diff --git a/0003-LDAPI-socket-location.dif b/0003-LDAPI-socket-location.dif deleted file mode 100644 index 1e4a3d6..0000000 --- a/0003-LDAPI-socket-location.dif +++ /dev/null @@ -1,24 +0,0 @@ -From 82e121e47976ba0058733976b1c5428a6ee33c31 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 16 Jun 2010 14:06:42 +0200 -Subject: LDAPI socket location - - - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/include/ldap_defaults.h b/include/ldap_defaults.h -index 3e0d4b2..5235339 100644 ---- a/include/ldap_defaults.h -+++ b/include/ldap_defaults.h -@@ -39,7 +39,7 @@ - #define LDAP_ENV_PREFIX "LDAP" - - /* default ldapi:// socket */ --#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" -+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi" - - /* - * SLAPD DEFINITIONS --- -1.7.1 - diff --git a/0004-libldap-use-gethostbyname_r.dif b/0004-libldap-use-gethostbyname_r.dif deleted file mode 100644 index d93e054..0000000 --- a/0004-libldap-use-gethostbyname_r.dif +++ /dev/null @@ -1,33 +0,0 @@ -From 21d21f0d9aed8876722748ef8ba92f75dbcdc771 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 16 Jun 2010 14:08:03 +0200 -Subject: libldap use gethostbyname_r - - - 1 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c -index 0704f9a..50a3389 100644 ---- a/libraries/libldap/util-int.c -+++ b/libraries/libldap/util-int.c -@@ -52,7 +52,7 @@ extern int h_errno; - #ifndef LDAP_R_COMPILE - # undef HAVE_REENTRANT_FUNCTIONS - # undef HAVE_CTIME_R --# undef HAVE_GETHOSTBYNAME_R -+/* # undef HAVE_GETHOSTBYNAME_R */ - # undef HAVE_GETHOSTBYADDR_R - - #else -@@ -330,7 +330,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) - #define BUFSTART (1024-32) - #define BUFMAX (32*1024-32) - --#if defined(LDAP_R_COMPILE) -+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) - static char *safe_realloc( char **buf, int len ); - - #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) --- -1.7.1 - diff --git a/Syncprov-might-lose-deletes-ITS-6555.dif b/Syncprov-might-lose-deletes-ITS-6555.dif new file mode 100644 index 0000000..9e0bd94 --- /dev/null +++ b/Syncprov-might-lose-deletes-ITS-6555.dif @@ -0,0 +1,38 @@ +From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001 +From: ralf +Date: Thu, 20 May 2010 15:08:28 +0000 +Subject: Syncprov might lose deletes (ITS#6555) + +During the refresh phase the sync filter needs to be adjusted (skipping +the "(entrycsn>=cookie)" part that was inserted) when checking whether a +change needs to be replicated, otherwise we lose DELETES that happen during +the refresh phase. + +bnc#606294 + + 1 files changed, 9 insertions(+), 1 deletions(-) + +diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c +index 675568e..030edf5 100644 +--- a/servers/slapd/overlays/syncprov.c ++++ b/servers/slapd/overlays/syncprov.c +@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit ) + op2.o_hdr = &oh; + op2.o_extra = op->o_extra; + op2.o_callback = NULL; +- rc = test_filter( &op2, e, ss->s_op->ors_filter ); ++ ldap_pvt_thread_mutex_lock( &ss->s_mutex ); ++ if (ss->s_flags & PS_FIX_FILTER) { ++ /* Skip the AND/GE clause that we stuck on in front. We ++ would lose deletes/mods that happen during the refresh ++ phase otherwise (ITS#6555) */ ++ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next; ++ } ++ ldap_pvt_thread_mutex_unlock( &ss->s_mutex ); ++ rc = test_filter( &op2, e, op2.ors_filter ); + } + + Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n", +-- +1.7.0.3 + diff --git a/ldapi_url.dif b/ldapi_url.dif new file mode 100644 index 0000000..b8eb3f9 --- /dev/null +++ b/ldapi_url.dif @@ -0,0 +1,11 @@ +--- include/ldap_defaults.h 2004/04/14 14:13:27 1.1 ++++ include/ldap_defaults.h 2004/04/14 14:14:01 +@@ -39,7 +39,7 @@ + #define LDAP_ENV_PREFIX "LDAP" + + /* default ldapi:// socket */ +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi" + + /* + * SLAPD DEFINITIONS diff --git a/openldap-2.4.21.tar.bz2 b/openldap-2.4.21.tar.bz2 new file mode 100644 index 0000000..ef5bbfc --- /dev/null +++ b/openldap-2.4.21.