,7 @@ Tue Mar 20 17:08:37 CET 2007 - rguenther@suse.de
-------------------------------------------------------------------
Thu Mar 15 14:29:22 CET 2007 - rhafer@suse.de
- added Service definitions for SuSEfirewall2 (Bug #251654)
- added Service definitions for SuSEfirewall2 (Bug #251654)
-------------------------------------------------------------------
Thu Feb 22 16:50:18 CET 2007 - rhafer@suse.de
@ -1567,12 +1595,12 @@ Thu Feb 22 16:50:18 CET 2007 - rhafer@suse.de
* Fixed slapd libltdl link ordering (ITS#4830)
* Fixed slapd syncrepl memory leaks (ITS#4805)
* Fixed slapd dynacl/ACI compatibility with 2.1
* Fixed slapd-bdb/hdb be_entry_get with aliases/referrals
* Fixed slapd-bdb/hdb be_entry_get with aliases/referrals
(ITS#4810)
* Fixed slapd-ldap more response handling bugs (ITS#4782)
* Fixed slapd-ldap C-API code tests (ITS#4808)
* Fixed slapd-monitor NULL printf (ITS#4811)
* Fixed slapo-chain spurious additional info in response
* Fixed slapo-chain spurious additional info in response
(ITS#4828)
* Fixed slapo-syncprov presence list (ITS#4813)
* Fixed slapo-syncprov contextCSN checkpoint again (ITS#4720)
@ -1584,15 +1612,15 @@ Fri Jan 26 14:26:51 CET 2007 - rhafer@suse.de
- Updated to Version 2.3.33. Most important changes:
* Fixed slapd-ldap chase-referrals switch (ITS#4557)
* Fixed slapd-ldap bind behavior when idassert is always used
* Fixed slapd-ldap bind behavior when idassert is always used
(ITS#4781)
* Fixed slapd-ldap response handling bugs (ITS#4782)
* Fixed slapd-ldap idassert mode=self anonymous ops (ITS#4798)
* Fixed slapd-ldap/meta privileged connections handling
* Fixed slapd-ldap/meta privileged connections handling
(ITS#4791)
* Fixed slapd-meta retrying (ITS#4594, 4762)
* Fixed slapo-chain referral DN use (ITS#4776)
* Fixed slapo-dynlist dangling pointer after entry free
* Fixed slapo-dynlist dangling pointer after entry free
(ITS#4801)
* Fixed libldap ldap_pvt_put_filter syntax checks (ITS#4648)
@ -1606,7 +1634,7 @@ Fri Jan 12 11:04:22 CET 2007 - rhafer@suse.de
* Fixed slapd connections_shutdown assert
* Fixed slapd add redundant duplicate value check (ITS#4600)
* Fixed slapd ACL set memleak (ITS#4780)
* Fixed slapd syncrepl shutdown hang (ITS#4790)
* Fixed slapd syncrepl shutdown hang (ITS#4790)
-------------------------------------------------------------------
Fri Nov 17 10:25:44 CET 2006 - rhafer@suse.de
@ -1614,33 +1642,33 @@ Fri Nov 17 10:25:44 CET 2006 - rhafer@suse.de
- Fix for a flaw in libldap's strval2strlen() function when processing the
authcid string of certain Bind Requests, which could allow attackers to
cause an affected application to crash (especially the OpenLDAP Server),
creating a denial of service condition (Bug#221154,ITS#4740)
creating a denial of service condition (Bug#221154,ITS#4740)
-------------------------------------------------------------------
Tue Nov 14 16:18:34 CET 2006 - rhafer@suse.de
- Additional back-perl fixes from CVS. The first revision of the
- Additional back-perl fixes from CVS. The first revision of the
patch did not fix the problem completely (Bug#207618, ITS#4751)
-------------------------------------------------------------------
Fri Oct 27 16:46:43 CEST 2006 - rhafer@suse.de
- cyrus-sasl configuration moved from %{_libdir}/sasl2 to
- cyrus-sasl configuration moved from %{_libdir}/sasl2 to
/etc/sasl2/ (Bug: #206414)
-------------------------------------------------------------------
Wed Oct 4 15:56:11 CEST 2006 - rhafer@suse.de
- Add $network to Should-Start/Should-Stop in init scripts
- Add $network to Should-Start/Should-Stop in init scripts
(Bug: #206823)
- Imported latest back-perl changes from CVS, to fix back-perl
- Imported latest back-perl changes from CVS, to fix back-perl
initialization (Bug: #207618)
-------------------------------------------------------------------
Tue Aug 22 16:27:25 CEST 2006 - rhafer@suse.de
- Updated to Version 2.3.27
* Fixed libldap dnssrv bug with "not present" positive statement
* Fixed libldap dnssrv bug with "not present" positive statement
(ITS#4610)
* Fixed libldap dangling pointer issue (ITS#4405)
* Fixed slapd incorrect rebuilding of replica URI (ITS#4633)
@ -1671,7 +1699,7 @@ Wed Aug 2 11:08:23 CEST 2006 - rhafer@suse.de
Mon Jun 26 16:36:16 CEST 2006 - rhafer@suse.de
- Updated to Version 2.3.24
* Fixed slapd syncrepl timestamp bug (delta-sync/cascade)
* Fixed slapd syncrepl timestamp bug (delta-sync/cascade)
(ITS#4567)
* Fixed slapd-bdb/hdb non-root users adding suffix/root entries
(ITS#4552)
@ -1691,7 +1719,7 @@ Thu Jun 22 14:46:58 CEST 2006 - schwab@suse.de
Wed May 24 09:52:03 CEST 2006 - rhafer@suse.de
- Updated to Version 2.3.23
* obsoletes the patches: libldap_ads-sasl-gssapi.dif,
* obsoletes the patches: libldap_ads-sasl-gssapi.dif,
slapd-epollerr.dif
* Fixed slapd-ldap improper free bug (ITS#4550)
* Fixed libldap referral input destroy issue (ITS#4533)
@ -1709,15 +1737,15 @@ Wed May 24 09:52:03 CEST 2006 - rhafer@suse.de
-------------------------------------------------------------------
Wed May 10 10:20:16 CEST 2006 - rhafer@suse.de
- Really apply the patch for Bug#160566
- slapd could crash while processing queries with pre-/postread
- Really apply the patch for Bug#160566
- slapd could crash while processing queries with pre-/postread
controls (Bug#173877, ITS#4532)
-------------------------------------------------------------------
Fri Mar 24 13:48:52 CET 2006 - rhafer@suse.de
- Backported fix from CVS for occasional crashes in referral
chasing code (as used in e.g. back-meta/back-ldap).
- Backported fix from CVS for occasional crashes in referral
chasing code (as used in e.g. back-meta/back-ldap).
(Bug: #160566, ITS: #4448)
-------------------------------------------------------------------
@ -1729,7 +1757,7 @@ Mon Mar 13 16:23:32 CET 2006 - rhafer@suse.de
-------------------------------------------------------------------
Fri Feb 17 12:58:13 CET 2006 - rhafer@suse.de
- Add "external" to the list of supported SASL mechanisms
- Add "external" to the list of supported SASL mechanisms
(Bug: #151771)
-------------------------------------------------------------------
@ -1741,7 +1769,7 @@ Thu Feb 16 11:45:20 CET 2006 - rhafer@suse.de
-------------------------------------------------------------------
Mon Feb 13 14:45:43 CET 2006 - rhafer@suse.de
- Don't ignore non-read/write epoll events (Bug: #149993,
- Don't ignore non-read/write epoll events (Bug: #149993,
ITS: #4395)
- Added update message to /usr/share/update-messages/en/ and enable
it, when update did not succeed.
@ -1763,7 +1791,7 @@ Fri Feb 3 11:32:27 CET 2006 - rhafer@suse.de
-------------------------------------------------------------------
Fri Jan 27 09:15:33 CET 2006 - rhafer@suse.de
- Updated to 2.3.19 (Bug #144371)
- Updated to 2.3.19 (Bug #144371)
-------------------------------------------------------------------
Fri Jan 27 02:16:56 CET 2006 - mls@suse.de
@ -1773,8 +1801,8 @@ Fri Jan 27 02:16:56 CET 2006 - mls@suse.de
-------------------------------------------------------------------
Wed Jan 25 18:17:51 CET 2006 - rhafer@suse.de
- Updated Admin Guide to latest version
- build slapcat from openldap-2.2.24 and install it to
- Updated Admin Guide to latest version
- build slapcat from openldap-2.2.24 and install it to
/usr/sbin/openldap-2.2-slapcat to be able to migrate from
OpenLDAP 2.2.
- removed slapd-backbdb-dbupgrade which is no longer needed
@ -1799,24 +1827,24 @@ Wed Jan 11 10:13:52 CET 2006 - rhafer@suse.de
-------------------------------------------------------------------
Mon Jan 9 11:48:10 CET 2006 - rhafer@suse.de
- Updated to 2.3.16
- Updated to 2.3.16
-------------------------------------------------------------------
Mon Dec 19 13:55:35 CET 2005 - rhafer@suse.de
- Fixed filelist (slapd-hdb man-page was missing)
- Fixed filelist (slapd-hdb man-page was missing)
-------------------------------------------------------------------
Fri Dec 9 10:04:28 CET 2005 - rhafer@suse.de
- Fixed build on x86_64
- Fixed build on x86_64
-------------------------------------------------------------------
Wed Dec 7 10:48:57 CET 2005 - rhafer@suse.de
- Merged -back-ldap and -back-monitor subpackages into the main
- Merged -back-ldap and -back-monitor subpackages into the main
package and don't build them as dynamic modules anymore.
- updated to OpenLDAP 2.3.13
- updated to OpenLDAP 2.3.13
-------------------------------------------------------------------
Mon Nov 28 16:56:21 CET 2005 - rhafer@suse.de
@ -1837,7 +1865,7 @@ Mon Sep 26 09:51:11 CEST 2005 - rhafer@suse.de
-------------------------------------------------------------------
Fri Sep 23 14:41:14 CEST 2005 - rhafer@suse.de
- updated to OpenLDAP 2.3.7
- updated to OpenLDAP 2.3.7
-------------------------------------------------------------------
Tue Aug 16 14:08:49 CEST 2005 - rhafer@suse.de
@ -1847,13 +1875,13 @@ Tue Aug 16 14:08:49 CEST 2005 - rhafer@suse.de
-------------------------------------------------------------------
Mon Jul 4 11:42:08 CEST 2005 - rhafer@suse.de
- devel-subpackage requires openldap2-client of the same version
- devel-subpackage requires openldap2-client of the same version
(Bugzilla: #93579)
-------------------------------------------------------------------
Thu Jun 30 17:55:22 CEST 2005 - uli@suse.de
- build with -fPIE (not -fpie) to avoid GOT overflow on s390*
- build with -fPIE (not -fpie) to avoid GOT overflow on s390*
-------------------------------------------------------------------
Wed Jun 22 16:26:42 CEST 2005 - rhafer@suse.de
@ -1863,12 +1891,12 @@ Wed Jun 22 16:26:42 CEST 2005 - rhafer@suse.de
-------------------------------------------------------------------
Wed Jun 15 16:43:25 CEST 2005 - rhafer@suse.de
- updated to 2.2.27
- updated to 2.2.27
-------------------------------------------------------------------
Wed May 25 13:58:57 CEST 2005 - rhafer@suse.de
- libldap-gethostbyname_r.dif: Use gethostbyname_r instead of
- libldap-gethostbyname_r.dif: Use gethostbyname_r instead of
gethostbyname in libldap. Should fix host lookups through
nss_ldap (Bugzilla: #76173)
@ -1881,21 +1909,21 @@ Fri May 13 12:27:05 CEST 2005 - rhafer@suse.de
-------------------------------------------------------------------
Thu Apr 28 09:42:30 CEST 2005 - rhafer@suse.de
- Added /%{_libdir}]/sasl2/slapd.conf to avoid warnings about
- Added /%{_libdir}]/sasl2/slapd.conf to avoid warnings about
unconfigured OTP mechanism (Bugzilla: #80588)
-------------------------------------------------------------------
Tue Apr 12 15:02:24 CEST 2005 - rhafer@suse.de
- added minimal timeout to startproc in init-script to let it
report the "failed" status correctly in case of misconfiguration
- added minimal timeout to startproc in init-script to let it
report the "failed" status correctly in case of misconfiguration
(Bugzilla: #76393)
-------------------------------------------------------------------
Mon Apr 4 16:41:32 CEST 2005 - rhafer@suse.de
- crl-check.dif: Implements CRL checking on client and server side
- use different base ports for differnt values of BUILD_INCARNATION
- use different base ports for differnt values of BUILD_INCARNATION
(/.buildenv) to allow parallel runs of the test-suite on a single
machine
@ -1919,7 +1947,7 @@ Tue Mar 29 14:21:50 CEST 2005 - rhafer@suse.de
Wed Mar 2 13:44:23 CET 2005 - rhafer@suse.de
- syncrepl.dif: merged latest syncrepl fixes (Bugzilla: #65928)
- libldap-reinit-fdset.dif: Re-init fd_sets when select is
- libldap-reinit-fdset.dif: Re-init fd_sets when select is
interupted (Bugzilla #50076, ITS: #3524)
-------------------------------------------------------------------
@ -1931,7 +1959,7 @@ Thu Feb 17 14:28:02 CET 2005 - rhafer@suse.de
-------------------------------------------------------------------
Tue Feb 1 14:30:13 CET 2005 - rhafer@suse.de
- Cleanup back-bdb databases in %post, db-4.3 changed the
- Cleanup back-bdb databases in %post, db-4.3 changed the
transaction log format again.
- cosmetic fixes in init script
@ -1969,7 +1997,7 @@ Fri Sep 24 17:55:10 CEST 2004 - ro@suse.de
-------------------------------------------------------------------
Fri Sep 24 13:59:40 CEST 2004 - rhafer@suse.de
- Added pre_checkin.sh to generate a separate openldap2-client
- Added pre_checkin.sh to generate a separate openldap2-client
spec-file from which the openldap2-client and openldap2-devel
subpackages are built. Should reduce build time for libldap as
the test-suite is only executed in openldap2.spec.
@ -1990,15 +2018,15 @@ Mon Aug 9 23:43:18 CEST 2004 - dobey@suse.de
Tue Aug 3 14:48:25 CEST 2004 - rhafer@suse.de
- updated to 2.2.16
- Updated ACLs in slapd_conf.dif to disable default read access
- Updated ACLs in slapd_conf.dif to disable default read access
to the "userPKCS12" Attribute
- rc-check-conn.diff: When starting slapd wait until is accepts
- rc-check-conn.diff: When starting slapd wait until is accepts
connections, or 10 seconds at maximum (Bugzilla #41354)
- Backported -o slp={on|off} feature from OpenLDAP Head and added
new sysconfig variable (OPENLDAP_REGISTER_SLP) to be able
to switch SLP registration on and off. (Bugzilla #39865)
- removed unneeded README.update
-------------------------------------------------------------------
Fri Apr 30 16:46:50 CEST 2004 - rhafer@suse.de
@ -2017,22 +2045,22 @@ Thu Apr 29 15:13:31 CEST 2004 - coolo@suse.de
-------------------------------------------------------------------
Mon Apr 19 12:13:41 CEST 2004 - rhafer@suse.de
- ldapi_url.dif: Fixed paths for LDAPI-socket, pid-file and
- ldapi_url.dif: Fixed paths for LDAPI-socket, pid-file and
args-file (Bugzilla #38790)
- ldbm_modrdn.dif: Fixed back-ldbm modrdn indexing bug (ITS #3059,
Bugzilla #38915)
- modify_check_duplicates.dif: check for duplicate attribute
- modify_check_duplicates.dif: check for duplicate attribute
values in modify requests (ITS #3066/#3097, Bugzilla #38607)
- updated and renamed yast2userconfig.schema to yast.schema as it
- updated and renamed yast2userconfig.schema to yast.schema as it
contains more that only user configuration now
- syncrepl.dif: addtional fixes for syncrepl (ITS #3055, #3056)
- test_syncrepl_timeout: increased sleep timeout in syncrepl
- test_syncrepl_timeout: increased sleep timeout in syncrepl
testsuite
-------------------------------------------------------------------
Thu Apr 1 15:05:15 CEST 2004 - rhafer@suse.de
- added "TLS_REQCERT allow" to /etc/openldap/ldap.conf, to make
- added "TLS_REQCERT allow" to /etc/openldap/ldap.conf, to make
START_TLS work without access to the CA Certificate.
(Bugzilla: #37393)
@ -2065,7 +2093,7 @@ Tue Mar 16 16:15:49 CET 2004 - schwab@suse.de
Tue Mar 2 19:50:18 CET 2004 - rhafer@suse.de
- updated to 2.2.6
- build a openldap-2.1-slapcat from 2.1.25 sources to be able to
- build a openldap-2.1-slapcat from 2.1.25 sources to be able to
migrate from SLES8 and SL 9.0
-------------------------------------------------------------------
@ -2076,8 +2104,8 @@ Thu Feb 19 17:25:12 CET 2004 - ro@suse.de
-------------------------------------------------------------------
Thu Feb 5 17:38:52 CET 2004 - rhafer@suse.de
- updated to 2.2.5
- adjusted rfc2307bis.schema to support UTF-8 values in most
- updated to 2.2.5
- adjusted rfc2307bis.schema to support UTF-8 values in most
attributes
- enabled proxycache-overlay (wiht fix to work with back-ldbm)
@ -2102,7 +2130,7 @@ Mon Dec 8 16:46:03 CET 2003 - rhafer@suse.de
-------------------------------------------------------------------
Tue Nov 11 15:20:05 CET 2003 - rhafer@suse.de
- enabled SLP-support
- enabled SLP-support
-------------------------------------------------------------------
Fri Oct 17 22:14:24 CEST 2003 - kukuk@suse.de
@ -2150,23 +2178,23 @@ Tue Jul 1 15:42:03 CEST 2003 - rhafer@suse.de
-------------------------------------------------------------------
Mon Jun 16 16:29:03 CEST 2003 - rhafer@suse.de
- updated to 2.1.21
- updated to 2.1.21
-------------------------------------------------------------------
Wed Jun 11 17:08:11 CEST 2003 - ro@suse.de
- fixed requires lines
- fixed requires lines
-------------------------------------------------------------------
Mon May 26 16:00:43 CEST 2003 - rhafer@suse.de
- don't link back-ldap against librewrite.a, it's already linked
- don't link back-ldap against librewrite.a, it's already linked
into slapd (package should build on non-i386 Archs again)
-------------------------------------------------------------------
Fri May 23 14:35:49 CEST 2003 - rhafer@suse.de
- fixed dynamic build of back-ldap
- fixed dynamic build of back-ldap
- new subpackage back-ldap
-------------------------------------------------------------------
@ -2185,12 +2213,12 @@ Fri May 9 14:23:45 CEST 2003 - rhafer@suse.de
-------------------------------------------------------------------
Wed Apr 16 00:34:31 CEST 2003 - ro@suse.de
- fixed requires for devel-package ...
- fixed requires for devel-package ...
-------------------------------------------------------------------
Tue Apr 15 10:18:11 CEST 2003 - ro@suse.de
- fixed neededforbuild
- fixed neededforbuild
-------------------------------------------------------------------
Thu Feb 13 12:13:23 CET 2003 - kukuk@suse.de
@ -2200,17 +2228,17 @@ Thu Feb 13 12:13:23 CET 2003 - kukuk@suse.de
-------------------------------------------------------------------
Tue Feb 11 19:02:14 CET 2003 - rhafer@suse.de
- added /etc/openldap to filelist
- added /etc/openldap to filelist
-------------------------------------------------------------------
Mon Feb 3 16:42:47 CET 2003 - rhafer@suse.de
- switch default backend to ldbm
- switch default backend to ldbm
-------------------------------------------------------------------
Sun Feb 2 23:58:34 CET 2003 - ro@suse.de
- fixed requires for devel package (cyrus-sasl2-devel)
- fixed requires for devel package (cyrus-sasl2-devel)
-------------------------------------------------------------------
Fri Jan 31 08:58:39 CET 2003 - rhafer@suse.de
@ -2246,7 +2274,7 @@ Fri Sep 6 11:11:07 CEST 2002 - rhafer@suse.de
-------------------------------------------------------------------
Mon Sep 2 18:02:03 CEST 2002 - rhafer@suse.de
- removed damoenstart_ipv6.diff and disabled IPv6 support due to
- removed damoenstart_ipv6.diff and disabled IPv6 support due to
massive problems with nss_ldap
-------------------------------------------------------------------
@ -2269,7 +2297,7 @@ Fri Aug 23 13:54:15 CEST 2002 - rhafer@suse.de
-------------------------------------------------------------------
Thu Aug 15 15:56:09 CEST 2002 - rhafer@suse.de
- removed termcap and readline from neededforbuild
- removed termcap and readline from neededforbuild
-------------------------------------------------------------------
Thu Aug 8 11:21:36 CEST 2002 - rhafer@suse.de
@ -2290,12 +2318,12 @@ Fri Jul 19 11:28:28 CEST 2002 - rhafer@suse.de
-------------------------------------------------------------------
Fri Jul 5 13:26:17 CEST 2002 - kukuk@suse.de
- fix openldap2-devel requires
- fix openldap2-devel requires
-------------------------------------------------------------------
Thu Jul 4 10:29:03 CEST 2002 - rhafer@suse.de
- switched back from cyrus-sasl2 to cyrus-sasl
- switched back from cyrus-sasl2 to cyrus-sasl
-------------------------------------------------------------------
Wed Jul 3 13:30:23 CEST 2002 - rhafer@suse.de
@ -2318,19 +2346,19 @@ Wed Jun 5 18:25:51 CEST 2002 - rhafer@suse.de
-------------------------------------------------------------------
Thu Mar 7 16:27:15 CET 2002 - rhafer@suse.de
- Fix for Bugzilla ID#14569 (added cyrus-sasl-devel openssl-devel
- Fix for Bugzilla ID#14569 (added cyrus-sasl-devel openssl-devel
to the "Requires" Section of the -devel subpackage)
-------------------------------------------------------------------
Mon Feb 18 13:06:10 CET 2002 - rhafer@suse.de
- updated to the latest STABLE release (2.0.23) which fixes some
- updated to the latest STABLE release (2.0.23) which fixes some
nasty bugs see ITS #1562,#1582,#1577,#1578
-------------------------------------------------------------------
Thu Feb 7 14:13:25 CET 2002 - rhafer@suse.de
- updated to the latest release (which fixes a index corruption
- updated to the latest release (which fixes a index corruption
bug)
- cleanup in neededforbuild
- small fixes for the init-scripts
@ -2348,17 +2376,17 @@ Wed Jan 16 18:36:12 CET 2002 - egmont@suselinux.hu
-------------------------------------------------------------------
Tue Jan 15 15:31:09 CET 2002 - rhafer@suse.de
- updated to v2.0.20 (which fixes a security hole in ACL
processing)
- updated to v2.0.20 (which fixes a security hole in ACL
processing)
-------------------------------------------------------------------
Fri Jan 11 15:54:51 CET 2002 - rhafer@suse.de
- converted archive to bzip2
- makes use of %{_libdir} now
- set CFLAGS to -O0 for archs ia64, s390(x) and alpha otherwise
- set CFLAGS to -O0 for archs ia64, s390(x) and alpha otherwise
the test suite fails on these archs
- changed slapd.conf to store the database under /var/lib/ldap
- changed slapd.conf to store the database under /var/lib/ldap
(this patch was missing in the last versions by accident)
-------------------------------------------------------------------
@ -2419,7 +2447,7 @@ Mon Jul 2 10:52:22 CEST 2001 - choeger@suse.de
-------------------------------------------------------------------
Tue Jun 19 16:18:54 CEST 2001 - ro@suse.de
- fixed for autoconf again
- fixed for autoconf again
-------------------------------------------------------------------
Fri Jun 15 10:23:24 CEST 2001 - choeger@suse.de
@ -2495,12 +2523,12 @@ Thu Dec 7 15:01:53 CET 2000 - choeger@suse.de
-------------------------------------------------------------------
Fri Dec 1 15:23:45 CET 2000 - ro@suse.de
- hacked configure for apparently broken pthread
- hacked configure for apparently broken pthread
-------------------------------------------------------------------
Fri Dec 1 02:28:54 CET 2000 - ro@suse.de
- fixed spec
- fixed spec
-------------------------------------------------------------------
Thu Nov 23 11:27:07 CET 2000 - choeger@suse.de


@ -25,6 +25,10 @@
%define _rundir /var/run/slapd
%endif
%define name_ppolicy_check_module ppolicy-check-password
%define version_ppolicy_check_module 1.2
%define ppolicy_docdir %{_docdir}/openldap-%{name_ppolicy_check_module}-%{version_ppolicy_check_module}
Name: openldap2
Summary: An open source implementation of the Lightweight Directory Access Protocol
License: OLDAP-2.8
@ -59,6 +63,12 @@ Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
Patch11: 0011-openldap-re24-its7796.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf
Source203: %{name_ppolicy_check_module}.5
Patch200: 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel
BuildRequires: db-devel
@ -86,75 +96,86 @@ Lightweight Directory Access Protocol v3 (LDAPv3).
The server provides several database backends and overlays.
%package -n openldap2-back-perl
%package back-perl
Summary: OpenLDAP Perl Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
Requires: perl = %{perl_version}
%description -n openldap2-back-perl
%description back-perl
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package -n openldap2-back-sock
%package back-sock
Summary: OpenLDAP Socket Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
%description -n openldap2-back-sock
%description back-sock
The OpenLDAP socket back-end allows you to handle LDAP requests and
results with an external process listening on a Unix domain socket.
%package -n openldap2-back-meta
%package back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
%description -n openldap2-back-meta
%description back-meta
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory
Information Tree (DIT).
%package -n openldap2-back-sql
%package back-sql
Summary: OpenLDAP SQL Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
%description -n openldap2-back-sql
%description back-sql
The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n openldap2-contrib
%package -n libldap-data
Summary: Configuration file for system-wide defaults for all usages of libldap.
Group: Productivity/Networking/LDAP
%if 0%{?suse_version} != 1110
BuildArch: noarch
%endif
%description -n libldap-data
The subpackage contains a configuration file used to set system-wide defaults
to be applied with all usages of libldap.
%package contrib
Summary: OpenLDAP Contrib Modules
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version_main}
%description -n openldap2-contrib
%description contrib
Various overlays found in contrib/:
allop
allop
allowed Generates attributes indicating access rights
autogroup
cloak
denyop
autogroup
cloak
denyop
lastbind writes last bind timestamp to entry
noopsrch handles no-op search control
nops
nops
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
%package -n openldap2-doc
%package doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
%if 0%{?suse_version} > 1110
BuildArch: noarch
%endif
%description -n openldap2-doc
%description doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
Authors:
@ -162,15 +183,15 @@ Authors:
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-client
%package client
Summary: OpenLDAP client utilities
Group: Productivity/Networking/LDAP/Clients
Requires: libldap-2_4-2 = %{version_main}
%description -n openldap2-client
%description client
OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
%package -n openldap2-devel
%package devel
Summary: Libraries, Header Files and Documentation for OpenLDAP
Group: Development/Libraries/C and C++
# bug437293
@ -182,29 +203,54 @@ Conflicts: openldap-devel
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl-devel
%description -n openldap2-devel
%description devel
This package provides the OpenLDAP libraries, header files, and
documentation.
%package -n openldap2-devel-static
%package devel-static
Summary: Static libraries for the OpenLDAP libraries
Group: Development/Libraries/C and C++
Requires: cyrus-sasl-devel
Requires: libopenssl-devel
Requires: openldap2-devel = %version
%description -n openldap2-devel-static
%description devel-static
This package provides the static versions of the OpenLDAP libraries
for development.
%package -n libldap-2_4-2
Summary: OpenLDAP Client Libraries
Group: Productivity/Networking/LDAP/Clients
Recommends: libldap-data >= %{version_main}
%description -n libldap-2_4-2
This package contains the OpenLDAP client libraries.
%package ppolicy-check-password
Version: %{version_ppolicy_check_module}
Release: 0
Summary: Password quality check module for OpenLDAP
Group: Productivity/Networking/LDAP/Servers
Url: https://github.com/onyxpoint/ppolicy-check-password
BuildRequires: cracklib-devel
Requires: openldap2 = %version_main
Recommends: cracklib cracklib-dict-full
%description ppolicy-check-password
An implementation of password quality check module, based on the original
work done by LDAP Toolbox Project (https://ltd-project.org), that works
together with OpenLDAP password policy overlay (ppolicy), to enforce
password strength policies.
%prep
# Unpack ppolicy check module
%setup -b 200 -q -n %{name_ppolicy_check_module}-%{version_ppolicy_check_module}
%patch200 -p1
cd ..
# Compress the manual page of ppolicy check module
gzip -k %{S:203}
# Unpack and patch OpenLDAP 2.4
%setup -q -n openldap-%{version_main}
%patch3 -p1
%patch5 -p1
@ -216,6 +262,10 @@ This package contains the OpenLDAP client libraries.
%patch11 -p1
cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
mv ../%{name_ppolicy_check_module}-%{version_ppolicy_check_module} contrib/slapd-modules/%{name_ppolicy_check_module}
cp %{S:201} contrib/slapd-modules/%{name_ppolicy_check_module}/Makefile
%build
export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
export STRIP=""
@ -264,6 +314,9 @@ done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
# Build ppolicy-check-password module
make -C contrib/slapd-modules/%{name_ppolicy_check_module} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
%check
%if %run_test_suite
# calculate the base port to be use in the test-suite
@ -315,6 +368,18 @@ chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so*
install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
# Install ppolicy check module
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
# Install ppolicy check module's doc files
pushd contrib/slapd-modules/%{name_ppolicy_check_module}
mkdir -p "%{buildroot}%ppolicy_docdir"
install -m 0644 README "%{buildroot}%ppolicy_docdir"
install -m 0644 LICENSE "%{buildroot}%ppolicy_docdir"
popd
# Install ppolicy check module's manual page
install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/
mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates
install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap
install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
@ -436,7 +501,8 @@ fi
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
%{_libdir}/openldap/ppolicy-2.4.*
%{_libdir}/openldap/ppolicy.*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
@ -471,22 +537,22 @@ fi
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
%files -n openldap2-back-perl
%files back-perl
%defattr(-,root,root)
%{_libdir}/openldap/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
%files -n openldap2-back-sock
%files back-sock
%defattr(-,root,root)
%{_libdir}/openldap/back_sock*
%doc %{_mandir}/man5/slapd-sock.*
%files -n openldap2-back-meta
%files back-meta
%defattr(-,root,root)
%{_libdir}/openldap/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
%files -n openldap2-back-sql
%files back-sql
%defattr(-,root,root)
%{_libdir}/openldap/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
@ -494,14 +560,20 @@ fi
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
%files -n openldap2-doc
%files -n libldap-data
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%doc %{_mandir}/man5/ldap.conf*
%{_sysconfdir}/openldap/ldap.conf.default
%files doc
%defattr(-,root,root)
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
%doc %{DOCDIR}/adminguide
%doc %{DOCDIR}/images
%files -n openldap2-contrib
%files contrib
%defattr(-,root,root)
%{_libdir}/openldap/allowed.*
%{_libdir}/openldap/allop.*
@ -515,7 +587,7 @@ fi
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/smbk5pwd.*
%files -n openldap2-client
%files client
%defattr(-,root,root)
%doc %{_mandir}/man1/ldap*
%doc %{_mandir}/man5/ldif.*
@ -534,13 +606,10 @@ fi
%files -n libldap-2_4-2
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%doc %{_mandir}/man5/ldap.conf*
%{_sysconfdir}/openldap/ldap.conf.default
%{_libdir}/liblber*2.4.so.*
%{_libdir}/libldap*2.4.so.*
%files -n openldap2-devel
%files devel
%defattr(-,root,root)
%doc %{_mandir}/man3/ber*
%doc %{_mandir}/man3/lber*
@ -550,9 +619,16 @@ fi
%{_libdir}/liblber.so
%{_libdir}/libldap*.so
%files -n openldap2-devel-static
%files devel-static
%defattr(-,root,root)
%_libdir/liblber.a
%_libdir/libldap*.a
%files ppolicy-check-password
%defattr(-,root,root)
%doc %{ppolicy_docdir}/
%config(noreplace) /etc/openldap/check_password.conf
%{_libdir}/openldap/ppolicy-check-password.*
%{_mandir}/man5/ppolicy-check-password.*
%changelog
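Review bot: The password checker's dictionary is only a weak dependency: the new `ppolicy-check-password` subpackage lists `cracklib cracklib-dict-full` under `Recommends:`, while the shipped `check_password.conf` sets `use_cracklib 1` and the module's Makefile compiles in a fixed dictionary path. On a system installed without recommended packages the dictionary may be absent, and nothing visible here shows whether the checker then rejects the password or quietly accepts it. I would make it a hard dependency, `Requires: cracklib-dict-full`, or confirm and document that a missing dictionary fails closed. Separately, the `%description` names the upstream as `https://ltd-project.org` while the man page credits `ltb-project.org`; one of the two is presumably a typo.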


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:840517adc7fa60cb45050ba203437e29458542d9d7f23e906520e0b2fca56fe9
size 10354

182
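--- /dev/null
+++ b/ppolicy-check-password.5
@@ -0,0 +1,182 @@
+.\"/*
+.\" * All rights reserved
+.\" * Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+.\" * Authors: Howard Guo <hguo@suse.com>
+.\" *
+.\" * This program is free software; you can redistribute it and/or
+.\" * modify it under the terms of the GNU General Public License
+.\" * as published by the Free Software Foundation; either version 2
+.\" * of the License, or (at your option) any later version.
+.\" *
+.\" * This program is distributed in the hope that it will be useful,
+.\" * but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" * GNU General Public License for more details.
+.\" */
+.\"
+.TH PPOLICY-CHECK-PASSWORD 5 "2016/02/18" "OpenLDAP password quality check"
+.SH NAME
+ppolicy\-check\-password \- Password quality checker for OpenLDAP ppolicy overlay
+.SH SYNOPSIS
+pwdCheckModule ppolicy-check-password.so
+.SH DESCRIPTION
+ppolicy\-check\-password is an implementation of password quality check module, it can be plugged into OpenLDAP
+.BR slapo\-ppolicy (5)
+overlay to enforce organisational password strength policies for password-change operations.
+.SH PREREQUISITES
+In order to use the module, you should enable and configure
+.BR slapo\-ppolicy (5)
+overlay on the OpenLDAP server. You may use the following example to enable ppolicy overlay:
+.HP 4
+Enable ppolicy overlay
+To enable ppolicy overlay on the server using static configuration file
+.BR slapd.conf (5)
+, first enable ppolicy schema by adding line:
+.br
+include /etc/openldap/schema/ppolicy.schema
+and then append the following lines to the database definition in which password policy should be enforced:
+.br
+overlay ppolicy
+.br
+ppolicy_default "cn=PolicyContainer,dc=my-domain,dc=com"
+Save slapd.conf and (re)start OpenLDAP server.
+If you use cn=config (online configuration) instead of static configuration file, add the schema /etc/openldap/schema/ppolicy.ldif to cn=schema,cn=config, then enable ppolicy overlay in olcDatabase.
+.LP
+.HP 4
+Create ppolicy container entry
+The ppolicy container entry stores attributes that describe the password policy in detail, create the entry with
+.BR ldapadd (1)
+:
+.br
+dn: cn=PolicyContainer,dc=my-domain,dc=com
+.br
+cn: PolicyContainer
+.br
+objectClass: pwdPolicy
+.br
+objectClass: person
+.br
+objectClass: top
+.br
+pwdAllowUserChange: TRUE
+.br
+pwdAttribute: userPassword
+.br
+pwdCheckQuality: 2
+.br
+pwdExpireWarning: 600
+.br
+pwdFailureCountInterval:
+.br
+pwdGraceAuthNLimit: 5
+.br
+pwdInHistory: 5
+.br
+pwdLockout: TRUE
+.br
+pwdLockoutDuration: 0
+.br
+pwdMaxAge: 0
+.br
+pwdMaxFailure:
+.br
+pwdMinAge: 0
+.br
+pwdMinLength: 5
+.br
+pwdMustChange: FALSE
+.br
+pwdSafeModify: FALSE
+.br
+sn: dummy value
+.br
+The password policy becomes effective immediately, there is no need to restart OpenLDAP server.
+.LP
+.HP 4
+Enable ppolicy-check-password.so module
+Modify the ppolicy container entry with
+.BR ldapmodify (1)
+:
+.br
+dn: cn=PolicyContainer,dc=my-domain,dc=com
+.br
+changeType: modify
+.br
+add: objectClass
+.br
+objectClass: pwdPolicyChecker
+.br
+\-
+.br
+add: pwdCheckModule
+.br
+pwdCheckModule: ppolicy-check-password.so
+The password check module becomes effective immediately, there is no need to restart OpenLDAP server.
+.LP
+.SH CONFIGURATION
+The password check module reads configuration parameters from
+.B /etc/openldap/check_password.conf
+Edits made to the configuration file become effective immediately, there is no need to restart OpenLDAP server.
+List of parameters:
+.TP
+.BI use_cracklib \ 1|0
+CrackLib is a library for checking that a password is not easily crackable, making sure that the password is not based on simple patterns or dictionary words. If the parameter is set to 1, cracklib will be involved and new passwords must pass cracklib quality check in addition to all other policies such as min_points
+.TP
+.BI min_points \ <integer>
+The parameter holds an integer value in between 0 and 4. The value denotes "quality points" that a password must acquire in order to pass the check. Usage of each character class awards one quality point. If the parameeter is set to 0, the check is disabled.
+The character classes are: upper case letters, lower case letters, numeric digits, punctuations.
+.TP
+.BI min_upper \ <integer>
+The minimal number of upper case characters a password must contain. If the parameter is set to 0, the check is disabled.
+.TP
+.BI min_lower \ <integer>
+The minimal number of lower case characters a password must contain. If the parameter is set to 0, the check is disabled.
+.TP
+.BI min_digit \ <integer>
+The minimal number of numeric digit characters a password must contain. If the parameter is set to 0, the check is disabled.
+.TP
+.BI min_punct \ <integer>
+The minimal number of punctuation characters a password must contain. If the parameter is set to 0, the check is disabled.
+.TP
+.BI max_consecutive_per_class \ <integer>
+The maximum number of characters from each character class that may appear consecutively. If the parameter is set to 0, the check is disabled.
+.SH USAGE
+After the module is enabled, the OpenLDAP server will invoke the password checker module on every user password change, the new user password must pass all quality checks before it is accepted. If the new password does not pass quality checks, the detailed reason will be logged on the OpenLDAP server, and the client will receive a Constraint Violation and a generic error message "Password fails quality checking policy" \- the lack of details is by design.
+If the password change is carried out by RootDN, password checker module will not enforce the quality checks, and any password is acceptable.
+.SH FILES
+.TP
+/etc/openldap/check_password.conf
+Define the password strength policy.
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR slapd\-config (5),
+.BR slapd (8),
+.BR slapo\-ppolicy (5)
+.SH ACKNOWLEDGEMENTS
+.P
+The module was originally authored by LTB-project (ltb\-project.org), and further maintained by Onyx Point (onyxpoint.com).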


@ -0,0 +1,43 @@
LDAP_SRC = ../../..
LDAP_BUILD = $(LDAP_SRC)
LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
$(LDAP_BUILD)/libraries/liblber/liblber.la
LIBTOOL = $(LDAP_BUILD)/libtool
CC = gcc
OPT = -g -O2 -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -lcrack
INCS = $(LDAP_INC)
LIBS = $(LDAP_LIB)
PROGRAMS = ppolicy-check-password.la
LTVER = 0:0:0
prefix=/usr/local
exec_prefix=$(prefix)
ldap_subdir=/openldap
libdir=$(exec_prefix)/lib64
libexecdir=$(exec_prefix)/libexec
moduledir=$(libdir)$(ldap_subdir)
.SUFFIXES: .c .o .lo
.c.lo:
$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
all: $(PROGRAMS)
ppolicy-check-password.la: check_password.lo
$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
-rpath $(moduledir) -module -o $@ $? $(LIBS)
clean:
rm -rf *.o *.lo *.la .libs
install: $(PROGRAMS)
mkdir -p $(DESTDIR)$(moduledir)
for p in $(PROGRAMS) ; do \
$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
done
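Review bot: The `.c.lo` rule compiles with `$(CC) $(OPT) $(DEFS) $(INCS)` and never reads `CFLAGS`, so the `%{optflags}` that the spec exports in `%build` do not reach this module; it is built with the fixed `-g -O2 -Wall -fpic` from `OPT` instead. This code is loaded into slapd and handles new passwords, so whatever hardening options the distribution carries in its default flags are presumably wanted here as well. I would add `$(CFLAGS)` to the compile line: `$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(OPT) $(DEFS) $(INCS) -c $<`. The `-lcrack` in `OPT` is a link-time option and would sit better in `LIBS`.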


@ -0,0 +1,7 @@
use_cracklib 1
min_points 3
min_upper 0
min_lower 0
min_digit 0
min_punct 0
max_consecutive_per_class 5