From e488e6253c4640052d65055d492fc9cd09c5dc422d5b532d27375d338e2288c3 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 1 Jul 2010 13:38:00 +0000 Subject: [PATCH 1/9] Accepting request 42372 from home:rhafer:branches:network:ldap Copy from home:rhafer:branches:network:ldap/openldap2 via accept of submit request 42372 revision 2. Request was accepted with message: Reviewed ok OBS-URL: https://build.opensuse.org/request/show/42372 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=38 --- Syncprov-might-lose-deletes-ITS-6555.dif | 38 +++++++++ openldap2-client.changes | 9 ++ openldap2-client.spec | 8 +- openldap2.changes | 9 ++ openldap2.spec | 4 + slapd-modrdn-crash-ITS-6570.dif | 100 +++++++++++++++++++++++ 6 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 Syncprov-might-lose-deletes-ITS-6555.dif create mode 100644 slapd-modrdn-crash-ITS-6570.dif diff --git a/Syncprov-might-lose-deletes-ITS-6555.dif b/Syncprov-might-lose-deletes-ITS-6555.dif new file mode 100644 index 0000000..9e0bd94 --- /dev/null +++ b/Syncprov-might-lose-deletes-ITS-6555.dif 
@@ -0,0 +1,38 @@
+From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001
+From: ralf
+Date: Thu, 20 May 2010 15:08:28 +0000
+Subject: Syncprov might lose deletes (ITS#6555)
+
+During the refresh phase the sync filter needs to be adjusted (skipping
+the "(entrycsn>=cookie)" part that was inserted) when checking whether a
+change needs to be replicated, otherwise we lose DELETES that happen during
+the refresh phase.
+
+bnc#606294
+
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 675568e..030edf5 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
+ op2.o_hdr = &oh;
+ op2.o_extra = op->o_extra;
+ op2.o_callback = NULL;
+- rc = test_filter( &op2, e, ss->s_op->ors_filter );
++ ldap_pvt_thread_mutex_lock( &ss->s_mutex );
++ if (ss->s_flags & PS_FIX_FILTER) {
++ /* Skip the AND/GE clause that we stuck on in front. We
++ would lose deletes/mods that happen during the refresh
++ phase otherwise (ITS#6555) */
++ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next;
++ }
++ ldap_pvt_thread_mutex_unlock( &ss->s_mutex );
++ rc = test_filter( &op2, e, op2.ors_filter );
+ }
+
+ Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n",
+--
+1.7.0.3
+
diff --git a/openldap2-client.changes b/openldap2-client.changes
index 2a80cef..58841dd 100644
--- a/openldap2-client.changes
+++ b/openldap2-client.changes
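Review bot: In the syncprov_matchops hunk of the added Syncprov-might-lose-deletes-ITS-6555.dif, the filter pointer is selected while `ss->s_mutex` is held, but `test_filter( &op2, e, op2.ors_filter )` runs after the unlock, and when `PS_FIX_FILTER` is clear `op2.ors_filter` keeps whatever value op2 received before the hunk. Both are only safe if op2 was copied from `ss->s_op` earlier in the function and the unwrapped filter stays valid once the refresh phase ends; neither is visible here, since the function starts and ends outside the hunk. A comment next to the unlock, for example `/* op2.ors_filter was copied from ss->s_op above; f_next remains valid after PS_FIX_FILTER is cleared */`, would record that assumption. Deletes that fail to replicate leave removed entries live on consumers, so a replication test that deletes an entry during the refresh phase would be worth adding with this fix. The same patch file is re-added unchanged in PATCH 3/9.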
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com + +- LDAP clients could crash the server by submitting a specially + crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) +- Delete Operations happening during the "Refresh" phase of + "refreshAndPersist" replication failed to replicate under + certain circumstances (bnc#606294, ITS#6555) + ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com diff --git a/openldap2-client.spec b/openldap2-client.spec index 3e71f2e..664fe1f 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,5 +1,5 @@ # -# spec file for package openldap2-client (Version 2.4.21) +# spec file for package openldap2 (Version 2.4.21) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,7 +19,7 @@ %define run_test_suite 1 -Name: openldap2-client +Name: openldap2-client BuildRequires: cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel %if %sles_version == 9 BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel @@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif +Patch12: Syncprov-might-lose-deletes-ITS-6555.dif +Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -180,6 +182,8 @@ Authors: %patch7 %endif %patch11 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/openldap2.changes b/openldap2.changes index 2a80cef..58841dd 100644 --- a/openldap2.changes +++ b/openldap2.changes 
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com + +- LDAP clients could crash the server by submitting a specially + crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) +- Delete Operations happening during the "Refresh" phase of + "refreshAndPersist" replication failed to replicate under + certain circumstances (bnc#606294, ITS#6555) + ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com diff --git a/openldap2.spec b/openldap2.spec index 9434a1b..d8464f5 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif +Patch12: Syncprov-might-lose-deletes-ITS-6555.dif +Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -180,6 +182,8 @@ Authors: %patch7 %endif %patch11 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/slapd-modrdn-crash-ITS-6570.dif b/slapd-modrdn-crash-ITS-6570.dif new file mode 100644 index 0000000..667950c --- /dev/null +++ b/slapd-modrdn-crash-ITS-6570.dif 
@@ -0,0 +1,100 @@
+From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
+From: hyc
+Date: Sun, 6 Jun 2010 22:02:32 +0000
+Subject: slapd modrdn crash (ITS#6570)
+
+part #1 reject RDNs with binary BER values
+part #2 reject RDNs with empty values
+
+Unauthenticated LDAP clients could crash the server by submitting a
+specially crafted LDAP ModRDN operatoin.
+
+Part #1:
+OpenLDAP crashes with segfault during the processing of a modrdn call with
+maliciously formed destination rdn string. No authentication is required to
+trigger this vulnerability.
+
+Part #2:
+OpenLDAP crashes at a null pointer dereference during the processing of modrdn
+call with maliciously formed destination rdn string. No authentication is
+required to trigger this vulnerability.
+
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 3534e7f..75d2204 100644
+--- a/servers/slapd/dn.c
++++ b/servers/slapd/dn.c
+@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
+ ava->la_attr = ad->ad_cname;
+
+ if( ava->la_flags & LDAP_AVA_BINARY ) {
+- if( ava->la_value.bv_len == 0 ) {
+- /* BER encoding is empty */
+- return LDAP_INVALID_SYNTAX;
+- }
++ /* AVA is binary encoded, not supported */
++ return LDAP_INVALID_SYNTAX;
+
+ /* Do not allow X-ORDERED 'VALUES' naming attributes */
+ } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
+ return LDAP_INVALID_SYNTAX;
+
+- /* AVA is binary encoded, don't muck with it */
+ } else if( flags & SLAP_LDAPDN_PRETTY ) {
+ transf = ad->ad_type->sat_syntax->ssyn_pretty;
+ if( !transf ) {
+@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
+ ava->la_value = bv;
+ ava->la_flags |= LDAP_AVA_FREE_VALUE;
+ }
++ /* reject empty values */
++ if (!ava->la_value.bv_len) {
++ return LDAP_INVALID_SYNTAX;
++ }
+ }
+ rc = LDAP_SUCCESS;
+
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index e386ef9..e143a7b 100644
+---
a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -445,12 +445,19 @@ slap_modrdn2mods(
+ mod_tmp->sml_values[1].bv_val = NULL;
+ if( desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+- (void) (*desc->ad_type->sat_equality->smr_normalize)(
++ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+ desc->ad_type->sat_syntax,
+ desc->ad_type->sat_equality,
+ &mod_tmp->sml_values[0],
+ &mod_tmp->sml_nvalues[0], NULL );
++ if (rs->sr_err != LDAP_SUCCESS) {
++ ch_free(mod_tmp->sml_nvalues);
++ ch_free(mod_tmp->sml_values[0].bv_val);
++ ch_free(mod_tmp->sml_values);
++ ch_free(mod_tmp);
++ goto done;
++ }
+ mod_tmp->sml_nvalues[1].bv_val = NULL;
+ } else {
+ mod_tmp->sml_nvalues = NULL;
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 68e6d28..d2f4708 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
+ ? LDAP_UTF8_APPROX : 0;
+
+ val = UTF8bvnormalize( val, &tmp, flags, ctx );
++ /* out of memory or syntax error, the former is unlikely */
+ if( val == NULL ) {
+- return LDAP_OTHER;
++ return LDAP_INVALID_SYNTAX;
+ }
+
+ /* collapse spaces (in place) */
+--
+1.7.0.3
+
From 55aa20cad25cd0f863d1b25e2dce60a75e8a7a9cdd821aa23025d6b775808e2c Mon Sep 17 00:00:00 2001
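Review bot: In the slap_modrdn2mods hunk of the added slapd-modrdn-crash-ITS-6570.dif, the new `rs->sr_err` check covers only the one `smr_normalize` call shown, and `sml_nvalues` comes straight from `ch_malloc`, so any other normalizer call in this function that still discards its result with a `(void)` cast would go on to use an unset `sml_nvalues[0]` when normalization fails. The function continues outside the hunk, so this cannot be confirmed from here; every such call should get the same `if (rs->sr_err != LDAP_SUCCESS)` cleanup before `goto done`. In the UTF8StringNormalize hunk the added comment concedes that a NULL from `UTF8bvnormalize` may also mean out of memory, yet the caller now always sees `LDAP_INVALID_SYNTAX`; the comment should say that an allocation failure is deliberately reported as a syntax error so operators do not misread the result code in logs. Because the input reaches these paths without authentication, a regression test sending an RDN with an empty value and one with a binary-encoded value would be a useful companion to the fix. The same patch file is re-added unchanged in PATCH 3/9.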
From: OBS User autobuild Date: Fri, 2 Jul 2010 14:00:12 +0000 Subject: [PATCH 2/9] Accepting request 42373 from network:ldap checked in (request 42373) OBS-URL: https://build.opensuse.org/request/show/42373 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=39 --- Syncprov-might-lose-deletes-ITS-6555.dif | 38 --------- openldap2-client.changes | 9 -- openldap2-client.spec | 8 +- openldap2.changes | 9 -- openldap2.spec | 4 - slapd-modrdn-crash-ITS-6570.dif | 100 ----------------------- 6 files changed, 2 insertions(+), 166 deletions(-) delete mode 100644 Syncprov-might-lose-deletes-ITS-6555.dif delete mode 100644 slapd-modrdn-crash-ITS-6570.dif diff --git a/Syncprov-might-lose-deletes-ITS-6555.dif b/Syncprov-might-lose-deletes-ITS-6555.dif deleted file mode 100644 index 9e0bd94..0000000 --- a/Syncprov-might-lose-deletes-ITS-6555.dif +++ /dev/null 
@@ -1,38 +0,0 @@ -From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001 -From: ralf -Date: Thu, 20 May 2010 15:08:28 +0000 -Subject: Syncprov might lose deletes (ITS#6555) - -During the refresh phase the sync filter needs to be adjusted (skipping -the "(entrycsn>=cookie)" part that was inserted) when checking whether a -change needs to be replicated, otherwise we lose DELETES that happen during -the refresh phase. - -bnc#606294 - - 1 files changed, 9 insertions(+), 1 deletions(-) - -diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c -index 675568e..030edf5 100644 ---- a/servers/slapd/overlays/syncprov.c -+++ b/servers/slapd/overlays/syncprov.c -@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit ) - op2.o_hdr = &oh; - op2.o_extra = op->o_extra; - op2.o_callback = NULL; -- rc = test_filter( &op2, e, ss->s_op->ors_filter ); -+ ldap_pvt_thread_mutex_lock( &ss->s_mutex ); -+ if (ss->s_flags & PS_FIX_FILTER) { -+ /* Skip the AND/GE clause that we stuck on in front. We -+ would lose deletes/mods that happen during the refresh -+ phase otherwise (ITS#6555) */ -+ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next; -+ } -+ ldap_pvt_thread_mutex_unlock( &ss->s_mutex ); -+ rc = test_filter( &op2, e, op2.ors_filter ); - } - - Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n", --- -1.7.0.3 - diff --git a/openldap2-client.changes b/openldap2-client.changes index 58841dd..2a80cef 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes 
@@ -1,12 +1,3 @@ -------------------------------------------------------------------- -Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com - -- LDAP clients could crash the server by submitting a specially - crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) -- Delete Operations happening during the "Refresh" phase of - "refreshAndPersist" replication failed to replicate under - certain circumstances (bnc#606294, ITS#6555) - ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com diff --git a/openldap2-client.spec b/openldap2-client.spec index 664fe1f..3e71f2e 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,5 +1,5 @@ # -# spec file for package openldap2 (Version 2.4.21) +# spec file for package openldap2-client (Version 2.4.21) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,7 +19,7 @@ %define run_test_suite 1 -Name: openldap2-client +Name: openldap2-client BuildRequires: cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel %if %sles_version == 9 BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel @@ -60,8 +60,6 @@ Patch5: slapd-back-hdb-fortify.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif -Patch12: Syncprov-might-lose-deletes-ITS-6555.dif -Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -182,8 +180,6 @@ Authors: %patch7 %endif %patch11 -%patch12 -p1 -%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/openldap2.changes b/openldap2.changes index 58841dd..2a80cef 100644 --- a/openldap2.changes +++ b/openldap2.changes 
@@ -1,12 +1,3 @@ -------------------------------------------------------------------- -Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com - -- LDAP clients could crash the server by submitting a specially - crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) -- Delete Operations happening during the "Refresh" phase of - "refreshAndPersist" replication failed to replicate under - certain circumstances (bnc#606294, ITS#6555) - ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com diff --git a/openldap2.spec b/openldap2.spec index d8464f5..9434a1b 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -60,8 +60,6 @@ Patch5: slapd-back-hdb-fortify.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif -Patch12: Syncprov-might-lose-deletes-ITS-6555.dif -Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -182,8 +180,6 @@ Authors: %patch7 %endif %patch11 -%patch12 -p1 -%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/slapd-modrdn-crash-ITS-6570.dif b/slapd-modrdn-crash-ITS-6570.dif deleted file mode 100644 index 667950c..0000000 --- a/slapd-modrdn-crash-ITS-6570.dif +++ /dev/null 
@@ -1,100 +0,0 @@ -From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001 -From: hyc -Date: Sun, 6 Jun 2010 22:02:32 +0000 -Subject: slapd modrdn crash (ITS#6570) - -part #1 reject RDNs with binary BER values -part #2 reject RDNs with empty values - -Unauthenticated LDAP clients could crash the server by submitting a -specially crafted LDAP ModRDN operatoin. - -Part #1: -OpenLDAP crashes with segfault during the processing of a modrdn call with -maliciously formed destination rdn string. No authentication is required to -trigger this vulnerability. - -Part #2: -OpenLDAP crashes at a null pointer dereference during the processing of modrdn -call with maliciously formed destination rdn string. No authentication is -required to trigger this vulnerability. - - 3 files changed, 16 insertions(+), 7 deletions(-) - -diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c -index 3534e7f..75d2204 100644 ---- a/servers/slapd/dn.c -+++ b/servers/slapd/dn.c -@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) - ava->la_attr = ad->ad_cname; - - if( ava->la_flags & LDAP_AVA_BINARY ) { -- if( ava->la_value.bv_len == 0 ) { -- /* BER encoding is empty */ -- return LDAP_INVALID_SYNTAX; -- } -+ /* AVA is binary encoded, not supported */ -+ return LDAP_INVALID_SYNTAX; - - /* Do not allow X-ORDERED 'VALUES' naming attributes */ - } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { - return LDAP_INVALID_SYNTAX; - -- /* AVA is binary encoded, don't muck with it */ - } else if( flags & SLAP_LDAPDN_PRETTY ) { - transf = ad->ad_type->sat_syntax->ssyn_pretty; - if( !transf ) { -@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) - ava->la_value = bv; - ava->la_flags |= LDAP_AVA_FREE_VALUE; - } -+ /* reject empty values */ -+ if (!ava->la_value.bv_len) { -+ return LDAP_INVALID_SYNTAX; -+ } - } - rc = LDAP_SUCCESS; - -diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c -index e386ef9..e143a7b 100644 ---- 
a/servers/slapd/modrdn.c -+++ b/servers/slapd/modrdn.c -@@ -445,12 +445,19 @@ slap_modrdn2mods( - mod_tmp->sml_values[1].bv_val = NULL; - if( desc->ad_type->sat_equality->smr_normalize) { - mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); -- (void) (*desc->ad_type->sat_equality->smr_normalize)( -+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize( - SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, - desc->ad_type->sat_syntax, - desc->ad_type->sat_equality, - &mod_tmp->sml_values[0], - &mod_tmp->sml_nvalues[0], NULL ); -+ if (rs->sr_err != LDAP_SUCCESS) { -+ ch_free(mod_tmp->sml_nvalues); -+ ch_free(mod_tmp->sml_values[0].bv_val); -+ ch_free(mod_tmp->sml_values); -+ ch_free(mod_tmp); -+ goto done; -+ } - mod_tmp->sml_nvalues[1].bv_val = NULL; - } else { - mod_tmp->sml_nvalues = NULL; -diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c -index 68e6d28..d2f4708 100644 ---- a/servers/slapd/schema_init.c -+++ b/servers/slapd/schema_init.c -@@ -1732,8 +1732,9 @@ UTF8StringNormalize( - ? LDAP_UTF8_APPROX : 0; - - val = UTF8bvnormalize( val, &tmp, flags, ctx ); -+ /* out of memory or syntax error, the former is unlikely */ - if( val == NULL ) { -- return LDAP_OTHER; -+ return LDAP_INVALID_SYNTAX; - } - - /* collapse spaces (in place) */ --- -1.7.0.3 - From 4af766a1af3a933d30b8aa1ea902cf43db3873bd294261586602088e8eadc156 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Fri, 23 Jul 2010 07:28:16 +0000 Subject: [PATCH 3/9] OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=40 --- Syncprov-might-lose-deletes-ITS-6555.dif | 38 +++++++++ openldap2-client.changes | 9 ++ openldap2-client.spec | 6 +- openldap2.changes | 9 ++ openldap2.spec | 6 +- slapd-modrdn-crash-ITS-6570.dif | 100 +++++++++++++++++++++++ 6 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 Syncprov-might-lose-deletes-ITS-6555.dif create mode 100644 slapd-modrdn-crash-ITS-6570.dif 
diff --git a/Syncprov-might-lose-deletes-ITS-6555.dif b/Syncprov-might-lose-deletes-ITS-6555.dif new file mode 100644 index 0000000..9e0bd94 --- /dev/null +++ b/Syncprov-might-lose-deletes-ITS-6555.dif @@ -0,0 +1,38 @@ +From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001 +From: ralf +Date: Thu, 20 May 2010 15:08:28 +0000 +Subject: Syncprov might lose deletes (ITS#6555) + +During the refresh phase the sync filter needs to be adjusted (skipping +the "(entrycsn>=cookie)" part that was inserted) when checking whether a +change needs to be replicated, otherwise we lose DELETES that happen during +the refresh phase. + +bnc#606294 + + 1 files changed, 9 insertions(+), 1 deletions(-) + +diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c +index 675568e..030edf5 100644 +--- a/servers/slapd/overlays/syncprov.c ++++ b/servers/slapd/overlays/syncprov.c +@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit ) + op2.o_hdr = &oh; + op2.o_extra = op->o_extra; + op2.o_callback = NULL; +- rc = test_filter( &op2, e, ss->s_op->ors_filter ); ++ ldap_pvt_thread_mutex_lock( &ss->s_mutex ); ++ if (ss->s_flags & PS_FIX_FILTER) { ++ /* Skip the AND/GE clause that we stuck on in front. We ++ would lose deletes/mods that happen during the refresh ++ phase otherwise (ITS#6555) */ ++ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next; ++ } ++ ldap_pvt_thread_mutex_unlock( &ss->s_mutex ); ++ rc = test_filter( &op2, e, op2.ors_filter ); + } + + Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n", +-- +1.7.0.3 + diff --git a/openldap2-client.changes b/openldap2-client.changes index 2a80cef..58841dd 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes 
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com + +- LDAP clients could crash the server by submitting a specially + crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) +- Delete Operations happening during the "Refresh" phase of + "refreshAndPersist" replication failed to replicate under + certain circumstances (bnc#606294, ITS#6555) + ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com diff --git a/openldap2-client.spec b/openldap2-client.spec index 3e71f2e..51137f4 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -28,7 +28,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel %endif Version: 2.4.21 -Release: 5 +Release: 6 Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" @@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif +Patch12: Syncprov-might-lose-deletes-ITS-6555.dif +Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -180,6 +182,8 @@ Authors: %patch7 %endif %patch11 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/openldap2.changes b/openldap2.changes index 2a80cef..58841dd 100644 --- a/openldap2.changes +++ b/openldap2.changes 
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com + +- LDAP clients could crash the server by submitting a specially + crafted LDAP ModRDN operation. (bnc#612430, ITS#6570) +- Delete Operations happening during the "Refresh" phase of + "refreshAndPersist" replication failed to replicate under + certain circumstances (bnc#606294, ITS#6555) + ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com diff --git a/openldap2.spec b/openldap2.spec index 9434a1b..c037261 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -28,7 +28,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel %endif Version: 2.4.21 -Release: 5 +Release: 6 Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" @@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif +Patch12: Syncprov-might-lose-deletes-ITS-6555.dif +Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -180,6 +182,8 @@ Authors: %patch7 %endif %patch11 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/slapd-modrdn-crash-ITS-6570.dif b/slapd-modrdn-crash-ITS-6570.dif new file mode 100644 index 0000000..667950c --- /dev/null +++ b/slapd-modrdn-crash-ITS-6570.dif 
@@ -0,0 +1,100 @@ +From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001 +From: hyc +Date: Sun, 6 Jun 2010 22:02:32 +0000 +Subject: slapd modrdn crash (ITS#6570) + +part #1 reject RDNs with binary BER values +part #2 reject RDNs with empty values + +Unauthenticated LDAP clients could crash the server by submitting a +specially crafted LDAP ModRDN operatoin. + +Part #1: +OpenLDAP crashes with segfault during the processing of a modrdn call with +maliciously formed destination rdn string. No authentication is required to +trigger this vulnerability. + +Part #2: +OpenLDAP crashes at a null pointer dereference during the processing of modrdn +call with maliciously formed destination rdn string. No authentication is +required to trigger this vulnerability. + + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c +index 3534e7f..75d2204 100644 +--- a/servers/slapd/dn.c ++++ b/servers/slapd/dn.c +@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) + ava->la_attr = ad->ad_cname; + + if( ava->la_flags & LDAP_AVA_BINARY ) { +- if( ava->la_value.bv_len == 0 ) { +- /* BER encoding is empty */ +- return LDAP_INVALID_SYNTAX; +- } ++ /* AVA is binary encoded, not supported */ ++ return LDAP_INVALID_SYNTAX; + + /* Do not allow X-ORDERED 'VALUES' naming attributes */ + } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { + return LDAP_INVALID_SYNTAX; + +- /* AVA is binary encoded, don't muck with it */ + } else if( flags & SLAP_LDAPDN_PRETTY ) { + transf = ad->ad_type->sat_syntax->ssyn_pretty; + if( !transf ) { +@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) + ava->la_value = bv; + ava->la_flags |= LDAP_AVA_FREE_VALUE; + } ++ /* reject empty values */ ++ if (!ava->la_value.bv_len) { ++ return LDAP_INVALID_SYNTAX; ++ } + } + rc = LDAP_SUCCESS; + +diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c +index e386ef9..e143a7b 100644 +--- 
a/servers/slapd/modrdn.c ++++ b/servers/slapd/modrdn.c +@@ -445,12 +445,19 @@ slap_modrdn2mods( + mod_tmp->sml_values[1].bv_val = NULL; + if( desc->ad_type->sat_equality->smr_normalize) { + mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); +- (void) (*desc->ad_type->sat_equality->smr_normalize)( ++ rs->sr_err = desc->ad_type->sat_equality->smr_normalize( + SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, + desc->ad_type->sat_syntax, + desc->ad_type->sat_equality, + &mod_tmp->sml_values[0], + &mod_tmp->sml_nvalues[0], NULL ); ++ if (rs->sr_err != LDAP_SUCCESS) { ++ ch_free(mod_tmp->sml_nvalues); ++ ch_free(mod_tmp->sml_values[0].bv_val); ++ ch_free(mod_tmp->sml_values); ++ ch_free(mod_tmp); ++ goto done; ++ } + mod_tmp->sml_nvalues[1].bv_val = NULL; + } else { + mod_tmp->sml_nvalues = NULL; +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 68e6d28..d2f4708 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -1732,8 +1732,9 @@ UTF8StringNormalize( + ? LDAP_UTF8_APPROX : 0; + + val = UTF8bvnormalize( val, &tmp, flags, ctx ); ++ /* out of memory or syntax error, the former is unlikely */ + if( val == NULL ) { +- return LDAP_OTHER; ++ return LDAP_INVALID_SYNTAX; + } + + /* collapse spaces (in place) */ +-- +1.7.0.3 + From 337b984955223d0e194e4dfe32d18c4629192c5e3af20eeb35ed256e93a40d16 Mon Sep 17 00:00:00 2001 
From: Ralf Haferkamp Date: Fri, 23 Jul 2010 07:57:08 +0000 Subject: [PATCH 4/9] Accepting request 43806 from network:ldap:OpenLDAP:RE24 Copy from network:ldap:OpenLDAP:RE24/openldap2 via accept of submit request 43806 revision 69. Request was accepted with message: Reviewed ok OBS-URL: https://build.opensuse.org/request/show/43806 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=41 --- openldap2.dif => 0001-build-adjustments.dif | 40 ++-- slapd_conf.dif => 0002-slapd.conf.dif | 25 ++- 0003-LDAPI-socket-location.dif | 24 +++ 0004-libldap-use-gethostbyname_r.dif | 33 +++ pie-compile.dif => 0005-pie-compile.dif | 193 +++++++++--------- ...d-fixes-for-back-config-DELETE-support.dif | 23 ++- Syncprov-might-lose-deletes-ITS-6555.dif | 38 ---- ldapi_url.dif | 11 - openldap-2.4.21.tar.bz2 | 3 - openldap-2.4.23.tar.bz2 | 3 + openldap2-client.changes | 102 +++++++++ openldap2-client.spec | 95 +++++---- openldap2.changes | 102 +++++++++ openldap2.spec | 91 +++++---- slapd-back-hdb-fortify.dif | 13 -- slapd-modrdn-crash-ITS-6570.dif | 100 --------- 16 files changed, 534 insertions(+), 362 deletions(-) rename openldap2.dif => 0001-build-adjustments.dif (50%) rename slapd_conf.dif => 0002-slapd.conf.dif (80%) create mode 100644 0003-LDAPI-socket-location.dif create mode 100644 0004-libldap-use-gethostbyname_r.dif rename pie-compile.dif => 0005-pie-compile.dif (53%) rename slapd-bconfig-del-db.dif => 0006-assorted-fixes-for-back-config-DELETE-support.dif (66%) delete mode 100644 Syncprov-might-lose-deletes-ITS-6555.dif delete mode 100644 ldapi_url.dif delete mode 100644 openldap-2.4.21.tar.bz2 create mode 100644 openldap-2.4.23.tar.bz2 delete mode 100644 slapd-back-hdb-fortify.dif delete mode 100644 slapd-modrdn-crash-ITS-6570.dif diff --git a/openldap2.dif b/0001-build-adjustments.dif similarity index 50% rename from openldap2.dif rename to 0001-build-adjustments.dif index 44faf27..5f71315 100644 --- a/openldap2.dif 
+++ b/0001-build-adjustments.dif @@ -1,8 +1,19 @@ -Index: build/top.mk -=================================================================== ---- build/top.mk.orig -+++ build/top.mk -@@ -39,7 +39,7 @@ libdir = @libdir@ +From 2a6dda988ea0b14931427cce835e8a6da5c3488e Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Wed, 16 Jun 2010 14:04:07 +0200 +Subject: build-adjustments + +- Don't strip binaries +- Adjusted modules path +- don't use automake macro + + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/build/top.mk b/build/top.mk +index 0794173..eb4c825 100644 +--- a/build/top.mk ++++ b/build/top.mk +@@ -40,7 +40,7 @@ libdir = @libdir@ libexecdir = @libexecdir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -11,19 +22,10 @@ Index: build/top.mk sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@$(ldap_subdir) -@@ -58,7 +58,7 @@ INSTALL_PROGRAM = $(INSTALL) - INSTALL_DATA = $(INSTALL) -m 644 - INSTALL_SCRIPT = $(INSTALL) - --STRIP = -s -+#STRIP = -s - - LINT = lint - 5LINT = 5lint -Index: configure.in -=================================================================== ---- configure.in.orig -+++ configure.in +diff --git a/configure.in b/configure.in +index ba05a5a..e658b81 100644 +--- a/configure.in ++++ b/configure.in @@ -67,7 +67,9 @@ dnl Determine host platform dnl we try not to use this for much AC_CANONICAL_TARGET([]) @@ -35,4 +37,6 @@ Index: configure.in AC_SUBST(PACKAGE)dnl AC_SUBST(VERSION)dnl AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package) +-- +1.7.1 diff --git a/slapd_conf.dif b/0002-slapd.conf.dif similarity index 80% rename from slapd_conf.dif rename to 0002-slapd.conf.dif index 5f22516..70adde1 100644 --- a/slapd_conf.dif +++ b/0002-slapd.conf.dif 
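Review bot: The new description in 0001-build-adjustments.dif still lists `- Don't strip binaries`, but the refreshed patch drops the build/top.mk hunk that turned `STRIP = -s` into `#STRIP = -s`, and its own diffstat (2 files changed, 4 insertions, 2 deletions) matches only the moduledir and configure.in changes. Either the bullet is stale and should be removed, or the STRIP change was lost in the refresh and needs to be restored; which applies depends on how the 2.4.23 build handles stripping, which is not visible here. If stripping is now controlled elsewhere, say so in the description, for example `- stripping is no longer patched here; see the configure options in the spec file`.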
@@ -1,5 +1,15 @@ ---- servers/slapd/slapd.conf 2007/02/21 16:27:01 1.1 -+++ servers/slapd/slapd.conf 2007/02/21 16:29:20 +From d9c1061b77eec147e6d1df8b466d4b17b89e6890 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Wed, 16 Jun 2010 14:05:49 +0200 +Subject: slapd.conf + + + 1 files changed, 33 insertions(+), 17 deletions(-) + +diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf +index 4938b85..9caf292 100644 +--- a/servers/slapd/slapd.conf ++++ b/servers/slapd/slapd.conf @@ -3,6 +3,10 @@ # This file should NOT be world readable. # @@ -11,7 +21,7 @@ # Define global ACLs to disable default read access. -@@ -10,8 +14,8 @@ +@@ -10,8 +14,8 @@ include %SYSCONFDIR%/schema/core.schema # service AND an understanding of referrals. #referral ldap://root.openldap.org @@ -22,7 +32,7 @@ # Load dynamic backend modules: # modulepath %MODULEDIR% -@@ -26,20 +30,30 @@ +@@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: @@ -67,7 +77,7 @@ # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") -@@ -52,6 +66,8 @@ +@@ -52,6 +66,8 @@ argsfile %LOCALSTATEDIR%/run/slapd.args database bdb suffix "dc=my-domain,dc=com" @@ -76,7 +86,7 @@ rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. -@@ -60,6 +76,6 @@ +@@ -60,6 +76,6 @@ rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. @@ -84,3 +94,6 @@ +directory /var/lib/ldap # Indices to maintain index objectClass eq +-- +1.7.1 + diff --git a/0003-LDAPI-socket-location.dif b/0003-LDAPI-socket-location.dif new file mode 100644 index 0000000..1e4a3d6 --- /dev/null +++ b/0003-LDAPI-socket-location.dif 
@@ -0,0 +1,24 @@
+From 82e121e47976ba0058733976b1c5428a6ee33c31 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp
+Date: Wed, 16 Jun 2010 14:06:42 +0200
+Subject: LDAPI socket location
+
+
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/include/ldap_defaults.h b/include/ldap_defaults.h
+index 3e0d4b2..5235339 100644
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -39,7 +39,7 @@
+ #define LDAP_ENV_PREFIX "LDAP"
+
+ /* default ldapi:// socket */
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
+
+ /*
+ * SLAPD DEFINITIONS
+--
+1.7.1
+
diff --git a/0004-libldap-use-gethostbyname_r.dif b/0004-libldap-use-gethostbyname_r.dif
new file mode 100644
index 0000000..d93e054
--- /dev/null
+++ b/0004-libldap-use-gethostbyname_r.dif
@@ -0,0 +1,33 @@
+From 21d21f0d9aed8876722748ef8ba92f75dbcdc771 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp
+Date: Wed, 16 Jun 2010 14:08:03 +0200
+Subject: libldap use gethostbyname_r
+
+
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 0704f9a..50a3389 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,7 +52,7 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
++/* # undef HAVE_GETHOSTBYNAME_R */
+ # undef HAVE_GETHOSTBYADDR_R
+
+ #else
+@@ -330,7 +330,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R)
+ static char *safe_realloc( char **buf, int len );
+
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
+--
+1.7.1
+
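Review bot: The new 0004 patch keeps `HAVE_GETHOSTBYNAME_R` defined for the non-`LDAP_R_COMPILE` build by commenting out its `# undef`, but nothing says why: the description is empty below the subject, and `HAVE_GETHOSTBYADDR_R` is still undefined on the next line. That leaves the plain libldap build with a reentrant name lookup and, presumably, a non-reentrant address lookup, which reads as an oversight to anyone rebasing the patch. I would replace the commented-out directive with an explanatory comment such as `/* HAVE_GETHOSTBYNAME_R is kept on purpose: <reason, bug reference> */` and state in the description whether gethostbyaddr was left out deliberately. The block guarded by the widened `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R)` continues outside the hunk, so the matching definition of `safe_realloc` could not be checked here.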
diff --git a/pie-compile.dif b/0005-pie-compile.dif similarity index 53% rename from pie-compile.dif rename to 0005-pie-compile.dif index 0cede92..8da876d 100644 --- a/pie-compile.dif +++ b/0005-pie-compile.dif @@ -1,8 +1,16 @@ -Index: build/top.mk -=================================================================== ---- build/top.mk.orig -+++ build/top.mk -@@ -178,9 +178,9 @@ SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_L +From c73e8eb5d25f22ffb1203a38becbe88da4fc9116 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Wed, 16 Jun 2010 14:08:30 +0200 +Subject: pie compile + + + 12 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/build/top.mk b/build/top.mk +index eb4c825..4cb3da8 100644 +--- a/build/top.mk ++++ b/build/top.mk +@@ -178,9 +178,9 @@ SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \ WRAP_LIBS = @WRAP_LIBS@ # AutoConfig generated AC_CC = @CC@ @@ -14,11 +22,11 @@ Index: build/top.mk AC_LIBS = @LIBS@ KRB4_LIBS = @KRB4_LIBS@ -Index: libraries/liblunicode/Makefile.in -=================================================================== ---- libraries/liblunicode/Makefile.in.orig -+++ libraries/liblunicode/Makefile.in -@@ -35,6 +35,9 @@ $(XXDIR)/uctable.h: $(XXDIR)/ucgendat.c +diff --git a/libraries/liblunicode/Makefile.in b/libraries/liblunicode/Makefile.in +index 5348baa..7332d4e 100644 +--- a/libraries/liblunicode/Makefile.in ++++ b/libraries/liblunicode/Makefile.in +@@ -35,6 +35,9 @@ $(XXDIR)/uctable.h: $(XXDIR)/ucgendat.c $(srcdir)/UnicodeData.txt $(srcdir)/Comp $(MAKE) ucgendat ./ucgendat $(srcdir)/UnicodeData.txt -x $(srcdir)/CompositionExclusions.txt 
@@ -28,10 +36,10 @@ Index: libraries/liblunicode/Makefile.in ucgendat: $(XLIBS) ucgendat.o $(LTLINK) -o $@ ucgendat.o $(LIBS) -Index: libraries/liblutil/Makefile.in -=================================================================== ---- libraries/liblutil/Makefile.in.orig -+++ libraries/liblutil/Makefile.in +diff --git a/libraries/liblutil/Makefile.in b/libraries/liblutil/Makefile.in +index b527966..a04e18e 100644 +--- a/libraries/liblutil/Makefile.in ++++ b/libraries/liblutil/Makefile.in @@ -19,6 +19,9 @@ PROGRAM = testavl LDAP_INCDIR= ../../include LDAP_LIBDIR= ../../libraries @@ -42,11 +50,25 @@ Index: libraries/liblutil/Makefile.in NT_SRCS = ntservice.c NT_OBJS = ntservice.o slapdmsg.res -Index: servers/slapd/Makefile.in -=================================================================== ---- servers/slapd/Makefile.in.orig -+++ servers/slapd/Makefile.in -@@ -69,6 +69,9 @@ SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BA +diff --git a/libraries/librewrite/Makefile.in b/libraries/librewrite/Makefile.in +index 72678c1..a4e0bcc 100644 +--- a/libraries/librewrite/Makefile.in ++++ b/libraries/librewrite/Makefile.in +@@ -26,6 +26,9 @@ OBJS = config.o context.o info.o ldapmap.o map.o params.o rule.o \ + LDAP_INCDIR= ../../include + LDAP_LIBDIR= ../../libraries + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + LIBRARY = librewrite.a + PROGRAMS = rewrite + XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) \ +diff --git a/servers/slapd/Makefile.in b/servers/slapd/Makefile.in +index c170d79..23a18eb 100644 +--- a/servers/slapd/Makefile.in ++++ b/servers/slapd/Makefile.in +@@ -69,6 +69,9 @@ SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BACKENDS@ SLAPI_LIBS=@LIBSLAPI@ @SLAPI_LIBS@ 
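Review bot: `PIE_CFLAGS="-fPIE"` and `PIE_LDFLAGS="-pie"` in the librewrite section keep the double quotes as part of the variable value, because make does not strip quotes; the flags only come out right while every use passes through a shell. I would write them as `PIE_CFLAGS = -fPIE` and `PIE_LDFLAGS = -pie`. The same two lines appear in the back-ldif, back-relay and overlays sections later in this file. The top.mk lines that consume these variables are not visible in the hunks, so it is worth confirming on the built package that `readelf -h` reports type DYN for slapd, since a silently dropped flag would leave the daemon without a randomized base address.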
@@ -56,10 +78,10 @@ Index: servers/slapd/Makefile.in XDEFS = $(MODULES_CPPFLAGS) XLDFLAGS = $(MODULES_LDFLAGS) -Index: servers/slapd/back-bdb/Makefile.in -=================================================================== ---- servers/slapd/back-bdb/Makefile.in.orig -+++ servers/slapd/back-bdb/Makefile.in +diff --git a/servers/slapd/back-bdb/Makefile.in b/servers/slapd/back-bdb/Makefile.in +index f44dab2..d919931 100644 +--- a/servers/slapd/back-bdb/Makefile.in ++++ b/servers/slapd/back-bdb/Makefile.in @@ -37,6 +37,9 @@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_BDB@_DEFS) MOD_LIBS = $(BDB_LIBS) @@ -70,10 +92,10 @@ Index: servers/slapd/back-bdb/Makefile.in shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -Index: servers/slapd/back-hdb/Makefile.in -=================================================================== ---- servers/slapd/back-hdb/Makefile.in.orig -+++ servers/slapd/back-hdb/Makefile.in +diff --git a/servers/slapd/back-hdb/Makefile.in b/servers/slapd/back-hdb/Makefile.in +index 5d8381c..a80d8c0 100644 +--- a/servers/slapd/back-hdb/Makefile.in ++++ b/servers/slapd/back-hdb/Makefile.in @@ -41,6 +41,9 @@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_HDB@_DEFS) MOD_LIBS = $(BDB_LIBS) 
@@ -84,66 +106,10 @@ Index: servers/slapd/back-hdb/Makefile.in shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -Index: servers/slapd/overlays/Makefile.in -=================================================================== ---- servers/slapd/overlays/Makefile.in.orig -+++ servers/slapd/overlays/Makefile.in -@@ -45,6 +45,9 @@ LTONLY_MOD = $(LTONLY_mod) - LDAP_INCDIR= ../../../include - LDAP_LIBDIR= ../../../libraries - -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ - MOD_DEFS = -DSLAPD_IMPORT - - shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) -Index: servers/slapd/back-relay/Makefile.in -=================================================================== ---- servers/slapd/back-relay/Makefile.in.orig -+++ servers/slapd/back-relay/Makefile.in -@@ -25,6 +25,9 @@ BUILD_MOD = @BUILD_RELAY@ - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(@BUILD_RELAY@_DEFS) - -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ - shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) - UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) -Index: servers/slapd/back-ldif/Makefile.in -=================================================================== ---- servers/slapd/back-ldif/Makefile.in.orig -+++ servers/slapd/back-ldif/Makefile.in -@@ -25,6 +25,9 @@ BUILD_MOD = yes - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(yes_DEFS) - -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ - shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - NT_LINK_LIBS = -L.. 
-lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) - UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -Index: libraries/librewrite/Makefile.in -=================================================================== ---- libraries/librewrite/Makefile.in.orig -+++ libraries/librewrite/Makefile.in -@@ -26,6 +26,9 @@ OBJS = config.o context.o info.o ldapmap - LDAP_INCDIR= ../../include - LDAP_LIBDIR= ../../libraries - -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ - LIBRARY = librewrite.a - PROGRAMS = rewrite - XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) \ -Index: servers/slapd/back-ldap/Makefile.in -=================================================================== ---- servers/slapd/back-ldap/Makefile.in.orig -+++ servers/slapd/back-ldap/Makefile.in +diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in +index 64a4af8..51495d5 100644 +--- a/servers/slapd/back-ldap/Makefile.in ++++ b/servers/slapd/back-ldap/Makefile.in @@ -29,6 +29,9 @@ BUILD_MOD = @BUILD_LDAP@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_LDAP@_DEFS) 
@@ -154,10 +120,24 @@ Index: servers/slapd/back-ldap/Makefile.in shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -Index: servers/slapd/back-monitor/Makefile.in -=================================================================== ---- servers/slapd/back-monitor/Makefile.in.orig -+++ servers/slapd/back-monitor/Makefile.in +diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in +index 29450ae..c47641f 100644 +--- a/servers/slapd/back-ldif/Makefile.in ++++ b/servers/slapd/back-ldif/Makefile.in +@@ -25,6 +25,9 @@ BUILD_MOD = yes + mod_DEFS = -DSLAPD_IMPORT + MOD_DEFS = $(yes_DEFS) + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) + NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in +index 6005b2d..a8f45a7 100644 +--- a/servers/slapd/back-monitor/Makefile.in ++++ b/servers/slapd/back-monitor/Makefile.in @@ -33,6 +33,9 @@ BUILD_MOD = @BUILD_MONITOR@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_MONITOR@_DEFS) 
@@ -168,3 +148,34 @@ Index: servers/slapd/back-monitor/Makefile.in shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in +index a408f34..518c7e5 100644 +--- a/servers/slapd/back-relay/Makefile.in ++++ b/servers/slapd/back-relay/Makefile.in +@@ -25,6 +25,9 @@ BUILD_MOD = @BUILD_RELAY@ + mod_DEFS = -DSLAPD_IMPORT + MOD_DEFS = $(@BUILD_RELAY@_DEFS) + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) + NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +index 0b7ce5c..7a48574 100644 +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -46,6 +46,9 @@ LTONLY_MOD = $(LTONLY_mod) + LDAP_INCDIR= ../../../include + LDAP_LIBDIR= ../../../libraries + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + MOD_DEFS = -DSLAPD_IMPORT + + shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) +-- +1.7.1 + diff --git a/slapd-bconfig-del-db.dif b/0006-assorted-fixes-for-back-config-DELETE-support.dif similarity index 66% rename from slapd-bconfig-del-db.dif rename to 0006-assorted-fixes-for-back-config-DELETE-support.dif index 620232b..44f9946 100644 --- a/slapd-bconfig-del-db.dif +++ b/0006-assorted-fixes-for-back-config-DELETE-support.dif 
@@ -1,8 +1,16 @@ -Index: servers/slapd/bconfig.c -=================================================================== ---- servers/slapd/bconfig.c.orig -+++ servers/slapd/bconfig.c -@@ -5492,13 +5492,26 @@ config_back_delete( Operation *op, SlapR +From a998fdc90747f222d261e714ea7e757ad0345f56 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Wed, 16 Jun 2010 14:08:56 +0200 +Subject: assorted fixes for back-config DELETE support + + + 1 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 8626f21..4ec085f 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -5924,13 +5924,26 @@ config_back_delete( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_UNWILLING_TO_PERFORM; } else if ( op->o_abandon ) { rs->sr_err = SLAPD_ABANDON; @@ -31,7 +39,7 @@ Index: servers/slapd/bconfig.c /* remove CfEntryInfo from the siblings list */ if ( ce->ce_parent->ce_kids == ce ) { -@@ -5560,6 +5573,7 @@ config_back_delete( Operation *op, SlapR +@@ -5992,6 +6005,7 @@ config_back_delete( Operation *op, SlapReply *rs ) #else rs->sr_err = LDAP_UNWILLING_TO_PERFORM; #endif /* SLAP_CONFIG_DELETE */ @@ -39,3 +47,6 @@ Index: servers/slapd/bconfig.c send_ldap_result( op, rs ); return rs->sr_err; } +-- +1.7.1 + diff --git a/Syncprov-might-lose-deletes-ITS-6555.dif b/Syncprov-might-lose-deletes-ITS-6555.dif deleted file mode 100644 index 9e0bd94..0000000 --- a/Syncprov-might-lose-deletes-ITS-6555.dif +++ /dev/null 
@@ -1,38 +0,0 @@
-From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001
-From: ralf
-Date: Thu, 20 May 2010 15:08:28 +0000
-Subject: Syncprov might lose deletes (ITS#6555)
-
-During the refresh phase the sync filter needs to be adjusted (skipping
-the "(entrycsn>=cookie)" part that was inserted) when checking whether a
-change needs to be replicated, otherwise we lose DELETES that happen during
-the refresh phase.
-
-bnc#606294
-
- 1 files changed, 9 insertions(+), 1 deletions(-)
-
-diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
-index 675568e..030edf5 100644
---- a/servers/slapd/overlays/syncprov.c
-+++ b/servers/slapd/overlays/syncprov.c
-@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
- op2.o_hdr = &oh;
- op2.o_extra = op->o_extra;
- op2.o_callback = NULL;
-- rc = test_filter( &op2, e, ss->s_op->ors_filter );
-+ ldap_pvt_thread_mutex_lock( &ss->s_mutex );
-+ if (ss->s_flags & PS_FIX_FILTER) {
-+ /* Skip the AND/GE clause that we stuck on in front. We
-+ would lose deletes/mods that happen during the refresh
-+ phase otherwise (ITS#6555) */
-+ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next;
-+ }
-+ ldap_pvt_thread_mutex_unlock( &ss->s_mutex );
-+ rc = test_filter( &op2, e, op2.ors_filter );
- }
-
- Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n",
---
-1.7.0.3
-
diff --git a/ldapi_url.dif b/ldapi_url.dif
deleted file mode 100644
index b8eb3f9..0000000
--- a/ldapi_url.dif
+++ /dev/null
@@ -1,11 +0,0 @@
---- include/ldap_defaults.h 2004/04/14 14:13:27 1.1
-+++ include/ldap_defaults.h 2004/04/14 14:14:01
-@@ -39,7 +39,7 @@
- #define LDAP_ENV_PREFIX "LDAP"
-
- /* default ldapi:// socket */
--#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
-+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
-
- /*
- * SLAPD DEFINITIONS
diff --git a/openldap-2.4.21.tar.bz2 b/openldap-2.4.21.tar.bz2
deleted file mode 100644
index ef5bbfc..0000000
--- a/openldap-2.4.21.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7140bb913a95765134daf5ee17254d938f54c981790d328e6cd3ca7ad6cea915
-size 4421498
diff --git a/openldap-2.4.23.tar.bz2 b/openldap-2.4.23.tar.bz2
new file mode 100644
index 0000000..1ab37f7
--- /dev/null
+++ b/openldap-2.4.23.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56349b44f6219fa305e9ebaffd6f2c2c57e3229a1f1c850f6fc5f6ba4e06c03a
+size 4223407
diff --git a/openldap2-client.changes b/openldap2-client.changes
index 58841dd..ba2e760 100644
--- a/openldap2-client.changes
+++ b/openldap2-client.changes
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Fri Jul 23 07:49:40 UTC 2010 - rhafer@novell.com + +- Fixed RPM Group and Summary Tags (bnc#624980) + +------------------------------------------------------------------- +Thu Jul 1 13:02:13 UTC 2010 - rhafer@novell.com + +- Updated to 2.4.23: + * Fixed libldap to return server's error code (ITS#6569) + * Fixed libldap memleaks (ITS#6568) + * Fixed liblutil off-by-one with delta (ITS#6541) + * Fixed slapd acls with glued databases (ITS#6468) + * Fixed slapd syncrepl rid logging (ITS#6533) + * Fixed slapd modrdn handling of invalid values (bnc#612430, + ITS#6570) + * Fixed slapd-bdb hasSubordinates computation (ITS#6549) + * Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474) + * Fixed slapd-bdb entry cache delete failure (ITS#6577) + * Fixed slapd-ldap to return control responses (ITS#6530) + * Fixed slapo-ppolicy to use Debug (ITS#6566) + * Fixed slapo-refint to zero out freed DN vals (ITS#6572) + * Fixed slapo-rwm to use Debug (ITS#6566) + * Fixed slapo-sssvlv to use Debug (ITS#6566) + * Fixed slapo-syncprov lost deletes in refresh phase (bnc#606294, + ITS#6555) + * Fixed slapo-valsort to use Debug (ITS#6566) + * Fixed contrib/nssov network.c missing patch (ITS#6562) + ------------------------------------------------------------------- Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com 
@@ -7,12 +36,85 @@ Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com "refreshAndPersist" replication failed to replicate under certain circumstances (bnc#606294, ITS#6555) +------------------------------------------------------------------- +Thu Jun 17 15:53:49 UTC 2010 - rhafer@novell.com + +- New subpackage openldap2-back-sql. Contains the SQL backend + module plus some documentation (bnc#395719) + +------------------------------------------------------------------- +Thu Jun 17 13:02:40 UTC 2010 - rhafer@novell.com + +- generate Patches from git tree (resulted in all patches being + renamed) +- installing binaries without stripping them is done by setting + the STRIP enviroment variable instead for patching the Makefile + now +- Fixed a bug in the syncprov overlay which could lead to not + replicate delete Operations (ITS#6555, bnc#606294) + ------------------------------------------------------------------- Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com - Create /var/run/slapd on demand. /var/run might be mounted on tmpfs. 
+------------------------------------------------------------------- +Wed Apr 28 11:17:06 UTC 2010 - rhafer@novell.com + +- BuildRequires cleanup + +------------------------------------------------------------------- +Mon Apr 26 15:14:17 UTC 2010 - rhafer@novell.com + +- Updated to 2.4.22: + * Added slapd SLAP_SCHEMA_EXPOSE flag for hidden schema elements + (ITS#6435) + * Added slapd tools selective iterations (ITS#6442) + * Added slapd syncrepl TCP keepalive (ITS#6389) + * Added slapo-ldap idassert-passthru (ITS#6456) + * Added slapo-pbind + * Fixed libldap gmtime re-entrancy (ITS#6262) + * Fixed libldap gssapi off by one error (ITS#6223) + * Fixed libldap referral on bind behavior(ITS#6510) + * Fixed slapd acl non-entry internal searches (ITS#6481) + * Fixed slapd acl attrval style initialization (ITS#6520) + * Fixed slapd certificateListValidate (ITS#6466) + * Fixed slapd empty URI parsing (ITS#6465) + * Fixed slapd glued misplaced entries (ITS#6506) + * Fixed slapd glued paged cookies (ITS#6507) + * Fixed slapd glued paged results (ITS#6504) + * Fixed slapd gmtime re-entrancy (ITS#6262) + * Fixed slapd to ignore controls with unrecognized flag + (ITS#6480) + * Fixed slapd entry ownership (ITS#5340) + * Fixed slapd sasl auxprop_lookup (ITS#6441) + * Fixed slapd sasl auxprop ssf (ITS#5195) + * Fixed slapd syncrepl for attributes with no matching rule + (ITS#6458) + * Fixed slapd syncrepl for unknown attrs and delta-sync + (ITS#6473) + * Fixed slapd syncrep loop with moddn (ITS#6472) + * Fixed slapo-accesslog to not replicate internal purges + (ITS#6519) + * Fixed slapd-bdb contextCSN updates from updatedn (ITS#6469) + * Fixed slapd-bdb lockobj zeroing (ITS#6501) + * Fixed slapd-ldap/meta control criticality (ITS#6523) + * Fixed slapd-ldap/meta with ordered values (ITS#6516) + * Fixed slapo-collect entry ownership (ITS#5340,ITS#6423) + * Fixed slapo-dds with NULL backend (ITS#6490) + * Fixed slapo-dynlist entry ownership (ITS#5340,ITS#6423) + * Fixed 
slapo-memberof attr count (ITS#6508) + * Fixed slapo-pcache to release its own entries (ITS#6484) + * Fixed slapo-pcache with NULL backend (ITS#6490) + * Fixed slapo-rwm entry release handling (ITS#6484) + * Fixed slapo-rwm memory handling with rewrites (ITS#6526) + * Fixed slapo-rwm olcRwmMap handling (ITS#6436) + * Fixed slapo-rwm entry ownership (ITS#5340,ITS#6423) + * Fixed slapo-syncprov memory leak (ITS#6459) + * Fixed slapo-translucent counter increment (ITS#6497) + * Fixed slapo-valsort entry ownership (ITS#5340,ITS#6423) + ------------------------------------------------------------------- Thu Apr 15 08:18:49 UTC 2010 - adrian@suse.de diff --git a/openldap2-client.spec b/openldap2-client.spec index 51137f4..cd58ff2 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,5 +1,5 @@ # -# spec file for package openldap2-client (Version 2.4.21) +# spec file for package openldap2 (Version 2.4.21) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -19,25 +19,25 @@ %define run_test_suite 1 -Name: openldap2-client -BuildRequires: cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel -%if %sles_version == 9 -BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel +Name: openldap2-client +BuildRequires: cyrus-sasl-devel libopenssl-devel +%if %sles_version == 9 || %sles_version == 10 +BuildRequires: -libopenssl-devel -pwdutils openssl-devel %endif -%if %sles_version == 10 -BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel -%endif -Version: 2.4.21 -Release: 6 +Version: 2.4.23 +Release: 4 Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" -BuildRequires: openslp-devel -Group: Productivity/Networking/LDAP/Clients +BuildRequires: unixODBC-devel openslp-devel db-devel tcpd-devel +%if %sles_version == 9 || %sles_version == 10 +BuildRequires: -db-devel libdb-4_5-devel +%endif +Group: Productivity/Networking/LDAP/Servers Conflicts: openldap Requires: libldap-2_4-2 = %{version} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -Summary: The OpenLDAP commandline client tools +Summary: The OpenLDAP Server %else Group: Productivity/Networking/LDAP/Clients Conflicts: openldap-client 
@@ -53,15 +53,12 @@ Source4: sasl-slapd.conf Source5: README.update Source6: schema2ldif Source100: openldap-2.3.37.tar.bz2 -Patch1: openldap2.dif -Patch2: slapd_conf.dif -Patch4: ldapi_url.dif -Patch5: slapd-back-hdb-fortify.dif -Patch6: libldap-gethostbyname_r.dif -Patch7: pie-compile.dif -Patch11: slapd-bconfig-del-db.dif -Patch12: Syncprov-might-lose-deletes-ITS-6555.dif -Patch13: slapd-modrdn-crash-ITS-6570.dif +Patch1: 0001-build-adjustments.dif +Patch2: 0002-slapd.conf.dif +Patch3: 0003-LDAPI-socket-location.dif +Patch4: 0004-libldap-use-gethostbyname_r.dif +Patch5: 0005-pie-compile.dif +Patch6: 0006-assorted-fixes-for-back-config-DELETE-support.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -116,6 +113,21 @@ Authors: -------- The OpenLDAP Project +%package -n openldap2-back-sql +License: BSD3c(or similar) +Summary: OpenLDAP SQL Back-End +Requires: openldap2 = %{version} +AutoReqProv: on +Group: Productivity/Networking/LDAP/Servers + +%description -n openldap2-back-sql +The primary purpose of this OpenLDAP backend is to present information +stored in a Relational (SQL) Database as an LDAP subtree without the need +to do any programming. + +Authors: +-------- + The OpenLDAP Project %else %description @@ -173,17 +185,14 @@ Authors: %prep %setup -q -n openldap-%{version} -a1 -a2 -b100 -%patch1 -%patch2 -%patch4 -%patch5 -%patch6 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %if %suse_version > 920 -%patch7 +%patch5 -p1 %endif -%patch11 -%patch12 -p1 -%patch13 -p1 +%patch6 -p1 %if %suse_version == 1100 %patch200 -p1 %endif 
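Review bot: `Patch5: slapd-back-hdb-fortify.dif` disappears from the patch list and from `%prep` without any line in the .changes file accounting for it. The two ITS patches dropped alongside it are traceable, because the 2.4.23 entry names ITS#6555 and ITS#6570 as fixed upstream. The fortify patch may be covered by "Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474)" in the same entry, but that mapping is only a guess from the wording. Once confirmed against the 2.4.23 sources, I would add a line such as `- Dropped slapd-back-hdb-fortify.dif (fixed upstream, ITS#<id>)` so that the removal of a hardening-related patch can be audited later.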
@@ -196,13 +205,10 @@ cd ../openldap-2.3.37 libtoolize --force autoreconf export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" -./configure --prefix=/usr \ - --exec-prefix=/usr \ - --sysconfdir=%{_sysconfdir} \ +export STRIP="" +%configure \ --localstatedir=/var/run/slapd \ --libexecdir=/usr/lib/openldap \ - --libdir=%{_libdir} \ - --mandir=%{_mandir} \ --enable-wrappers \ --enable-aclgroups \ --enable-spasswd \ @@ -222,6 +228,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONN --enable-meta=mod \ --enable-monitor=yes \ --enable-perl=mod \ + --enable-sql=mod \ --enable-slp \ --enable-overlays=yes \ %else @@ -279,7 +286,7 @@ make SLAPD_DEBUG=0 test %install mkdir -p $RPM_BUILD_ROOT/etc/init.d mkdir -p $RPM_BUILD_ROOT/usr/sbin -make DESTDIR=$RPM_BUILD_ROOT install +make STRIP="" DESTDIR=$RPM_BUILD_ROOT install install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d @@ -313,10 +320,10 @@ rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sql.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la + #put filelists into files cat >openldap2.filelist < openldap2-back-meta.filelist < openldap2-back-sql.filelist <