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7140bb913a95765134daf5ee17254d938f54c981790d328e6cd3ca7ad6cea915 +size 4421498 diff --git a/openldap-2.4.23.tar.bz2 b/openldap-2.4.23.tar.bz2 deleted file mode 100644 index 1ab37f7..0000000 --- a/openldap-2.4.23.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:56349b44f6219fa305e9ebaffd6f2c2c57e3229a1f1c850f6fc5f6ba4e06c03a -size 4223407 diff --git a/openldap-rc.tgz b/openldap-rc.tgz index 769d82c..1c3fbc9 100644 --- a/openldap-rc.tgz +++ b/openldap-rc.tgz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f84fdc87394660f5e3ac1977d0f6c6d1aa0c66f4f26c59e49b21807bf95f00c6 -size 4535 +oid sha256:7461807939d700bfa6fbcbf16c0bceddd42683d8163a61d9a5923a5620450ac0 +size 4552 diff --git a/openldap2-client.changes b/openldap2-client.changes index c92a54f..58841dd 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes @@ -1,48 +1,3 @@ -------------------------------------------------------------------- -Thu Aug 26 14:04:06 UTC 2010 - rhafer@novell.com - -- Fix listener URIs in init script to make SLP registration work - again (bnc#620389) - -------------------------------------------------------------------- -Fri Jul 23 07:49:40 UTC 2010 - rhafer@novell.com - -- Fixed RPM Group and Summary Tags (bnc#624980) - -------------------------------------------------------------------- -Thu Jul 1 13:02:13 UTC 2010 - rhafer@novell.com - -- Updated to 2.4.23: - * Fixed libldap to return server's error code (ITS#6569) - * Fixed libldap memleaks (ITS#6568) - * Fixed liblutil off-by-one with delta (ITS#6541) - * Fixed slapd acls with glued databases (ITS#6468) - * Fixed slapd syncrepl rid logging (ITS#6533) - * Fixed slapd modrdn handling of invalid values (bnc#612430, - ITS#6570) - * Fixed slapd-bdb hasSubordinates computation (ITS#6549) - * Fixed slapd-bdb to use memcpy instead for strcpy (ITS#6474) - * Fixed slapd-bdb entry cache delete failure (ITS#6577) - * Fixed slapd-ldap to return control responses (ITS#6530) - * Fixed slapo-ppolicy to use Debug (ITS#6566) - * Fixed slapo-refint to zero out freed DN vals (ITS#6572) - * Fixed slapo-rwm to use Debug (ITS#6566) - * Fixed slapo-sssvlv to use Debug (ITS#6566) - * Fixed slapo-syncprov lost deletes in refresh phase (bnc#606294, - ITS#6555) - * Fixed slapo-valsort to use Debug (ITS#6566) - * Fixed contrib/nssov network.c missing patch (ITS#6562) -- New subpackage openldap2-back-sql. Contains the SQL backend - module plus some documentation (bnc#395719) -- generate Patches from git tree (resulted in all patches being - renamed) -- installing binaries without stripping them is done by setting - the STRIP enviroment variable instead for patching the Makefile - now -- Fixed a bug in the syncprov overlay which could lead to not - replicate delete Operations (ITS#6555, bnc#606294) -- BuildRequires cleanup - ------------------------------------------------------------------- Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com diff --git a/openldap2-client.spec b/openldap2-client.spec index cd58ff2..51137f4 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,5 +1,5 @@ # -# spec file for package openldap2 (Version 2.4.21) +# spec file for package openldap2-client (Version 2.4.21) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,25 +19,25 @@ %define run_test_suite 1 -Name: openldap2-client -BuildRequires: