From 605d80a7bb0e572a839869968602e21f8d474f330d68323b23327d9d1612b285 Mon Sep 17 00:00:00 2001 
From: Howard Guo Date: Thu, 21 Jan 2016 13:36:42 +0000 Subject: [PATCH] Accepting request 354705 from home:stroeder:branches:network:ldap Compared to my obsoleted request #339745: 1. sysconfdir now correctly is /etc/openldap 2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed) 3. added Recommends: cyrus-sasl 4. replaced README.dynamic-overlays by README.module-loading with updated text 5. added patch for OpenLDAP ITS#8336 OBS-URL: https://build.opensuse.org/request/show/354705 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146 --- 0002-slapd.conf.dif | 47 +-- 0007-Recover-on-DB-version-change.dif | 29 -- ...nd-do-not-return-Connection0-entries.patch | 29 -- ...vert-ITS-8240-remove-obsolete-assert.patch | 27 -- README.dynamic-overlays | 19 - README.module-loading | 25 ++ SuSEfirewall2.openldap | 17 + addonschema.tar.gz | 3 - ldapns.schema | 23 ++ openldap-2.4.42.tgz | 3 - openldap-2.4.43.tgz | 3 + openldap-rc.tgz | 3 - openldap-re24-its7796.patch | 80 ++++ openldap-re24-its8336.patch | 25 ++ openldap2-client.changes | 36 +- openldap2-client.spec | 337 +++++++++++------ openldap2.changes | 32 ++ openldap2.spec | 352 ++++++++++------- rfc2307bis.schema | 288 ++++++++++++++ slapd.conf.example | 354 ++++++++++++++++++ slapd.service | 11 + start | 208 ++++++++++ sysconfig.openldap | 158 ++++++++ yast.schema | 202 ++++++++++ 24 files changed, 1919 insertions(+), 392 deletions(-) delete mode 100644 0007-Recover-on-DB-version-change.dif delete mode 100644 0008-In-monitor-backend-do-not-return-Connection0-entries.patch delete mode 100644 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch delete mode 100644 README.dynamic-overlays create mode 100644 README.module-loading create mode 100644 SuSEfirewall2.openldap delete mode 100644 addonschema.tar.gz create mode 100644 ldapns.schema delete mode 100644 openldap-2.4.42.tgz create mode 100644 openldap-2.4.43.tgz delete mode 100644 openldap-rc.tgz 
create mode 100644 openldap-re24-its7796.patch create mode 100644 openldap-re24-its8336.patch create mode 100644 rfc2307bis.schema create mode 100644 slapd.conf.example create mode 100644 slapd.service create mode 100644 start create mode 100644 sysconfig.openldap create mode 100644 yast.schema diff --git a/0002-slapd.conf.dif b/0002-slapd.conf.dif index e05f799..9b9e6f2 100644 --- a/0002-slapd.conf.dif +++ b/0002-slapd.conf.dif @@ -1,35 +1,38 @@ -From a8be17d4a1db1c6ee24b328f3f34e21ccb02ca3f Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 16 Jun 2010 14:05:49 +0200 -Subject: slapd.conf - - diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf -index 4938b85..9caf292 100644 +index 4938b85..b9bec75 100644 --- a/servers/slapd/slapd.conf 
+++ b/servers/slapd/slapd.conf -@@ -3,6 +3,10 @@ +@@ -2,7 +2,11 @@ + # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # - include %SYSCONFDIR%/schema/core.schema -+include %SYSCONFDIR%/schema/cosine.schema -+include %SYSCONFDIR%/schema/inetorgperson.schema -+include %SYSCONFDIR%/schema/rfc2307bis.schema -+include %SYSCONFDIR%/schema/yast.schema +-include %SYSCONFDIR%/schema/core.schema ++include /etc/openldap/schema/core.schema ++include /etc/openldap/schema/cosine.schema ++include /etc/openldap/schema/inetorgperson.schema ++include /etc/openldap/schema/rfc2307bis.schema ++include /etc/openldap/schema/yast.schema # Define global ACLs to disable default read access. -@@ -10,8 +14,8 @@ include %SYSCONFDIR%/schema/core.schema +@@ -10,13 +14,13 @@ include %SYSCONFDIR%/schema/core.schema # service AND an understanding of referrals. #referral ldap://root.openldap.org -pidfile %LOCALSTATEDIR%/run/slapd.pid -argsfile %LOCALSTATEDIR%/run/slapd.args -+pidfile %LOCALSTATEDIR%/slapd.pid -+argsfile %LOCALSTATEDIR%/slapd.args ++pidfile /run/slapd/slapd.pid ++argsfile /run/slapd/slapd.args # Load dynamic backend modules: - # modulepath %MODULEDIR% +-# modulepath %MODULEDIR% ++# modulepath /usr/lib/openldap + # moduleload back_bdb.la +-# moduleload back_hdb.la ++moduleload back_hdb.la + # moduleload back_ldap.la + + # Sample security restrictions @@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args # security ssf=1 update_ssf=112 simple_bind=64 
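Review bot: The new slapd.conf lines replace the `%SYSCONFDIR%` and `%LOCALSTATEDIR%` build-time placeholders with literal `/etc/openldap` and `/run/slapd`, so the schema includes, pidfile and argsfile no longer follow the `--sysconfdir`/`--localstatedir` values the spec passes to configure; the `%else` branch in openldap2-client.spec sets `_rundir` to `/var/run/slapd`, and the two only agree where /var/run is a symlink to /run. The same hard-coding applies to `directory /var/lib/ldap` in the third hunk of this file. The uncommented `moduleload back_hdb.la` relies on the compiled-in module directory, which the spec now sets via `--libexecdir=%{_libdir}`, while the commented hint on the line above still says `# modulepath /usr/lib/openldap`; on lib64 systems that hint is wrong, so I would change it to `# modulepath /usr/lib64/openldap   (see README.module-loading: ls /usr/lib*/openldap/*.so)`.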
@@ -75,9 +78,12 @@ index 4938b85..9caf292 100644 # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") -@@ -52,6 +66,8 @@ argsfile %LOCALSTATEDIR%/run/slapd.args +@@ -50,8 +64,10 @@ argsfile %LOCALSTATEDIR%/run/slapd.args + # BDB database definitions + ####################################################################### - database bdb +-database bdb ++database hdb suffix "dc=my-domain,dc=com" +checkpoint 1024 5 +cachesize 10000 @@ -92,6 +98,3 @@ index 4938b85..9caf292 100644 +directory /var/lib/ldap # Indices to maintain index objectClass eq --- -1.7.10.4 - diff --git a/0007-Recover-on-DB-version-change.dif b/0007-Recover-on-DB-version-change.dif deleted file mode 100644 index 37f109b..0000000 --- a/0007-Recover-on-DB-version-change.dif +++ /dev/null @@ -1,29 +0,0 @@ -From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Tue, 5 Oct 2010 14:20:22 +0200 -Subject: Recover on DB version change - -If the libdb Version changed try to recover the database. Note: This will -only succeed if only the format of transaction logs changed. - -diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c -index ac5a6d5..fea5cb4 100644 ---- a/servers/slapd/back-bdb/init.c -+++ b/servers/slapd/back-bdb/init.c -@@ -330,6 +330,13 @@ shm_retry: - rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome, - flags | do_recover, bdb->bi_dbenv_mode ); - -+ if ( rc == DB_VERSION_MISMATCH ) { -+ Debug( LDAP_DEBUG_ANY, -+ LDAP_XSTRING(bdb_db_open) ": bdb version change detected " -+ "trying to recover\n", 0, 0, 0 ); -+ rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome, -+ flags | DB_RECOVER, bdb->bi_dbenv_mode ); -+ } - if ( rc ) { - /* Regular open failed, probably a missing shm environment. - * Start over, do a recovery. --- -1.7.10.4 - 
diff --git a/0008-In-monitor-backend-do-not-return-Connection0-entries.patch b/0008-In-monitor-backend-do-not-return-Connection0-entries.patch deleted file mode 100644 index 1cdb257..0000000 --- a/0008-In-monitor-backend-do-not-return-Connection0-entries.patch +++ /dev/null @@ -1,29 +0,0 @@ -From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001 -From: HouzuoGuo -Date: Fri, 13 Mar 2015 16:14:10 +0100 -Subject: [PATCH] In monitor backend, do not return Connection0 entries as they - are created for internal use only. - ---- - servers/slapd/back-monitor/conn.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c -index c1995b0..2d27738 100644 ---- a/servers/slapd/back-monitor/conn.c -+++ b/servers/slapd/back-monitor/conn.c -@@ -454,6 +454,11 @@ monitor_subsys_conn_create( - c != NULL; - c = connection_next( c, &connindex ) ) - { -+ /* Connection 0 is created by connection_client_setup for internal use only */ -+ if (c->c_connid == 0) { -+ continue; -+ } -+ - monitor_entry_t *mp; - - if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE --- -2.1.4 - diff --git a/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch deleted file mode 100644 index a85b81a..0000000 --- a/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001 -From: Howard Chu -Date: Sat, 12 Sep 2015 22:18:22 +0100 -Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert"" - -We have never documented our use of assert, so can't expect -builders to do the right thing. -This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993. - -The commit fixes CVE-2015-6908. - -diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c -index 85c3e23..c05dcf8 100644 ---- a/libraries/liblber/io.c -+++ b/libraries/liblber/io.c -@@ -679,7 +679,7 @@ done: - return (ber->ber_tag); - } - -- assert( 0 ); /* ber structure is messed up ?*/ -+ /* invalid input */ - return LBER_DEFAULT; - } - --- -2.6.3 - diff --git a/README.dynamic-overlays b/README.dynamic-overlays deleted file mode 100644 index c071a6b..0000000 --- a/README.dynamic-overlays +++ /dev/null @@ -1,19 +0,0 @@ -Most of the OpenLDAP overlays are now compiled as dynamic modules in our -packages. If you want to use any of these in your setup make sure to put -the correct "olcModuleLoad" or "moduleload" statements in your configuration. -For details please see the slapd-config(5) and slapd.conf(5) manpages -(depending on which config mechanism you use). - -For a list of the list of included dynamic modules see the -"/usr/lib/openldap/modules/" directory. - -For convenience and backwards compatibility some overlays are are still -compiled statically into the slapd binary. To see which overlays that are -call "/usr/lib/openldap/slapd -VVV". Currently these are: - -syncprov (the provider part of syncrepl replication) -ppolicy (a LDAP Password Policy implementation) - -Documentations for the overlays can be found in the respective man pages -(named "slapo-") or the OpenLDAP Administration Guide which -is part of the "openldap2-doc" package. diff --git a/README.module-loading b/README.module-loading new file mode 100644 index 0000000..6535424 --- /dev/null +++ b/README.module-loading 
@@ -0,0 +1,25 @@ +All of the OpenLDAP backends (except back-config) and overlays are now +compiled as dynamic modules in our packages. If you want to use any of +these in your setup make sure to put the correct "olcModuleLoad" or +"moduleload" statements in your configuration. + +For details please see the slapd-config(5) and slapd.conf(5) manpages +(depending on which config mechanism you use). + +For a list of the included dynamic modules list all modules files: + +ls /usr/lib*/openldap/*.so + +Or just the backend files: + +ls /usr/lib*/openldap/back_*.so + +Documentations for the overlays can be found in the respective man pages or +the OpenLDAP Administration Guide which is part of the "openldap2-doc" +package. + +Backend man-pages: +man 5 slapo- + +Overlays man-pages: +man 5 slapo- diff --git a/SuSEfirewall2.openldap b/SuSEfirewall2.openldap new file mode 100644 index 0000000..e3fd802 --- /dev/null +++ b/SuSEfirewall2.openldap @@ -0,0 +1,17 @@ +## Name: OpenLDAP Server +## Description: Opens ports for the OpenLDAP Server (slapd). + +# space separated list of allowed TCP ports +TCP="ldap ldaps" + +# space separated list of allowed UDP ports +UDP="ldap" + +# space separated list of allowed RPC services +RPC="" + +# space separated list of allowed IP protocols +IP="" + +# space separated list of allowed UDP broadcast ports +BROADCAST="" diff --git a/addonschema.tar.gz b/addonschema.tar.gz deleted file mode 100644 index 9fd432f..0000000 --- a/addonschema.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a1a0de4fe8c80b0210a706a9e8313b3c2f8b72b2de88961acf433a4e09752a4f -size 3480 diff --git a/ldapns.schema b/ldapns.schema new file mode 100644 index 0000000..15571cf --- /dev/null +++ b/ldapns.schema 
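Review bot: `UDP="ldap"` opens UDP/389 for a daemon that only answers connectionless LDAP when built with `LDAP_CONNECTIONLESS`, and the new CFLAGS line in openldap2-client.spec drops that define, so the rule exposes a port nothing listens on; I would set `UDP=""`. `TCP="ldap ldaps"` likewise opens 636 whether or not the shipped configuration binds `ldaps://`; the start script and sysconfig file are not visible here, so if the default does not bind it, `TCP="ldap"` keeps the opened set equal to the listening set and admins who enable TLS can widen it.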
@@ -0,0 +1,23 @@ +# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $ + +# LDAP Name Service Additional Schema + +# http://www.iana.org/assignments/gssapi-service-names + +attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' + DESC 'IANA GSS-API authorized service name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' + DESC 'Auxiliary object class for adding authorizedService attribute' + SUP top + AUXILIARY + MAY authorizedService ) + +objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' + DESC 'Auxiliary object class for adding host attribute' + SUP top + AUXILIARY + MAY host ) + diff --git a/openldap-2.4.42.tgz b/openldap-2.4.42.tgz deleted file mode 100644 index b57d335..0000000 --- a/openldap-2.4.42.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:eeb7b0e2c5852bfd2650e83909bb6152835c0b862fab10b63954dc1bcbba8e63 -size 5645925 diff --git a/openldap-2.4.43.tgz b/openldap-2.4.43.tgz new file mode 100644 index 0000000..26ad249 --- /dev/null +++ b/openldap-2.4.43.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:34d78e5598a2b0360d26a9050fcdbbe198c65493b013bb607839d5598b6978c8 +size 5654057 diff --git a/openldap-rc.tgz b/openldap-rc.tgz deleted file mode 100644 index 7701724..0000000 --- a/openldap-rc.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5ec6d4241cd2080d20f9d8da8d76e51cfbe88ab14cdb9cbff4fea1348ce174c4 -size 4018 diff --git a/openldap-re24-its7796.patch b/openldap-re24-its7796.patch new file mode 100644 index 0000000..1f073dd --- /dev/null +++ b/openldap-re24-its7796.patch 
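Review bot: `hostObject` lists `host` in its MAY clause but this file does not define that attribute; in the upstream schema set it comes from cosine.schema, so ldapns.schema only loads after cosine.schema, and nothing in the file says so. I would add a header comment, `# Depends on cosine.schema (defines the 'host' attribute); include it first`. The slapd.conf hunk in 0002-slapd.conf.dif includes cosine.schema but not this file, so the ordering only matters for admins who add it by hand, which is exactly when a comment helps.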
@@ -0,0 +1,80 @@
+diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c
+index 71e3ea4..bafef72 100644
+--- a/servers/slapd/back-bdb/filterindex.c
++++ b/servers/slapd/back-bdb/filterindex.c
+@@ -741,7 +741,7 @@ equality_candidates(
+ &db, &mask, &prefix );
+
+ if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
+- Debug( LDAP_DEBUG_ANY,
++ Debug( LDAP_DEBUG_TRACE,
+ "<= bdb_equality_candidates: (%s) not indexed\n",
+ ava->aa_desc->ad_cname.bv_val, 0, 0 );
+ return 0;
+@@ -858,7 +858,7 @@ approx_candidates(
+ &db, &mask, &prefix );
+
+ if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
+- Debug( LDAP_DEBUG_ANY,
++ Debug( LDAP_DEBUG_TRACE,
+ "<= bdb_approx_candidates: (%s) not indexed\n",
+ ava->aa_desc->ad_cname.bv_val, 0, 0 );
+ return 0;
+@@ -978,7 +978,7 @@ substring_candidates(
+ &db, &mask, &prefix );
+
+ if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
+- Debug( LDAP_DEBUG_ANY,
++ Debug( LDAP_DEBUG_TRACE,
+ "<= bdb_substring_candidates: (%s) not indexed\n",
+ sub->sa_desc->ad_cname.bv_val, 0, 0 );
+ return 0;
+@@ -1095,7 +1095,7 @@ inequality_candidates(
+ &db, &mask, &prefix );
+
+ if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
+- Debug( LDAP_DEBUG_ANY,
++ Debug( LDAP_DEBUG_TRACE,
+ "<= bdb_inequality_candidates: (%s) not indexed\n",
+ ava->aa_desc->ad_cname.bv_val, 0, 0 );
+ return 0;
+diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c
+index 58c1cc8..20c58b7 100644
+--- a/servers/slapd/back-mdb/filterindex.c
++++ b/servers/slapd/back-mdb/filterindex.c
+@@ -709,7 +709,7 @@ equality_candidates(
+ &dbi, &mask, &prefix );
+
+ if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
+- Debug( LDAP_DEBUG_ANY,
++ Debug( LDAP_DEBUG_TRACE,
+ "<= mdb_equality_candidates: (%s) not indexed\n",
+ ava->aa_desc->ad_cname.bv_val, 0, 0 );
+ return 0;
+@@ -825,7 +825,7 @@ approx_candidates(
+ &dbi, &mask, &prefix );
+
+ if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
+- Debug( LDAP_DEBUG_ANY,
++ Debug( LDAP_DEBUG_TRACE,
+ "<= 
mdb_approx_candidates: (%s) not indexed\n", + ava->aa_desc->ad_cname.bv_val, 0, 0 ); + return 0; +@@ -944,7 +944,7 @@ substring_candidates( + &dbi, &mask, &prefix ); + + if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { +- Debug( LDAP_DEBUG_ANY, ++ Debug( LDAP_DEBUG_TRACE, + "<= mdb_substring_candidates: (%s) not indexed\n", + sub->sa_desc->ad_cname.bv_val, 0, 0 ); + return 0; +@@ -1060,7 +1060,7 @@ inequality_candidates( + &dbi, &mask, &prefix ); + + if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { +- Debug( LDAP_DEBUG_ANY, ++ Debug( LDAP_DEBUG_TRACE, + "<= mdb_inequality_candidates: (%s) not indexed\n", + ava->aa_desc->ad_cname.bv_val, 0, 0 ); + return 0; diff --git a/openldap-re24-its8336.patch b/openldap-re24-its8336.patch new file mode 100644 index 0000000..71a0246 --- /dev/null +++ b/openldap-re24-its8336.patch @@ -0,0 +1,25 @@ +From fd7bfbc0df0ade534bea84914d385ecf2a73f678 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Tue, 8 Dec 2015 18:17:24 +0000 +Subject: ITS#8336 fix page_search_root assert on FreeDB + +Let "illegal" branch pages thru on the FreeDB - the condition +is only temporary and will be fixed by the time rebalance finishes. + +diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c +index fa0c9e5..a624cba 100644 +--- a/libraries/liblmdb/mdb.c ++++ b/libraries/liblmdb/mdb.c +@@ -5279,7 +5279,11 @@ mdb_page_search_root(MDB_cursor *mc, MDB_val *key, int flags) + indx_t i; + + DPRINTF(("branch page %"Z"u has %u keys", mp->mp_pgno, NUMKEYS(mp))); +- mdb_cassert(mc, NUMKEYS(mp) > 1); ++ /* Don't assert on branch pages in the FreeDB. We can get here ++ * while in the process of rebalancing a FreeDB branch page; we must ++ * let that proceed. ITS#8336 ++ */ ++ mdb_cassert(mc, !mc->mc_dbi || NUMKEYS(mp) > 1); + DPRINTF(("found index 0 to page %"Z"u", NODEPGNO(NODEPTR(mp, 0)))); + + if (flags & (MDB_PS_FIRST|MDB_PS_LAST)) { diff --git a/openldap2-client.changes b/openldap2-client.changes index c45cbc2..34efd1f 100644 --- a/openldap2-client.changes 
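Review bot: Lowering the eight "not indexed" messages from `LDAP_DEBUG_ANY` to `LDAP_DEBUG_TRACE` removes the only default-loglevel signal that a client is running unindexed searches, which is what operators look for when slapd CPU climbs under a burst of such requests. The patch is upstream ITS#7796 and the .changes entry gives the motivation, but neither says how to get the signal back; a sentence in openldap2.changes such as `unindexed-search notices now require loglevel trace (ITS#7796)` would let admins adjust their monitoring. Whether trace-level logging is acceptable on a given deployment is a separate question I cannot judge from here.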
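Review bot: The relaxed `mdb_cassert(mc, !mc->mc_dbi || NUMKEYS(mp) > 1)` only exists in the binary when NDEBUG is not defined, if liblmdb's `mdb_cassert` follows the usual NDEBUG gating, and the build hunk in openldap2-client.spec now puts `-DNDEBUG` into CFLAGS; in that case the packaged slapd never evaluates this assert and the patch matters only for builds without it. That is not wrong, but the dependency between the two changes is invisible, so a comment next to `Patch12:` such as `# ITS#8336: assert fix, only compiled in without -DNDEBUG` would save the next maintainer from chasing it.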
+++ b/openldap2-client.changes @@ -1,5 +1,37 @@ ------------------------------------------------------------------- -Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com +Tue Dec 8 11:36:16 UTC 2015 - michael@stroeder.com + +- Upgrade to upstream 2.4.43 release with accumulated bug fixes. +- Still build on SLES12 +- Loadable backend and overlay modules are now installed + into arch-specific path %{_libdir}/openldap +- All backends and overlays as modules for smaller memory footprint + on memory constrained systems +- Added extra package for back-sock +- Consequent use of %{_rundir} everywhere +- Rely on upstream ./configure script instead of any other + macro foo +- Dropped linking with libwrap +- Dropped 0004-libldap-use-gethostbyname_r.dif because this + work-around for nss_ldap is obsolete +- New sub-package openldap2-contrib with selected contrib/ overlays +- Replaced addonschema.tar.gz with separate schema sources +- Updated ldapns.schema from recent slapo-nssov source tree +- Added symbolic link to slapd executable in /usr/sbin/ +- Added more complex example configuration file + /etc/openldap/slapd.conf.example +- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap +- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap +- Added patch for OpenLDAP ITS#7796 to avoid excessive + "not index" logging +- Replaced openldap-rc.tgz with single source files +- Added soft dependency (Recommends) to cyrus-sasl +- Added soft dependency (Recommends) to cyrus-sasl-devel + to openldap2-devel +- Added patch for OpenLDAP ITS#8336 (assert in liblmdb) + +------------------------------------------------------------------- +Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) 
@@ -36,7 +68,7 @@ Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com check-build.sh ------------------------------------------------------------------- -Thu Oct 1 11:08:59 UTC 2015 - hguo@suse.com +Thu Oct 1 11:08:41 UTC 2015 - hguo@suse.com - Upgrade to upstream 2.4.42 release with accumulated bug fixes. diff --git a/openldap2-client.spec b/openldap2-client.spec index d613e96..5e68726 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,7 +1,7 @@ # # spec file for package openldap2-client # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,52 +17,58 @@ %define run_test_suite 0 -%define version_main 2.4.42 +%define version_main 2.4.43 -%if ! %{defined _rundir} -%define _rundir %{_localstatedir}/run +%if %{suse_version} >= 1310 && %{suse_version} != 1315 +%define _rundir /run/slapd +%else +%define _rundir /var/run/slapd %endif Name: openldap2-client Summary: The OpenLDAP commandline client tools License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Clients -Version: 2.4.42 +Version: %{version_main} Release: 0 Url: http://www.openldap.org Source: openldap-%{version_main}.tgz -Source1: openldap-rc.tgz -Source2: addonschema.tar.gz Source3: DB_CONFIG Source4: sasl-slapd.conf -Source5: README.dynamic-overlays +Source5: README.module-loading Source6: schema2ldif Source7: baselibs.conf -Patch1: 0001-build-adjustments.dif +Source9: ldapns.schema +Source10: rfc2307bis.schema +Source11: yast.schema +Source12: slapd.conf.example +Source13: start +Source14: slapd.service +Source15: SuSEfirewall2.openldap +Source16: sysconfig.openldap Patch2: 0002-slapd.conf.dif Patch3: 0003-LDAPI-socket-location.dif -Patch4: 0004-libldap-use-gethostbyname_r.dif +#Patch4: 0004-libldap-use-gethostbyname_r.dif Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif -Patch7: 0007-Recover-on-DB-version-change.dif -Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch -Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch +Patch10: openldap-re24-its7796.patch Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch +Patch12: openldap-re24-its8336.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff BuildRequires: libopenssl-devel BuildRequires: libtool +Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl %if "%{name}" == "openldap2" BuildRequires: db-devel BuildRequires: openslp-devel -BuildRequires: tcpd-devel BuildRequires: unixODBC-devel Conflicts: openldap 
-Requires: libldap-2_4-2 = %{version_main} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -%if 0%{?suse_version} >= 1140 +%if %{suse_version} >= 1310 && %{suse_version} != 1315 # avoid cycle with krb5 BuildRequires: krb5-mini BuildRequires: pkgconfig(systemd) @@ -70,7 +76,6 @@ BuildRequires: pkgconfig(systemd) %endif %else Conflicts: openldap-client -Requires: libldap-2_4-2 = %{version_main} %endif # For /usr/bin/strings Requires(pre): binutils @@ -78,10 +83,10 @@ Requires(pre): binutils %if "%{name}" == "openldap2" %description -The Lightweight Directory Access Protocol (LDAP) is used to access -online directory services. It runs directly over TCP and can be used to -access a stand-alone LDAP directory service or to access a directory -service that has an X.500 back-end. +OpenLDAP is a client and server reference implementation of the +Lightweight Directory Access Protocol v3 (LDAPv3). + +The server provides several database backends and overlays. %package -n openldap2-back-perl Summary: OpenLDAP Perl Back-End @@ -93,6 +98,16 @@ Requires: perl = %{perl_version} The OpenLDAP Perl back-end allows you to execute Perl code specific to different LDAP operations. +%package -n openldap2-back-sock +Summary: OpenLDAP Socket Back-End +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} +Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz + +%description -n openldap2-back-sock +The OpenLDAP socket back-end allows you to handle LDAP requests and +results with an external process listening on a Unix domain socket. + %package -n openldap2-back-meta Summary: OpenLDAP Meta Back-End Group: Productivity/Networking/LDAP/Servers 
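Review bot: `Patch10` now names openldap-re24-its7796.patch and the former Patch10, 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch (the CVE-2015-6908 fix, bsc#945582 per the changelog), is deleted, but neither the spec nor the .changes entry records why; presumably 2.4.43 carries ITS#8240 upstream, and that should be stated so the CVE trail survives, e.g. `# CVE-2015-6908 / ITS#8240 (bsc#945582): fixed upstream, local patch dropped` above the Patch list once checked against the upstream CHANGES. The new `%if %{suse_version} >= 1310 && %{suse_version} != 1315` (repeated in the `PreReq` hunk below) drops the `0%{?suse_version}` guard the old line used, so the spec no longer parses where that macro is undefined. Redefining the distribution's `_rundir` macro to `/run/slapd` also changes the meaning of every later `%{_rundir}` in the file; a package-specific name such as `slapd_rundir` would avoid shadowing the system value.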
@@ -115,6 +130,25 @@ The primary purpose of this OpenLDAP backend is to present information stored in a Relational (SQL) Database as an LDAP subtree without the need to do any programming. +%package -n openldap2-contrib +Summary: OpenLDAP Contrib Modules +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} + +%description -n openldap2-contrib +Various overlays found in contrib/: +allop +allowed Generates attributes indicating access rights +autogroup +cloak +denyop +lastbind writes last bind timestamp to entry +noopsrch handles no-op search control +nops +pw-sha2 generates/validates SHA-2 password hashes +pw-pbkdf2 generates/validates PBKDF2 password hashes +smbk5pwd generates Samba3 password hashes (heimdal krb disabled) + %package -n openldap2-doc Summary: OpenLDAP Documentation Group: Documentation/Other @@ -126,6 +160,7 @@ BuildArch: noarch %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts + Authors: -------- The OpenLDAP Project @@ -145,6 +180,7 @@ Obsoletes: openldap2-devel-64bit # Conflicts: openldap-devel Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl-devel %description -n openldap2-devel This package provides the OpenLDAP libraries, header files, and 
@@ -171,60 +207,75 @@ This package contains the OpenLDAP client libraries. %endif %prep -%setup -q -n openldap-%{version_main} -a1 -a2 -%patch1 -p1 +%setup -q -n openldap-%{version_main} %patch2 -p1 %patch3 -p1 -%patch4 -p1 +#%patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp %{SOURCE5} . %build -%{?suse_update_config:%{suse_update_config -f build}} -libtoolize --force -autoreconf -export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" +# %{?suse_update_config:%{suse_update_config -f build}} +#libtoolize --force +#autoreconf +# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" +export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" export STRIP="" -%configure \ - --localstatedir=%{_rundir}/slapd \ - --libexecdir=/usr/lib/openldap \ - --enable-wrappers \ +./configure \ + --prefix=/usr \ + --sysconfdir=%{_sysconfdir} \ + --libdir=%{_libdir} \ + --libexecdir=%{_libdir} \ + --localstatedir=%{_rundir} \ + --enable-wrappers=no \ --enable-spasswd \ --enable-modules \ --enable-shared \ --enable-dynamic \ - --with-tls \ + --with-tls=openssl \ --with-cyrus-sasl \ --enable-crypt \ --enable-ipv6=yes \ %if "%{name}" == "openldap2" --enable-aci \ - --enable-bdb \ - --enable-hdb \ + --enable-bdb=mod \ + --enable-hdb=mod \ --enable-rewrite \ - --enable-ldap=yes \ + --enable-ldap=mod \ --enable-meta=mod \ - --enable-monitor=yes \ + --enable-monitor=mod \ --enable-perl=mod \ + --enable-sock=mod \ --enable-sql=mod \ - --enable-mdb=yes \ + --enable-mdb=mod \ + --enable-relay=mod \ --enable-slp \ --enable-overlays=mod \ - --enable-syncprov=yes \ - --enable-ppolicy=yes \ + --enable-syncprov=mod \ + --enable-ppolicy=mod \ %else --disable-slapd \ %endif 
--enable-lmpasswd \ - --with-yielding-select + --with-yielding-select \ + || cat config.log make depend make %{?_smp_mflags} +%if "%{name}" == "openldap2" +# Build selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" +done +# One more level up needed because of passwd/sha2 +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB="" +%endif %check %if %run_test_suite 
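Review bot: The active `export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG ..."` no longer starts with `${RPM_OPT_FLAGS}`, unlike both the removed line and the commented copy directly above it, so the distribution's optimisation and (typically) hardening flags are silently dropped from this build; the first change I would make is `export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"`. `./configure ... || cat config.log` turns a failed configure into a successful command, after which `make depend` runs against a half-configured tree; use `|| { cat config.log; exit 1; }`. In %prep, `#%patch4 -p1` relies on rpm not acting on a `%patch` line behind `#`, and `#%%patch4 -p1` is the conventional safe form; `-DNDEBUG` additionally compiles out every assert in slapd and liblmdb, which deserves a one-line comment because it also decides whether the ITS#8336 patch has any effect.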
@@ -252,50 +303,67 @@ make SLAPD_DEBUG=0 test %endif %install -mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/ -mkdir -p $RPM_BUILD_ROOT/usr/sbin -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} -make STRIP="" DESTDIR=$RPM_BUILD_ROOT install -install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start -install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir} -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 -install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf -install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so* -install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif +mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/sbin +mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir} +make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +# Additional symbolic link to slapd executable in /usr/sbin/ +%if "%{name}" == "openldap2" +ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd +%endif +%if "%{name}" == "openldap2" +# Install selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +done +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +%endif +install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start +install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir} +mkdir -p 
${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d +mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2 +install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf +install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so* +install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif %if "%{name}" == "openldap2" %define DOCDIR %{_defaultdocdir}/%{name} -mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap -install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG -install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example -install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/ -install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap +mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates +install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap +install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap +install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG +install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example +install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/ +install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! 
-type d` rm -rf doc/guide/release -install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \ - $RPM_BUILD_ROOT/%{DOCDIR}/images \ - $RPM_BUILD_ROOT/%{DOCDIR}/drafts -install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide -install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images -install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts +install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/images \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts +install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide +install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images +install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts install -m 644 ANNOUNCEMENT \ COPYRIGHT \ LICENSE \ README \ CHANGES \ %{SOURCE5} \ - $RPM_BUILD_ROOT/%{DOCDIR} + ${RPM_BUILD_ROOT}/%{DOCDIR} install -m 644 servers/slapd/slapd.ldif \ - $RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default -rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example -rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README -rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif* -rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example + ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default +rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example +rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README +rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif* +rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples # Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO # /usr/sbin/service exists only since openSUSE 12.3: 
@@ -305,16 +373,15 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd %endif %endif -rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 +rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct -rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la +rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la #put filelists into files cat >openldap2.filelist <openldap2.filelist < openldap2-devel-static.filelist <<-EOF %_libdir/libldap*.a EOF cat > openldap2-back-perl.filelist < openldap2-back-sock.filelist < openldap2-back-meta.filelist < openldap2-back-sql.filelist < openldap2-contrib.filelist <openldap2-doc.filelist <&1 | grep -q on; then - touch /var/run/enable_slapd_service + touch %{_rundir}/enable_slapd_service fi %service_add_pre slapd.service @@ -467,7 +560,7 @@ fi %{fillup_only -n openldap ldap} %{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER} %service_add_post slapd.service -if [ -f /var/run/enable_slapd_service ]; then +if [ -f %{_rundir}/enable_slapd_service ]; then /usr/bin/systemctl --quiet enable slapd fi 
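Review bot: The flag file tested in the `@@ -467,7 +560,7 @@` hunk, `%{_rundir}/enable_slapd_service`, is never removed once `systemctl enable` has run, so for as long as it survives in the run directory every later upgrade re-enables the service; the twin `@@ -486,7 +560,7 @@` hunk in openldap2.spec has the same gap. Add `rm -f %{_rundir}/enable_slapd_service` directly after the `/usr/bin/systemctl --quiet enable slapd` line. The `%pre` counterpart that `touch`es this file now writes under `%{_rundir}` instead of `/var/run`; if that macro resolves to a package-private directory such as `/run/slapd` that does not yet exist when `%pre` runs, the `touch` fails silently and the sysv enable state is not carried over, so either create the directory first or keep the flag in a path that exists at `%pre` time.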
@@ -483,6 +576,9 @@ fi %files -n openldap2-back-perl -f openldap2-back-perl.filelist %defattr(-,root,root) +%files -n openldap2-back-sock -f openldap2-back-sock.filelist +%defattr(-,root,root) + %files -n openldap2-back-meta -f openldap2-back-meta.filelist %defattr(-,root,root) @@ -492,6 +588,9 @@ fi %files -n openldap2-doc -f openldap2-doc.filelist %defattr(-,root,root) +%files -n openldap2-contrib -f openldap2-contrib.filelist +%defattr(-,root,root) + %else %post -n libldap-2_4-2 -p /sbin/ldconfig diff --git a/openldap2.changes b/openldap2.changes index d854536..34efd1f 100644 --- a/openldap2.changes +++ b/openldap2.changes 
@@ -1,3 +1,35 @@ +------------------------------------------------------------------- +Tue Dec 8 11:36:16 UTC 2015 - michael@stroeder.com + +- Upgrade to upstream 2.4.43 release with accumulated bug fixes. +- Still build on SLES12 +- Loadable backend and overlay modules are now installed + into arch-specific path %{_libdir}/openldap +- All backends and overlays as modules for smaller memory footprint + on memory constrained systems +- Added extra package for back-sock +- Consequent use of %{_rundir} everywhere +- Rely on upstream ./configure script instead of any other + macro foo +- Dropped linking with libwrap +- Dropped 0004-libldap-use-gethostbyname_r.dif because this + work-around for nss_ldap is obsolete +- New sub-package openldap2-contrib with selected contrib/ overlays +- Replaced addonschema.tar.gz with separate schema sources +- Updated ldapns.schema from recent slapo-nssov source tree +- Added symbolic link to slapd executable in /usr/sbin/ +- Added more complex example configuration file + /etc/openldap/slapd.conf.example +- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap +- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap +- Added patch for OpenLDAP ITS#7796 to avoid excessive + "not index" logging +- Replaced openldap-rc.tgz with single source files +- Added soft dependency (Recommends) to cyrus-sasl +- Added soft dependency (Recommends) to cyrus-sasl-devel + to openldap2-devel +- Added patch for OpenLDAP ITS#8336 (assert in liblmdb) + ------------------------------------------------------------------- Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com diff --git a/openldap2.spec b/openldap2.spec index e9a91c9..53638f6 100644 --- a/openldap2.spec +++ b/openldap2.spec 
@@ -1,7 +1,7 @@
 #
 # spec file for package openldap2
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,52 +17,58 @@ %define run_test_suite 0 -%define version_main 2.4.42 +%define version_main 2.4.43 -%if ! %{defined _rundir} -%define _rundir %{_localstatedir}/run +%if %{suse_version} >= 1310 && %{suse_version} != 1315 +%define _rundir /run/slapd +%else +%define _rundir /var/run/slapd %endif Name: openldap2 Summary: The OpenLDAP Server License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Clients -Version: 2.4.42 +Version: %{version_main} Release: 0 Url: http://www.openldap.org Source: openldap-%{version_main}.tgz -Source1: openldap-rc.tgz -Source2: addonschema.tar.gz Source3: DB_CONFIG Source4: sasl-slapd.conf -Source5: README.dynamic-overlays +Source5: README.module-loading Source6: schema2ldif Source7: baselibs.conf -Patch1: 0001-build-adjustments.dif +Source9: ldapns.schema +Source10: rfc2307bis.schema +Source11: yast.schema +Source12: slapd.conf.example +Source13: start +Source14: slapd.service +Source15: SuSEfirewall2.openldap +Source16: sysconfig.openldap Patch2: 0002-slapd.conf.dif Patch3: 0003-LDAPI-socket-location.dif -Patch4: 0004-libldap-use-gethostbyname_r.dif +#Patch4: 0004-libldap-use-gethostbyname_r.dif Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif -Patch7: 0007-Recover-on-DB-version-change.dif -Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch -Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch +Patch10: openldap-re24-its7796.patch Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch +Patch12: openldap-re24-its8336.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff BuildRequires: libopenssl-devel BuildRequires: libtool +Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl %if "%{name}" == "openldap2" BuildRequires: db-devel BuildRequires: openslp-devel -BuildRequires: tcpd-devel BuildRequires: unixODBC-devel Conflicts: openldap -Requires: libldap-2_4-2 = 
%{version_main} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -%if 0%{?suse_version} >= 1140 +%if %{suse_version} >= 1310 && %{suse_version} != 1315 # avoid cycle with krb5 BuildRequires: krb5-mini BuildRequires: pkgconfig(systemd) @@ -70,7 +76,6 @@ BuildRequires: pkgconfig(systemd) %endif %else Conflicts: openldap-client -Requires: libldap-2_4-2 = %{version_main} %endif # For /usr/bin/strings Requires(pre): binutils @@ -78,10 +83,10 @@ Requires(pre): binutils %if "%{name}" == "openldap2" %description -The Lightweight Directory Access Protocol (LDAP) is used to access -online directory services. It runs directly over TCP and can be used to -access a stand-alone LDAP directory service or to access a directory -service that has an X.500 back-end. +OpenLDAP is a client and server reference implementation of the +Lightweight Directory Access Protocol v3 (LDAPv3). + +The server provides several database backends and overlays. %package -n openldap2-back-perl Summary: OpenLDAP Perl Back-End @@ -93,6 +98,16 @@ Requires: perl = %{perl_version} The OpenLDAP Perl back-end allows you to execute Perl code specific to different LDAP operations. +%package -n openldap2-back-sock +Summary: OpenLDAP Socket Back-End +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} +Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz + +%description -n openldap2-back-sock +The OpenLDAP socket back-end allows you to handle LDAP requests and +results with an external process listening on a Unix domain socket. + %package -n openldap2-back-meta Summary: OpenLDAP Meta Back-End Group: Productivity/Networking/LDAP/Servers 
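Review bot: The new `%if %{suse_version} >= 1310 && %{suse_version} != 1315` reads `suse_version` unguarded, whereas the line it replaces used `0%{?suse_version}`; on a build host where the macro is undefined the expression fails to parse and the build stops before `%prep`. Keep the guarded form, `%if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315`, in both places this hunk introduces it. Redefining the distribution's own `_rundir` macro to `/run/slapd` also silently changes what every other `%{_rundir}` reference in the file means, and the previous `%if ! %{defined _rundir}` guard that respected the distro value is gone; a package-private name such as `%define slapd_rundir /run/slapd` would make the intent visible and leave the stock macro alone.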
@@ -115,6 +130,25 @@ The primary purpose of this OpenLDAP backend is to present information stored in a Relational (SQL) Database as an LDAP subtree without the need to do any programming. +%package -n openldap2-contrib +Summary: OpenLDAP Contrib Modules +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} + +%description -n openldap2-contrib +Various overlays found in contrib/: +allop +allowed Generates attributes indicating access rights +autogroup +cloak +denyop +lastbind writes last bind timestamp to entry +noopsrch handles no-op search control +nops +pw-sha2 generates/validates SHA-2 password hashes +pw-pbkdf2 generates/validates PBKDF2 password hashes +smbk5pwd generates Samba3 password hashes (heimdal krb disabled) + %package -n openldap2-doc Summary: OpenLDAP Documentation Group: Documentation/Other @@ -126,6 +160,7 @@ BuildArch: noarch %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts + Authors: -------- The OpenLDAP Project @@ -145,6 +180,7 @@ Obsoletes: openldap2-devel-64bit # Conflicts: openldap-devel Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl-devel %description -n openldap2-devel This package provides the OpenLDAP libraries, header files, and 
@@ -171,61 +207,74 @@ This package contains the OpenLDAP client libraries. %endif %prep -%setup -q -n openldap-%{version_main} -a1 -a2 -%patch1 -p1 +%setup -q -n openldap-%{version_main} %patch2 -p1 %patch3 -p1 -%patch4 -p1 +#%patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp %{SOURCE5} . %build -%{?suse_update_config:%{suse_update_config -f build}} -libtoolize --force -autoreconf -export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" +# %{?suse_update_config:%{suse_update_config -f build}} +#libtoolize --force +#autoreconf +# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" +export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" export STRIP="" -%configure \ - --localstatedir=%{_rundir}/slapd \ - --libexecdir=/usr/lib/openldap \ - --enable-wrappers \ +./configure \ + --prefix=/usr \ + --sysconfdir=%{_sysconfdir} \ + --libdir=%{_libdir} \ + --libexecdir=%{_libdir} \ + --localstatedir=%{_rundir} \ + --enable-wrappers=no \ --enable-spasswd \ --enable-modules \ --enable-shared \ --enable-dynamic \ - --with-tls \ + --with-tls=openssl \ --with-cyrus-sasl \ --enable-crypt \ --enable-ipv6=yes \ %if "%{name}" == "openldap2" --enable-aci \ - --enable-bdb \ - --enable-hdb \ + --enable-bdb=mod \ + --enable-hdb=mod \ --enable-rewrite \ - --enable-ldap=yes \ + --enable-ldap=mod \ --enable-meta=mod \ - --enable-monitor=yes \ + --enable-monitor=mod \ --enable-perl=mod \ + --enable-sock=mod \ --enable-sql=mod \ - --enable-mdb=yes \ + --enable-mdb=mod \ + --enable-relay=mod \ --enable-slp \ --enable-overlays=mod \ - --enable-syncprov=yes \ - --enable-ppolicy=yes \ + --enable-syncprov=mod \ + --enable-ppolicy=mod \ %else --disable-slapd \ %endif 
--enable-lmpasswd \ - --with-yielding-select + --with-yielding-select \ + || cat config.log make depend make %{?_smp_mflags} %if "%{name}" == "openldap2" +# Build selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" +done +# One more level up needed because of passwd/sha2 +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB="" %endif %check 
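Review bot: The new `export CFLAGS="-Wno-format-extra-args ..."` no longer contains `${RPM_OPT_FLAGS}` (only the commented-out line above it does), and `%configure` is replaced by a bare `./configure`, so the distribution's optimisation and hardening compiler flags never reach this build; restore them with `export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"`. `-DNDEBUG` is also new here and compiles every `assert()` out of the server and liblmdb, which deserves a one-line comment given that the same commit adds a patch for an assert (ITS#8336). The trailing `|| cat config.log` turns a failed configure into a successful step, because the exit status the build sees is that of `cat`; use `|| { cat config.log; exit 1; }`. Finally, rpm expands macros inside comment lines, so `#%patch4 -p1` in `%prep` should be written `#%%patch4 -p1` to be truly inert.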
@@ -254,50 +303,67 @@ make SLAPD_DEBUG=0 test %endif %install -mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/ -mkdir -p $RPM_BUILD_ROOT/usr/sbin -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} -make STRIP="" DESTDIR=$RPM_BUILD_ROOT install -install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start -install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir} -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 -install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf -install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so* -install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif +mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/sbin +mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir} +make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +# Additional symbolic link to slapd executable in /usr/sbin/ +%if "%{name}" == "openldap2" +ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd +%endif +%if "%{name}" == "openldap2" +# Install selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +done +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +%endif +install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start +install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir} +mkdir -p 
${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d +mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2 +install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf +install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so* +install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif %if "%{name}" == "openldap2" %define DOCDIR %{_defaultdocdir}/%{name} -mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap -install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG -install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example -install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/ -install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap +mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates +install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap +install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap +install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG +install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example +install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/ +install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! 
-type d` rm -rf doc/guide/release -install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \ - $RPM_BUILD_ROOT/%{DOCDIR}/images \ - $RPM_BUILD_ROOT/%{DOCDIR}/drafts -install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide -install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images -install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts +install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/images \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts +install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide +install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images +install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts install -m 644 ANNOUNCEMENT \ COPYRIGHT \ LICENSE \ README \ CHANGES \ %{SOURCE5} \ - $RPM_BUILD_ROOT/%{DOCDIR} + ${RPM_BUILD_ROOT}/%{DOCDIR} install -m 644 servers/slapd/slapd.ldif \ - $RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default -rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example -rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README -rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif* -rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example + ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default +rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example +rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README +rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif* +rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples # Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO # /usr/sbin/service exists only since openSUSE 12.3: 
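Review bot: `install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap` places slapd.conf.example in the live configuration directory world-readable, while the file's own header (in the new slapd.conf.example hunk) states it SHOULD NOT be world readable; an administrator who copies it into place with `cp -p` inherits that mode, so install it `-m 640` or ship it under `%{DOCDIR}` as documentation. The `install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ...` and `rm -f ${RPM_BUILD_ROOT}/etc/openldap/...` lines still hard-code `/etc/openldap` while the neighbouring new lines use `%{_sysconfdir}/openldap`; they agree only because sysconfdir happens to be `/etc`. With `--localstatedir=%{_rundir}` (see the `@@ -171,61 +207,74 @@` hunk) upstream's default database directory becomes `%{_rundir}/openldap-data`, as the `rm -f .../openldap-data/DB_CONFIG.example` line here confirms; on systems where /run is tmpfs any database created with that default is lost at reboot, so the shipped slapd.conf must always set `directory /var/lib/ldap` explicitly.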
@@ -307,16 +373,15 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd %endif %endif -rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 +rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct -rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la +rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la #put filelists into files cat >openldap2.filelist <openldap2.filelist <openldap2.filelist <>openldap2.filelist < openldap2-client.filelist < openldap2-devel-static.filelist <<-EOF %_libdir/libldap*.a EOF cat > openldap2-back-perl.filelist < openldap2-back-sock.filelist < openldap2-back-meta.filelist < openldap2-back-sql.filelist < openldap2-contrib.filelist <openldap2-doc.filelist <&1 > /dev/null; -then - # create a backup of the schema shipped with 2.3 - # at least core.schema changed between 2.3 and 2.4 - TEMPDIR=`mktemp -d /etc/openldap/schema.backup.XXXXXX` - echo "Schema backup created in $TEMPDIR" - cp -p --remove-destination /etc/openldap/schema/* $TEMPDIR - echo $TEMPDIR > /etc/openldap/UPDATE_NEEDED ; -fi +/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || : if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then 
- touch /var/run/enable_slapd_service + touch %{_rundir}/enable_slapd_service fi %service_add_pre slapd.service @@ -486,7 +560,7 @@ fi %{fillup_only -n openldap ldap} %{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER} %service_add_post slapd.service -if [ -f /var/run/enable_slapd_service ]; then +if [ -f %{_rundir}/enable_slapd_service ]; then /usr/bin/systemctl --quiet enable slapd fi @@ -502,6 +576,9 @@ fi %files -n openldap2-back-perl -f openldap2-back-perl.filelist %defattr(-,root,root) +%files -n openldap2-back-sock -f openldap2-back-sock.filelist +%defattr(-,root,root) + %files -n openldap2-back-meta -f openldap2-back-meta.filelist %defattr(-,root,root) @@ -511,6 +588,9 @@ fi %files -n openldap2-doc -f openldap2-doc.filelist %defattr(-,root,root) +%files -n openldap2-contrib -f openldap2-contrib.filelist +%defattr(-,root,root) + %else %post -n libldap-2_4-2 -p /sbin/ldconfig diff --git a/rfc2307bis.schema b/rfc2307bis.schema new file mode 100644 index 0000000..e187de0 --- /dev/null +++ b/rfc2307bis.schema 
@@ -0,0 +1,288 @@ +# builtin +# +#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' +# DESC 'An integer uniquely identifying a user in an administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) + +# builtin +# +#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' +# DESC 'An integer uniquely identifying a group in an +# administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) 
+ +attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network as a dotted decimal, eg. 192.168, + omitting leading zeros' + SUP name + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, + omitting leading zeros' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress' + DESC 'MAC address in maximal, colon separated hex + notation, eg. 
00:00:92:90:ee:e2' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' + DESC 'rpc.bootparamd parameter' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile' + DESC 'Boot image name' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' + DESC 'Name of a A generic NIS map' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' + DESC 'A generic NIS entry' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' + DESC 'NIS public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' + DESC 'NIS secret key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' + DESC 'NIS domain' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + +attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' + DESC 'automount Map Name' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey' + DESC 'Automount Key value' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' + DESC 'Automount information' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY + DESC 'Abstraction of an account with POSIX attributes' + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( 
userPassword $ loginShell $ gecos $ + description ) ) + +objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY + DESC 'Additional attributes for shadow passwords' + MUST uid + MAY ( userPassword $ description $ + shadowLastChange $ shadowMin $ shadowMax $ + shadowWarning $ shadowInactive $ + shadowExpire $ shadowFlag ) ) + +objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY + DESC 'Abstraction of a group of accounts' + MUST gidNumber + MAY ( userPassword $ memberUid $ + description ) ) + +objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL + DESC 'Abstraction an Internet Protocol service. + Maps an IP port and protocol (such as tcp or udp) + to one or more names; the distinguished value of + the cn attribute denotes the services canonical + name' + MUST ( cn $ ipServicePort $ ipServiceProtocol ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + DESC 'Abstraction of an IP protocol. Maps a protocol number + to one or more names. The distinguished value of the cn + attribute denotes the protocols canonical name' + MUST ( cn $ ipProtocolNumber ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL + DESC 'Abstraction of an Open Network Computing (ONC) + [RFC1057] Remote Procedure Call (RPC) binding. + This class maps an ONC RPC number to a name. + The distinguished value of the cn attribute denotes + the RPC services canonical name' + MUST ( cn $ oncRpcNumber ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY + DESC 'Abstraction of a host, an IP device. The distinguished + value of the cn attribute denotes the hosts canonical + name. Device SHOULD be used as a structural class' + MUST ( cn $ ipHostNumber ) + MAY ( userPassword $ l $ description $ manager ) ) + +objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + DESC 'Abstraction of a network. 
The distinguished value of + the cn attribute denotes the networks canonical name' + MUST ipNetworkNumber + MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) + +objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + DESC 'Abstraction of a netgroup. May refer to other netgroups' + MUST cn + MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) + +objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL + DESC 'A generic abstraction of a NIS map' + MUST nisMapName + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL + DESC 'An entry in a NIS map' + MUST ( cn $ nisMapEntry $ nisMapName ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY + DESC 'A device with a MAC address; device SHOULD be + used as a structural class' + MAY macAddress ) + +objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY + DESC 'A device with boot parameters; device SHOULD be + used as a structural class' + MAY ( bootFile $ bootParameter ) ) + +objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY + DESC 'An object with a public and secret key' + MUST ( cn $ nisPublicKey $ nisSecretKey ) + MAY ( uidNumber $ description ) ) + +objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY + DESC 'Associates a NIS domain with a naming context' + MUST nisDomain ) + +objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL + MUST ( automountMapName ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL + DESC 'Automount information' + MUST ( automountKey $ automountInformation ) + MAY description ) +## namedObject is needed for groups without members +objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top + STRUCTURAL MAY cn ) + diff --git a/slapd.conf.example b/slapd.conf.example new file mode 100644 index 0000000..7fa15c7 --- /dev/null +++ b/slapd.conf.example 
@@ -0,0 +1,354 @@
+############################################################################
+# See slapd.conf(5) for details on configuration options.
+# This file SHOULD NOT be world readable.
+#
+# Important note:
+# You surely have to adjust some settings to meet your (security)
+# requirements.
+# At least you should replace suffix "dc=example,dc=com" by
+# something meaningful for your setup.
+# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
+# KDC then you MUST add decent ACLs for protecting user credentials!
+#
+# Read the man pages before changing something!
+#
+# You can debug the config by running (as root while slapd stopped):
+# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
+############################################################################
+
+#---------------------------------------------------------------------------
+# slapd global parameters
+#---------------------------------------------------------------------------
+
+# serverID must be unique across all provider replicas
+# for using multi-master replication (MMR)
+serverID 99
+
+# only alter this when you know what you're doing
+#threads 4
+
+# Run-time files
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+# for more debugging set:
+#loglevel config stats stats2
+loglevel stats
+
+#---------------------------------------------------------------------------
+# Load runtime loadable modules
+#---------------------------------------------------------------------------
+
+# Load additional backend modules installed by package 'openldap2'
+# The following backends are statically built-in and therefore don't have
+# to be loaded here:
+# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
+#moduleload back_
+#moduleload back_
+#moduleload back_mdb
+#moduleload back_meta
+#moduleload back_sock
+
+# Load additional overlay modules installed by package 'openldap2'
+# The following overlay
are statically built-in and therefore don't have
+# to be loaded here:
+# ppolicy, syncprov
+#moduleload accesslog
+#moduleload constraint
+#moduleload dds
+#moduleload deref
+#moduleload dynlist
+#moduleload memberof
+moduleload refint
+#moduleload sssvlv
+#moduleload translucent
+moduleload unique
+#moduleload valsort
+
+# Load additional overlay modules installed by package 'openldap2-contrib'
+#moduleload allowed
+#moduleload lastbind
+#moduleload noopsrch
+#moduleload pw-pbkdf2
+#moduleload pw-sha2
+#moduleload smbk5pwd
+
+#---------------------------------------------------------------------------
+# Include schema files
+#---------------------------------------------------------------------------
+
+# Schema files installed by package 'openldap2'
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/ppolicy.schema
+#include /etc/openldap/schema/yast.schema
+
+# Schema file installed by package 'dhcp-server'
+#include /etc/openldap/schema/dhcp.schema
+
+# Schema file installed by package 'samba'
+#include /etc/openldap/schema/samba3.schema
+
+# Schema file installed by package 'krb5-plugin-kdb-ldap'
+#include /usr/share/doc/packages/krb5/kerberos.schema
+
+#---------------------------------------------------------------------------
+# Transport Layer Security (TLS) configuration
+#---------------------------------------------------------------------------
+
+# require at least TLS 1.0 and highly secure ciphers
+#TLSProtocolMin 3.1
+#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
+
+# TLS certificate and key files
+#TLSCACertificateFile /etc/ssl/ca-bundle.pem
+#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
+#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
+
+# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
+#TLSDHParamFile /etc/openldap/ssl.key/dhparam
+
+#---------------------------------------------------------------------------
+# Password hashing
+#---------------------------------------------------------------------------
+
+#password-hash {CRYPT}
+# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
+#password-crypt-salt-format "$6$%.12s"
+
+#---------------------------------------------------------------------------
+# Security requirements
+#---------------------------------------------------------------------------
+
+#disallow bind_anon
+#require bind LDAPv3 strong
+
+# SSF value for ldapi://
+localSSF 256
+
+# minimum required SSF value (security strength factor)
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+#security ssf=128 update_ssf=256 simple_bind=128
+security ssf=0
+
+#---------------------------------------------------------------------------
+# Global access control (ACLs)
+#---------------------------------------------------------------------------
+
+# Root DSE: allow anyone to read it
+access to
+ dn.base=""
+ by * read
+
+# Sub schema sub entry: allow anyone to read it
+access to
+ dn.base="cn=Subschema"
+ by * read
+
+#---------------------------------------------------------------------------
+# Authz-DN mappings
+#---------------------------------------------------------------------------
+
+# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
+# System user root is mapped to the rootdn in database dc=example,dc=com
+# which has also read access on config and monitor databases
+authz-regexp
+ "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+ "cn=root,dc=example,dc=com"
+
+# Map local system user to LDAP entry
+# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
+authz-regexp
+
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
+ "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
+
+# this maps the attribute uid to a LDAP entry
+# if one of the typical password-based SASL mechs was used
+authz-regexp
+ "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
+ "ldap:///dc=example,dc=com??sub?(uid=$1)"
+
+# this maps the attribute uid to a LDAP entry
+# if one of the Kerberos based SASL mechs was used
+#authz-regexp
+# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
+# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
+
+# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
+#authz-regexp
+# "(.+)"
+# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
+
+
+#===========================================================================
+# Database specific configuration sections below
+# Required order of databases:
+# config (first), ...others..., monitor (last)
+#===========================================================================
+
+
+#---------------------------------------------------------------------------
+# cn=config // Configuration database (always first!)
+# see slapd-config(5)
+#---------------------------------------------------------------------------
+
+database config
+
+# Cleartext passwords, especially for the rootdn, should
+# be avoid! See slappasswd(8) and slapd.conf(5) for details.
+# Best thing is not to set rootpw at all!
+# For local config access by root use LDAPI with SASL/EXTERNAL instead
+# (see above).
+#rootpw secret
+
+access to
+ dn.subtree="cn=config"
+ by dn.exact="cn=root,dc=example,dc=com" manage
+ by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
+ by * none
+
+
+#---------------------------------------------------------------------------
+# dc=example,dc=com // Example MDB database to be used by normal clients
+# see slapd-mdb(5)
+#---------------------------------------------------------------------------
+
+database mdb
+
+suffix "dc=example,dc=com"
+
+# rootdn has to be set for overlays' internal operations
+rootdn "cn=root,dc=example,dc=com"
+
+# Cleartext passwords, especially for the rootdn, should
+# be avoid! See slappasswd(8) and slapd.conf(5) for details.
+# Best thing is not to set rootpw at all!
+rootpw secret
+
+# The database directory MUST exist prior to running slapd and
+# SHOULD only be accessible by the slapd user 'ldap'.
+# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
+directory /var/lib/ldap/example-db
+
+# Permissions of database files created
+mode 0600
+
+# extra information to be available in cn=monitor for this database
+monitoring on
+
+# Perform ACL checks on the content of a new entry being added
+add_content_acl on
+
+# backend-specific database parameters
+checkpoint 1024 5
+# 100 MB (you can raise the limit later)
+maxsize 104857600
+
+# Indices to maintain
+#
+# Whenever you change indexing configuration you have to re-run slapindex
+# while slapd being stopped!
+# Don't forget to fix ownership/permissions of newly generated index files
+# afterwards!
+
+# set always!
+index objectClass eq
+
+# for typical address book use
+index cn,sn,givenName,mail eq,sub
+
+# for user management
+index uid,uidNumber,gidNumber eq
+
+# for authz-regexp mapping of Kerberos principal name
+#index krbPrincipalName,krbPrincipalAlias eq
+
+# for authz-regexp mapping of client cert subject DNs
+#index seeAlso eq
+
+# for syncrepl
+index entryUUID,entryCSN eq
+
+# access control lists (ACLs) for dc=example,dc=com
+# see slapd.access(5) for details on access control lists (ACLs)
+
+# full read access also to 'userPassword' for group of replicas
+# and control is forwarded to subsequent ACLs
+access to
+ dn.subtree=dc=example,dc=com
+ by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
+ by * break
+
+# write-only access to 'userPassword' for user, auth access else
+access to
+ attrs=userPassword
+ by self =w
+ by * auth
+
+# 'userPKCS' must only be accessible by self
+access to
+ attrs=userPKCS12
+ by self write
+ by * none
+
+# No access to history of passwords
+#access to
+# attrs=pwdHistory
+# by * none
+
+# Catch-all ACL for the rest
+access to
+ dn.subtree=dc=example,dc=com
+ by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
+ by self read
+ by users read
+ by * auth
+
+# see slapo-ppolicy(5)
+overlay ppolicy
+# Default password policy entry
+#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
+# Hash clear-text userPassword values sent in with add/modify operations
+#ppolicy_hash_cleartext
+# Return AccountLocked error code to client
+#ppolicy_use_lockout
+
+# see slapo-refint(5)
+overlay refint
+refint_attributes member seeAlso
+refint_nothing cn=dummy
+
+# Check sub-tree wide uniqueness of certain attributes
+# see slapo-unique(5)
+# you have to add eq-index for efficient uniqueness check!
+# Note that filter part is currently ignored because of OpenLDAP ITS#6825
+overlay unique
+unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
+unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
+#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
+#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
+#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
+#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
+
+#overlay syncprov
+#mirrormode on
+
+
+#---------------------------------------------------------------------------
+# cn=monitor // Monitoring database (always last!)
+# see slapd-monitor(5)
+#---------------------------------------------------------------------------
+
+database monitor
+
+access to
+ dn.subtree="cn=monitor"
+ by dn.exact="cn=root,dc=example,dc=com" write
+ by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
+ by users read
diff --git a/slapd.service b/slapd.service
new file mode 100644
index 0000000..81ba83d
--- /dev/null
+++ b/slapd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/lib/openldap/start
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/start b/start
new file mode 100644
index 0000000..e4aaf0e
--- /dev/null
+++ b/start
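Review bot: The example mdb database section ships with an active cleartext `rootpw secret`, directly under the comment that says the best thing is not to set rootpw at all, while the `database config` section in the same hunk correctly leaves `#rootpw secret` commented out; an installation that copies this file unmodified gets a directory whose rootdn binds with a well-known password on the `ldap:///` listener the sysconfig defaults open. Comment it out as in the config section, `#rootpw secret`, or replace it with a slappasswd(8) hash, since the rootdn is only declared here "for overlays' internal operations". The header states the file should not be world-readable, but nothing visible in this patch sets a mode on the installed file, so until an admin fixes permissions by hand every local user can read whatever rootpw ends up in it. Separately, `security ssf=0` combined with all TLS directives commented out means simple binds cross the wire in the clear; the `#TLSProtocolMin` and `#TLSCipherSuite` lines should be enabled together with the certificate lines, and `3.1` (TLS 1.0) is a weak floor for a new default — I would ship `#TLSProtocolMin 3.3` (TLS 1.2) as the commented template.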
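Review bot: `Type=forking` in [Service] is declared without a `PIDFile=`, so systemd has to guess slapd's main process after `/usr/lib/openldap/start` execs it and it detaches; the shipped slapd.conf.example sets `pidfile /var/run/slapd/slapd.pid` and the start script creates that directory, so `PIDFile=/var/run/slapd/slapd.pid` is the natural addition (assuming the packaged config keeps that path). `After=syslog.target` is a legacy target with no effect under systemd and can be dropped. When `OPENLDAP_LDAP_INTERFACES` pins slapd to specific addresses, `network.target` does not guarantee those addresses are configured yet; `Wants=network-online.target` plus `After=network-online.target` is the documented way to order on that. A new unit is also the place to add basic hardening such as `PrivateTmp=yes` and `ProtectSystem=full`, which the old init script could not express.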
@@ -0,0 +1,208 @@
+#! /bin/sh
+# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
+# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
+# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# Author: Carsten Hoeger
+ Ralf Haferkamp
+#
+# /etc/init.d/ldap
+#
+### BEGIN INIT INFO
+# Provides: ldap
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: OpenLDAP Server (slapd)
+# Description: Start and Stop the OpenLDAP Server (slapd) to
+# provide LDAP directory services.
+### END INIT INFO
+
+# Determine the base and follow a runlevel link name.
+base=${0##*/}
+link=${base#*[SK][0-9][0-9]}
+
+test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
+
+SLAPD_BIN=/usr/sbin/slapd
+LDAP_URLS=""
+LDAPS_URLS=""
+LDAPI_URLS=""
+SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
+SLAPD_PID_DIR="/var/run/slapd/"
+
+test -x $SLAPD_BIN || exit 5
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_failed set local and overall rc status to
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+.
/etc/rc.status
+
+# First reset status of this service
+rc_reset
+
+function init_ldap_listener_urls(){
+ case "$OPENLDAP_START_LDAP" in
+ [Yy][Ee][Ss])
+ if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
+ then
+ for iface in $OPENLDAP_LDAP_INTERFACES ;do
+ LDAP_URLS="$LDAP_URLS ldap://$iface"
+ done
+ else
+ LDAP_URLS="ldap:///"
+ fi
+ ;;
+ esac
+}
+
+function init_ldapi_listener_urls(){
+ case "$OPENLDAP_START_LDAPI" in
+ [Yy][Ee][Ss])
+ if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
+ then
+ for iface in $OPENLDAP_LDAPI_INTERFACES ;do
+ esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
+ LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
+ done
+ else
+ LDAPI_URLS="ldapi:///"
+ fi
+ ;;
+ esac
+}
+
+function init_ldaps_listener_urls(){
+ case "$OPENLDAP_START_LDAPS" in
+ [Yy][Ee][Ss])
+ if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
+ then
+ for iface in $OPENLDAP_LDAPS_INTERFACES ;do
+ LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
+ done
+ else
+ LDAPS_URLS="ldaps:///"
+ fi
+ ;;
+ esac
+}
+
+function check_connection(){
+ SLAPD_TIMEOUT=10
+ START=$( date +%s)
+ while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
+ ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
+ LDAPSEARCH_RC=$?
+ if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
+ else sleep 1
+ fi
+ done
+}
+
+depth=0;
+
+function chown_database_dirs_bconfig() {
+ ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
+ for dir in $ldapdir; do
+ [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
+ chown -R $OPENLDAP_USER $dir 2>/dev/null
+ [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
+ chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
+ done
+}
+
+function chown_database_dirs() {
+ ldapdir=`grep ^directory $1 | awk '{print $2}'`
+ for dir in $ldapdir; do
+ [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
+ chown -R $OPENLDAP_USER $dir 2>/dev/null
+ [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
+ chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
+ done
+ includes=`grep ^include $1 | awk '{print $2}'`
+ if [ $depth -le 50 ]; then
+ depth=$(( $depth + 1 ));
+ for i in $includes; do
+ chown_database_dirs "$i" ;
+ done
+ fi
+}
+
+USER_CMD=""
+GROUP_CMD=""
+[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
+[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
+[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
+
+
+if [ -f /etc/openldap/UPDATE_NEEDED ]; then
+ rc_failed 6
+ echo " The configuration of your LDAP server needs to be updated."
+ echo " Please see /usr/share/doc/packages/openldap2/README.update"
+ echo " for details."
+ echo " After the update please remove the file:"
+ echo " /etc/openldap/UPDATE_NEEDED"
+ rc_status -v
+ exit
+fi
+# chown backend directories if OPENLDAP_CHOWN_DIRS ist set
+if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
+ if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
+ if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
+ chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
+ chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
+ chown_database_dirs_bconfig "/etc/openldap/slapd.d"
+ # assume back-config usage if slapd.conf is not present but slapd.d is
+ elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
+ chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
+ chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
+ chown_database_dirs_bconfig "/etc/openldap/slapd.d"
+ else
+ chown_database_dirs "/etc/openldap/slapd.conf"
+ chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
+ fi
+ if test -f /etc/sasl2/slapd.conf ; then
+ chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
+ chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
+ fi
+ if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
+ keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
+ if test -f $keytabfile ; then
+ chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null
+ chmod g+r $keytabfile 2>/dev/null
+ fi
+ fi
+ fi
+fi
+if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
+ export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
+fi
+case "$OPENLDAP_REGISTER_SLP" in
+ [Yy][Ee][Ss])
+ SLAPD_SLP_REG="-o slp=on"
+ ;;
+ *)
+ SLAPD_SLP_REG="-o slp=off"
+ ;;
+esac
+
+init_ldap_listener_urls
+init_ldapi_listener_urls
+init_ldaps_listener_urls
+
+if [ ! -d $SLAPD_PID_DIR ]; then
+ mkdir -p $SLAPD_PID_DIR
+ chown ldap:ldap $SLAPD_PID_DIR
+fi
+echo -n "Starting ldap-server"
+exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
+ $SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
+ $OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG
+
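Review bot: The back-config auto-detection in the OPENLDAP_CHOWN_DIRS block, `elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then`, tests a non-empty string literal rather than the directory, so the branch is taken whenever slapd.conf is absent even if slapd.d does not exist; it should read `elif [ ! -f /etc/openldap/slapd.conf -a -d /etc/openldap/slapd.d ]; then`. That detection also never reaches the launch line: `SLAPD_CONFIG_ARG` is chosen earlier solely from `OPENLDAP_CONFIG_BACKEND`, so with the sysconfig default of "" slapd is still started with `-f /etc/openldap/slapd.conf` even when this branch just concluded the host uses slapd.d. The pid directory is created with a hard-coded `chown ldap:ldap $SLAPD_PID_DIR` while every other ownership change uses `$OPENLDAP_USER`/`$OPENLDAP_GROUP`; use the variables there too. The slapd.conf branch runs `chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf` but, unlike the /etc/sasl2/slapd.conf case right below it, never tightens the mode, so a world-readable slapd.conf (which in the shipped example carries `rootpw secret`) stays world-readable; add `chmod 640 /etc/openldap/slapd.conf 2>/dev/null` next to the chgrp. Finally, the script runs under `#! /bin/sh` but relies on bash-only `function`, `&>/dev/null` and `${OPENLDAP_KRB5_KEYTAB/#FILE:/}`, and `check_connection` is defined but never called; either drop it and switch to POSIX forms or change the shebang to `#!/bin/bash` so the dependency is explicit.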
diff --git a/sysconfig.openldap b/sysconfig.openldap
new file mode 100644
index 0000000..e690678
--- /dev/null
+++ b/sysconfig.openldap
@@ -0,0 +1,158 @@
+## Path: Network/LDAP
+## Description: Basic Configuration of the OpenLDAP Directory Server
+
+## Type: yesno
+## Default: yes
+## ServiceRestart: ldap
+#
+# If set to "no" the LDAP server will not accept any "normal" LDAP connections
+# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
+# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
+# "yes".
+#
+OPENLDAP_START_LDAP="yes"
+
+## Type: yesno
+## Default: no
+## ServiceRestart: ldap
+#
+# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
+# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
+# to the /etc/openldap/slapd.conf (man slapd.conf).
+# Note: Don't confuse this with "START_TLS", the preferred method for
+# making encrypted LDAP connections, which is enabled as soon as You
+# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
+# file
+#
+OPENLDAP_START_LDAPS="no"
+
+## Type: yesno
+## Default: no
+## ServiceRestart: ldap
+#
+# If set to "yes", "ldap over IPC" feature of slapd will be enabled.
+# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
+# Default: no
+#
+OPENLDAP_START_LDAPI="yes"
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# If not empty, additional parameters for slapd daemon.
+# Default: ""
+#
+OPENLDAP_SLAPD_PARAMS=""
+
+## Type: string
+## Default: ldap
+## ServiceRestart: ldap
+#
+# specifies a user, as which the openldap server should be executed
+# Default: ldap
+#
+OPENLDAP_USER="ldap"
+
+## Type: string
+## Default: ldap
+## ServiceRestart: ldap
+#
+# specifies a group, as which the openldap server should be executed
+# Default: ldap
+#
+OPENLDAP_GROUP="ldap"
+
+## Type: yesno
+## Default: yes
+## ServiceRestart: ldap
+#
+# If set to "yes" the init scripts will change the owner/group of the
+# different backend database directories (e.g.
/var/lib/ldap) to the
+# user/group specified above
+#
+OPENLDAP_CHOWN_DIRS="yes"
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Use this to specify the interfaces that the server such accept
+# LDAP connections from. The values are specified in the format
+#
:, where address is an IP address and port is the
+# portnumber, the daemon should listen to (defaulting to 389). If this
+# parameter is empty the server will attach to all interfaces. This
+# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
+# "yes"
+# Default: ""
+#
+OPENLDAP_LDAP_INTERFACES=""
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Use this to specify the interfaces that the server such accept
+# LDAPS connections from. The values are specified in the format
+#
:, where address is an IP address and port is the
+# portnumber, the daemon should listen to (defaulting to 636). If this
+# parameter is empty the server will attach to all interfaces. This
+# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
+# "yes"
+# Default: ""
+#
+OPENLDAP_LDAPS_INTERFACES=""
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Use this to specify the paths of the Unix Domain Sockets that
+# the server should create an accept incoming LDAPI connections
+# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
+# is set to "yes".
+# Default: ""
+#
+OPENLDAP_LDAPI_INTERFACES=""
+
+## Type: yesno
+## Default: "yes"
+## ServiceRestart: ldap
+#
+# If set to "no" the LDAP server will not try itself at a running SLP
+# daemon.
+# Default: "yes"
+#
+OPENLDAP_REGISTER_SLP="no"
+
+## Type: string
+## Default: ""
+## ServiceRestart: ldap
+#
+# Set this to the name of the keytab, if you want to use a non-default
+# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
+# this file will be changed so that the group OPENLDAP_GROUP has read
+# access to the file.
+# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
+# Default: ""
+#
+OPENLDAP_KRB5_KEYTAB=""
+
+## Type: string
+## Default: "files"
+## ServiceRestart: ldap
+#
+# Here you can configure which of the configuration backends you want to
+# use. Possible values are "files" for slapd.conf(5) styleconfiguration or
+# "ldap" for the slapd-config(5) LDAP based configuration backend.
+#
+OPENLDAP_CONFIG_BACKEND=""
+
+## Type: yesno
+## Default: "yes"
+## ServiceRestart: ldap
+#
+# Here you can configure if the slapd shall start with or without memory limit.
+#
+OPENLDAP_MEMORY_LIMIT="yes"
+
diff --git a/yast.schema b/yast.schema
new file mode 100644
index 0000000..99a4ffb
--- /dev/null
+++ b/yast.schema
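Review bot: Several `## Default:` headers disagree with the values the file actually ships: `OPENLDAP_START_LDAPI` is documented as default no (twice) but set to "yes", `OPENLDAP_REGISTER_SLP` is documented as default "yes" but set to "no", and `OPENLDAP_CONFIG_BACKEND` is documented as default "files" but set to "" (the `start` script in this patch treats anything other than "ldap" as slapd.conf, so it works, but set it to "files" so the value matches its own documentation). `OPENLDAP_MEMORY_LIMIT="yes"` is not referenced anywhere in the `start` script added by this patch, so as far as this package is concerned the knob is dead; either wire it up or drop the variable rather than shipping a setting that does nothing. The format lines for `OPENLDAP_LDAP_INTERFACES` and `OPENLDAP_LDAPS_INTERFACES` appear to have lost their address/port placeholder (they read `#` followed by `:, where address is ...`), presumably an angle-bracket placeholder that was eaten; spell it without brackets, e.g. `# ADDRESS:PORT, where ADDRESS is an IP address and PORT is the`. Wording nits in the same hunk: "the interfaces that the server such accept" should be "should accept", "will not try itself at a running SLP daemon" should be "will not register itself with a running SLP daemon", "create an accept" should be "create and accept", and the keytab example is missing its closing quote.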
@@ -0,0 +1,202 @@
+## Some macros
+objectidentifier SUSE 1.3.6.1.4.1.7057
+objectidentifier SUSE.YaST SUSE:10.1
+objectidentifier SUSE.YaST.ModuleConfig SUSE:10.1.2
+objectidentifier SUSE.YaST.ModuleConfig.OC SUSE.YaST.ModuleConfig:1
+objectidentifier SUSE.YaST.ModuleConfig.Attr SUSE.YaST.ModuleConfig:2
+
+# Attributes
+
+# deprecated
+#
+#attributetype ( SUSE.YaST.ModuleConfig.Attr:1 NAME ( 'userConfigDn' )
+# DESC 'Where is the configuration for user management stored'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:2 NAME ( 'suseDefaultBase' )
+ DESC 'Base DN where new Objects should be created by default'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:3 NAME ( 'suseNextUniqueId' )
+ DESC 'Next unused unique ID, can be used to generate directory wide uniqe IDs'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:4 NAME ( 'suseMinUniqueId' )
+ DESC 'lower Border for Unique IDs'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:5 NAME ( 'suseMaxUniqueId' )
+ DESC 'upper Border for Unique IDs'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:6 NAME ( 'suseDefaultTemplate' )
+ DESC 'The DN of a template that should be used by default'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:7 NAME ( 'suseSearchFilter' )
+ DESC 'Search filter to localize Objects'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+
+# deprecated
+#
+#attributetype ( SUSE.YaST.ModuleConfig.Attr:8 NAME (
'DefaultObjectClass' )
+# DESC 'ObjectClass that new Objects should use'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+#attributetype ( SUSE.YaST.ModuleConfig.Attr:9 NAME ( 'suseRequiredAttribute' )
+# DESC ''
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+#attributetype ( SUSE.YaST.ModuleConfig.Attr:10 NAME ( 'allowedAttribute' )
+# DESC ''
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:11 NAME ( 'suseDefaultValue' )
+ DESC 'an Attribute-Value-Assertions to define defaults for specific Attributes'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:12 NAME ( 'suseNamingAttribute' )
+ DESC 'AttributeType that should be used as the RDN'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:15 NAME ( 'suseSecondaryGroup' )
+ DESC 'seconday group DN'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:16 NAME ( 'suseMinPasswordLength' )
+ DESC 'minimum Password length for new users'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:17 NAME ( 'suseMaxPasswordLength' )
+ DESC 'maximum Password length for new users'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:18 NAME ( 'susePasswordHash' )
+ DESC 'Hash method to use for new users'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:19 NAME ( 'suseSkelDir' )
+ DESC ''
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype (
SUSE.YaST.ModuleConfig.Attr:20 NAME ( 'susePlugin' )
+ DESC 'plugin to use upon user/ group creation'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:21 NAME ( 'suseMapAttribute' )
+ DESC ''
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:22 NAME ( 'suseImapServer' )
+ DESC ''
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:23 NAME ( 'suseImapAdmin' )
+ DESC ''
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:24 NAME ( 'suseImapDefaultQuota' )
+ DESC ''
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+attributetype ( SUSE.YaST.ModuleConfig.Attr:25 NAME ( 'suseImapUseSsl' )
+ DESC ''
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+# ObjectClasses
+objectClass ( SUSE.YaST.ModuleConfig.OC:2 NAME 'suseModuleConfiguration'
+ SUP top STRUCTURAL
+ DESC 'Contains configuration of Management Modules'
+ MUST ( cn )
+ MAY ( suseDefaultBase ))
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:3 NAME 'suseUserConfiguration'
+ SUP suseModuleConfiguration STRUCTURAL
+ DESC 'Configuration of user management tools'
+ MAY ( suseMinPasswordLength $ suseMaxPasswordLength $
+ susePasswordHash $ suseSkelDir $ suseNextUniqueId $ suseMinUniqueId $
+ suseMaxUniqueId $ suseDefaultTemplate $ suseSearchFilter $
+ suseMapAttribute ))
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:4 NAME 'suseObjectTemplate'
+ SUP top STRUCTURAL
+ DESC 'Base Class for Object-Templates'
+ MUST ( cn )
+ MAY ( susePlugin $ suseDefaultValue $ suseNamingAttribute ))
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:5 NAME 'suseUserTemplate'
+ SUP suseObjectTemplate STRUCTURAL
+ DESC 'User object template'
+ MUST ( cn )
+ MAY ( suseSecondaryGroup ))
+
+objectClass (
SUSE.YaST.ModuleConfig.OC:6 NAME 'suseGroupTemplate'
+ SUP suseObjectTemplate STRUCTURAL
+ DESC 'Group object template'
+ MUST ( cn ))
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:7 NAME 'suseGroupConfiguration'
+ SUP suseModuleConfiguration STRUCTURAL
+ DESC 'Configuration of user management tools'
+ MAY ( suseNextUniqueId $ suseMinUniqueId $ suseMaxUniqueId $
+ suseDefaultTemplate $ suseSearchFilter $ suseMapAttribute ))
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:8 NAME 'suseCaConfiguration'
+ SUP suseModuleConfiguration STRUCTURAL
+ DESC 'Configuration of CA management tools')
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:9 NAME 'suseDnsConfiguration'
+ SUP suseModuleConfiguration STRUCTURAL
+ DESC 'Configuration of mail server management tools')
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:10 NAME 'suseDhcpConfiguration'
+ SUP suseModuleConfiguration STRUCTURAL
+ DESC 'Configuration of DHCP server management tools')
+
+objectClass ( SUSE.YaST.ModuleConfig.OC:11 NAME 'suseMailConfiguration'
+ SUP suseModuleConfiguration STRUCTURAL
+ DESC 'Configuration of IMAP user management tools'
+ MUST ( suseImapServer $ suseImapAdmin $ suseImapDefaultQuota $
+ suseImapUseSsl ))
+
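Review bot: Two DESC strings in the new object classes are copy-paste leftovers: `suseDnsConfiguration` (OC:9) is described as 'Configuration of mail server management tools' and `suseGroupConfiguration` (OC:7) as 'Configuration of user management tools'; they should read `DESC 'Configuration of DNS server management tools'` and `DESC 'Configuration of group management tools'`. Several attribute types ship with an empty `DESC ''` (suseSkelDir, suseMapAttribute and the suseImap* attributes), which is legal but leaves anyone reading the subschema with no idea what they hold; a one-line description each would be worth adding. Minor typos in the hunk: 'uniqe IDs' and 'seconday group DN'.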