cyrus-sasl-devel libopenssl-devel -%if %sles_version == 9 || %sles_version == 10 -BuildRequires: -libopenssl-devel -pwdutils openssl-devel +Name: openldap2-client +BuildRequires: cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel +%if %sles_version == 9 +BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel %endif -Version: 2.4.23 -Release: 4 +%if %sles_version == 10 +BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel +%endif +Version: 2.4.21 +Release: 6 Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" -BuildRequires: unixODBC-devel openslp-devel db-devel tcpd-devel -%if %sles_version == 9 || %sles_version == 10 -BuildRequires: -db-devel libdb-4_5-devel -%endif -Group: Productivity/Networking/LDAP/Servers +BuildRequires: openslp-devel +Group: Productivity/Networking/LDAP/Clients Conflicts: openldap Requires: libldap-2_4-2 = %{version} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -Summary: The OpenLDAP Server +Summary: The OpenLDAP commandline client tools %else Group: Productivity/Networking/LDAP/Clients Conflicts: openldap-client @@ -53,12 +53,15 @@ Source4: sasl-slapd.conf Source5: README.update Source6: schema2ldif Source100: openldap-2.3.37.tar.bz2 -Patch1: 0001-build-adjustments.dif -Patch2: 0002-slapd.conf.dif -Patch3: 0003-LDAPI-socket-location.dif -Patch4: 0004-libldap-use-gethostbyname_r.dif -Patch5: 0005-pie-compile.dif -Patch6: 0006-assorted-fixes-for-back-config-DELETE-support.dif +Patch1: openldap2.dif +Patch2: slapd_conf.dif +Patch4: ldapi_url.dif +Patch5: slapd-back-hdb-fortify.dif +Patch6: libldap-gethostbyname_r.dif +Patch7: pie-compile.dif +Patch11: slapd-bconfig-del-db.dif +Patch12: Syncprov-might-lose-deletes-ITS-6555.dif +Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -113,21 +116,6 @@ Authors: -------- The OpenLDAP Project -%package -n openldap2-back-sql -License: BSD3c(or similar) -Summary: OpenLDAP SQL Back-End -Requires: openldap2 = %{version} -AutoReqProv: on -Group: Productivity/Networking/LDAP/Servers - -%description -n openldap2-back-sql -The primary purpose of this OpenLDAP backend is to present information -stored in a Relational (SQL) Database as an LDAP subtree without the need -to do any programming. - -Authors: --------- - The OpenLDAP Project %else %description @@ -185,14 +173,17 @@ Authors: %prep %setup -q -n openldap-%{version} -a1 -a2 -b100 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%patch1 +%patch2 +%patch4 +%patch5 +%patch6 %if %suse_version > 920 -%patch5 -p1 +%patch7 %endif -%patch6 -p1 +%patch11 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif @@ -205,10 +196,13 @@ cd ../openldap-2.3.37 libtoolize --force autoreconf export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" -export STRIP="" -%configure \ +./configure --prefix=/usr \ + --exec-prefix=/usr \ + --sysconfdir=%{_sysconfdir} \ --localstatedir=/var/run/slapd \ --libexecdir=/usr/lib/openldap \ + --libdir=%{_libdir} \ + --mandir=%{_mandir} \ --enable-wrappers \ --enable-aclgroups \ --enable-spasswd \ @@ -228,7 +222,6 @@ export STRIP="" --enable-meta=mod \ --enable-monitor=yes \ --enable-perl=mod \ - --enable-sql=mod \ --enable-slp \ --enable-overlays=yes \ %else @@ -286,7 +279,7 @@ make SLAPD_DEBUG=0 test %install mkdir -p $RPM_BUILD_ROOT/etc/init.d mkdir -p $RPM_BUILD_ROOT/usr/sbin -make STRIP="" DESTDIR=$RPM_BUILD_ROOT install +make DESTDIR=$RPM_BUILD_ROOT install install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d @@ -320,10 +313,10 @@ rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 +rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sql.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la - #put filelists into files cat >openldap2.filelist < openldap2-back-meta.filelist < openldap2-back-sql.filelist < -Date: Wed, 16 Jun 2010 14:04:07 +0200 -Subject: build-adjustments - -- Don't strip binaries -- Adjusted modules path -- don't use automake macro - - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/build/top.mk b/build/top.mk -index 0794173..eb4c825 100644 ---- a/build/top.mk -+++ b/build/top.mk -@@ -40,7 +40,7 @@ libdir = @libdir@ +Index: build/top.mk +=================================================================== +--- build/top.mk.orig ++++ build/top.mk +@@ -39,7 +39,7 @@ libdir = @libdir@ libexecdir = @libexecdir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -22,10 +11,19 @@ index 0794173..eb4c825 100644 sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@$(ldap_subdir) -diff --git a/configure.in b/configure.in -index ba05a5a..e658b81 100644 ---- a/configure.in -+++ b/configure.in +@@ -58,7 +58,7 @@ INSTALL_PROGRAM = $(INSTALL) + INSTALL_DATA = $(INSTALL) -m 644 + INSTALL_SCRIPT = $(INSTALL) + +-STRIP = -s ++#STRIP = -s + + LINT = lint + 5LINT = 5lint +Index: configure.in +=================================================================== +--- configure.in.orig ++++ configure.in @@ -67,7 +67,9 @@ dnl Determine host platform dnl we try not to use this for much AC_CANONICAL_TARGET([]) @@ -37,6 +35,4 @@ index ba05a5a..e658b81 100644 AC_SUBST(PACKAGE)dnl AC_SUBST(VERSION)dnl AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package) --- -1.7.1 diff --git a/openldap2.spec b/openldap2.spec index 04adec8..c037261 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -20,24 +20,24 @@ %define run_test_suite 1 Name: openldap2 -BuildRequires: cyrus-sasl-devel libopenssl-devel -%if %sles_version == 9 || %sles_version == 10 -BuildRequires: -libopenssl-devel -pwdutils openssl-devel +BuildRequires: cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel +%if %sles_version == 9 +BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel %endif -Version: 2.4.23 -Release: 4 +%if %sles_version == 10 +BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel +%endif +Version: 2.4.21 +Release: 6 Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" -BuildRequires: unixODBC-devel openslp-devel db-devel tcpd-devel -%if %sles_version == 9 || %sles_version == 10 -BuildRequires: -db-devel libdb-4_5-devel -%endif -Group: Productivity/Networking/LDAP/Servers +BuildRequires: openslp-devel +Group: Productivity/Networking/LDAP/Clients Conflicts: openldap Requires: libldap-2_4-2 = %{version} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -Summary: The OpenLDAP Server +Summary: The OpenLDAP commandline client tools %else Group: Productivity/Networking/LDAP/Clients Conflicts: openldap-client @@ -53,12 +53,15 @@ Source4: sasl-slapd.conf Source5: README.update Source6: schema2ldif Source100: openldap-2.3.37.tar.bz2 -Patch1: 0001-build-adjustments.dif -Patch2: 0002-slapd.conf.dif -Patch3: 0003-LDAPI-socket-location.dif -Patch4: 0004-libldap-use-gethostbyname_r.dif -Patch5: 0005-pie-compile.dif -Patch6: 0006-assorted-fixes-for-back-config-DELETE-support.dif +Patch1: openldap2.dif +Patch2: slapd_conf.dif +Patch4: ldapi_url.dif +Patch5: slapd-back-hdb-fortify.dif +Patch6: libldap-gethostbyname_r.dif +Patch7: pie-compile.dif +Patch11: slapd-bconfig-del-db.dif +Patch12: Syncprov-might-lose-deletes-ITS-6555.dif +Patch13: slapd-modrdn-crash-ITS-6570.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -113,21 +116,6 @@ Authors: -------- The OpenLDAP Project -%package -n openldap2-back-sql -License: BSD3c(or similar) -Summary: OpenLDAP SQL Back-End -Requires: openldap2 = %{version} -AutoReqProv: on -Group: Productivity/Networking/LDAP/Servers - -%description -n openldap2-back-sql -The primary purpose of this OpenLDAP backend is to present information -stored in a Relational (SQL) Database as an LDAP subtree without the need -to do any programming. - -Authors: --------- - The OpenLDAP Project %else %description @@ -185,14 +173,17 @@ Authors: %prep %setup -q -n openldap-%{version} -a1 -a2 -b100 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%patch1 +%patch2 +%patch4 +%patch5 +%patch6 %if %suse_version > 920 -%patch5 -p1 +%patch7 %endif -%patch6 -p1 +%patch11 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif @@ -205,10 +196,13 @@ cd ../openldap-2.3.37 libtoolize --force autoreconf export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" -export STRIP="" -%configure \ +./configure --prefix=/usr \ + --exec-prefix=/usr \ + --sysconfdir=%{_sysconfdir} \ --localstatedir=/var/run/slapd \ --libexecdir=/usr/lib/openldap \ + --libdir=%{_libdir} \ + --mandir=%{_mandir} \ --enable-wrappers \ --enable-aclgroups \ --enable-spasswd \ @@ -228,7 +222,6 @@ export STRIP="" --enable-meta=mod \ --enable-monitor=yes \ --enable-perl=mod \ - --enable-sql=mod \ --enable-slp \ --enable-overlays=yes \ %else @@ -286,7 +279,7 @@ make SLAPD_DEBUG=0 test %install mkdir -p $RPM_BUILD_ROOT/etc/init.d mkdir -p $RPM_BUILD_ROOT/usr/sbin -make STRIP="" DESTDIR=$RPM_BUILD_ROOT install +make DESTDIR=$RPM_BUILD_ROOT install install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d @@ -320,10 +313,10 @@ rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 +rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sql.5 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la - #put filelists into files cat >openldap2.filelist < openldap2-back-meta.filelist < openldap2-back-sql.filelist < -Date: Wed, 16 Jun 2010 14:08:30 +0200 -Subject: pie compile - - - 12 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/build/top.mk b/build/top.mk -index eb4c825..4cb3da8 100644 ---- a/build/top.mk -+++ b/build/top.mk -@@ -178,9 +178,9 @@ SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \ +Index: build/top.mk +=================================================================== +--- build/top.mk.orig ++++ build/top.mk +@@ -178,9 +178,9 @@ SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_L WRAP_LIBS = @WRAP_LIBS@ # AutoConfig generated AC_CC = @CC@ @@ -22,11 +14,11 @@ index eb4c825..4cb3da8 100644 AC_LIBS = @LIBS@ KRB4_LIBS = @KRB4_LIBS@ -diff --git a/libraries/liblunicode/Makefile.in b/libraries/liblunicode/Makefile.in -index 5348baa..7332d4e 100644 ---- a/libraries/liblunicode/Makefile.in -+++ b/libraries/liblunicode/Makefile.in -@@ -35,6 +35,9 @@ $(XXDIR)/uctable.h: $(XXDIR)/ucgendat.c $(srcdir)/UnicodeData.txt $(srcdir)/Comp +Index: libraries/liblunicode/Makefile.in +=================================================================== +--- libraries/liblunicode/Makefile.in.orig ++++ libraries/liblunicode/Makefile.in +@@ -35,6 +35,9 @@ $(XXDIR)/uctable.h: $(XXDIR)/ucgendat.c $(MAKE) ucgendat ./ucgendat $(srcdir)/UnicodeData.txt -x $(srcdir)/CompositionExclusions.txt @@ -36,10 +28,10 @@ index 5348baa..7332d4e 100644 ucgendat: $(XLIBS) ucgendat.o $(LTLINK) -o $@ ucgendat.o $(LIBS) -diff --git a/libraries/liblutil/Makefile.in b/libraries/liblutil/Makefile.in -index b527966..a04e18e 100644 ---- a/libraries/liblutil/Makefile.in -+++ b/libraries/liblutil/Makefile.in +Index: libraries/liblutil/Makefile.in +=================================================================== +--- libraries/liblutil/Makefile.in.orig ++++ libraries/liblutil/Makefile.in @@ -19,6 +19,9 @@ PROGRAM = testavl LDAP_INCDIR= ../../include LDAP_LIBDIR= ../../libraries @@ -50,25 +42,11 @@ index b527966..a04e18e 100644 NT_SRCS = ntservice.c NT_OBJS = ntservice.o slapdmsg.res -diff --git a/libraries/librewrite/Makefile.in b/libraries/librewrite/Makefile.in -index 72678c1..a4e0bcc 100644 ---- a/libraries/librewrite/Makefile.in -+++ b/libraries/librewrite/Makefile.in -@@ -26,6 +26,9 @@ OBJS = config.o context.o info.o ldapmap.o map.o params.o rule.o \ - LDAP_INCDIR= ../../include - LDAP_LIBDIR= ../../libraries - -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ - LIBRARY = librewrite.a - PROGRAMS = rewrite - XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) \ -diff --git a/servers/slapd/Makefile.in b/servers/slapd/Makefile.in -index c170d79..23a18eb 100644 ---- a/servers/slapd/Makefile.in -+++ b/servers/slapd/Makefile.in -@@ -69,6 +69,9 @@ SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BACKENDS@ +Index: servers/slapd/Makefile.in +=================================================================== +--- servers/slapd/Makefile.in.orig ++++ servers/slapd/Makefile.in +@@ -69,6 +69,9 @@ SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BA SLAPI_LIBS=@LIBSLAPI@ @SLAPI_LIBS@ @@ -78,10 +56,10 @@ index c170d79..23a18eb 100644 XDEFS = $(MODULES_CPPFLAGS) XLDFLAGS = $(MODULES_LDFLAGS) -diff --git a/servers/slapd/back-bdb/Makefile.in b/servers/slapd/back-bdb/Makefile.in -index f44dab2..d919931 100644 ---- a/servers/slapd/back-bdb/Makefile.in -+++ b/servers/slapd/back-bdb/Makefile.in +Index: servers/slapd/back-bdb/Makefile.in +=================================================================== +--- servers/slapd/back-bdb/Makefile.in.orig ++++ servers/slapd/back-bdb/Makefile.in @@ -37,6 +37,9 @@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_BDB@_DEFS) MOD_LIBS = $(BDB_LIBS) @@ -92,10 +70,10 @@ index f44dab2..d919931 100644 shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -diff --git a/servers/slapd/back-hdb/Makefile.in b/servers/slapd/back-hdb/Makefile.in -index 5d8381c..a80d8c0 100644 ---- a/servers/slapd/back-hdb/Makefile.in -+++ b/servers/slapd/back-hdb/Makefile.in +Index: servers/slapd/back-hdb/Makefile.in +=================================================================== +--- servers/slapd/back-hdb/Makefile.in.orig ++++ servers/slapd/back-hdb/Makefile.in @@ -41,6 +41,9 @@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_HDB@_DEFS) MOD_LIBS = $(BDB_LIBS) @@ -106,52 +84,24 @@ index 5d8381c..a80d8c0 100644 shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in -index 64a4af8..51495d5 100644 ---- a/servers/slapd/back-ldap/Makefile.in -+++ b/servers/slapd/back-ldap/Makefile.in -@@ -29,6 +29,9 @@ BUILD_MOD = @BUILD_LDAP@ - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(@BUILD_LDAP@_DEFS) +Index: servers/slapd/overlays/Makefile.in +=================================================================== +--- servers/slapd/overlays/Makefile.in.orig ++++ servers/slapd/overlays/Makefile.in +@@ -45,6 +45,9 @@ LTONLY_MOD = $(LTONLY_mod) + LDAP_INCDIR= ../../../include + LDAP_LIBDIR= ../../../libraries +PIE_CFLAGS="-fPIE" +PIE_LDFLAGS="-pie" + - shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) - UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in -index 29450ae..c47641f 100644 ---- a/servers/slapd/back-ldif/Makefile.in -+++ b/servers/slapd/back-ldif/Makefile.in -@@ -25,6 +25,9 @@ BUILD_MOD = yes - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(yes_DEFS) + MOD_DEFS = -DSLAPD_IMPORT -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) - UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in -index 6005b2d..a8f45a7 100644 ---- a/servers/slapd/back-monitor/Makefile.in -+++ b/servers/slapd/back-monitor/Makefile.in -@@ -33,6 +33,9 @@ BUILD_MOD = @BUILD_MONITOR@ - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(@BUILD_MONITOR@_DEFS) - -+PIE_CFLAGS="-fPIE" -+PIE_LDFLAGS="-pie" -+ - shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) - UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) -diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in -index a408f34..518c7e5 100644 ---- a/servers/slapd/back-relay/Makefile.in -+++ b/servers/slapd/back-relay/Makefile.in +Index: servers/slapd/back-relay/Makefile.in +=================================================================== +--- servers/slapd/back-relay/Makefile.in.orig ++++ servers/slapd/back-relay/Makefile.in @@ -25,6 +25,9 @@ BUILD_MOD = @BUILD_RELAY@ mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_RELAY@_DEFS) @@ -162,20 +112,59 @@ index a408f34..518c7e5 100644 shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE) -diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in -index 0b7ce5c..7a48574 100644 ---- a/servers/slapd/overlays/Makefile.in -+++ b/servers/slapd/overlays/Makefile.in -@@ -46,6 +46,9 @@ LTONLY_MOD = $(LTONLY_mod) - LDAP_INCDIR= ../../../include - LDAP_LIBDIR= ../../../libraries +Index: servers/slapd/back-ldif/Makefile.in +=================================================================== +--- servers/slapd/back-ldif/Makefile.in.orig ++++ servers/slapd/back-ldif/Makefile.in +@@ -25,6 +25,9 @@ BUILD_MOD = yes + mod_DEFS = -DSLAPD_IMPORT + MOD_DEFS = $(yes_DEFS) +PIE_CFLAGS="-fPIE" +PIE_LDFLAGS="-pie" + - MOD_DEFS = -DSLAPD_IMPORT - shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) --- -1.7.1 - + NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +Index: libraries/librewrite/Makefile.in +=================================================================== +--- libraries/librewrite/Makefile.in.orig ++++ libraries/librewrite/Makefile.in +@@ -26,6 +26,9 @@ OBJS = config.o context.o info.o ldapmap + LDAP_INCDIR= ../../include + LDAP_LIBDIR= ../../libraries + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + LIBRARY = librewrite.a + PROGRAMS = rewrite + XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) \ +Index: servers/slapd/back-ldap/Makefile.in +=================================================================== +--- servers/slapd/back-ldap/Makefile.in.orig ++++ servers/slapd/back-ldap/Makefile.in +@@ -29,6 +29,9 @@ BUILD_MOD = @BUILD_LDAP@ + mod_DEFS = -DSLAPD_IMPORT + MOD_DEFS = $(@BUILD_LDAP@_DEFS) + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) + NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +Index: servers/slapd/back-monitor/Makefile.in +=================================================================== +--- servers/slapd/back-monitor/Makefile.in.orig ++++ servers/slapd/back-monitor/Makefile.in +@@ -33,6 +33,9 @@ BUILD_MOD = @BUILD_MONITOR@ + mod_DEFS = -DSLAPD_IMPORT + MOD_DEFS = $(@BUILD_MONITOR@_DEFS) + ++PIE_CFLAGS="-fPIE" ++PIE_LDFLAGS="-pie" ++ + shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) + NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) diff --git a/slapd-back-hdb-fortify.dif b/slapd-back-hdb-fortify.dif new file mode 100644 index 0000000..6dcea6e --- /dev/null +++ b/slapd-back-hdb-fortify.dif @@ -0,0 +1,13 @@ +Index: servers/slapd/back-bdb/dn2id.c +=================================================================== +--- servers/slapd/back-bdb/dn2id.c.orig ++++ servers/slapd/back-bdb/dn2id.c +@@ -676,7 +676,7 @@ hdb_dn2id_delete( + d->nrdnlen[0] = (BEI(e)->bei_nrdn.bv_len >> 8) | 0x80; + dlen[0] = d->nrdnlen[0]; + dlen[1] = d->nrdnlen[1]; +- strcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val ); ++ memcpy ( d->nrdn, BEI(e)->bei_nrdn.bv_val, BEI(e)->bei_nrdn.bv_len + 1); + data.data = d; + + rc = db->cursor( db, txn, &cursor, bdb->bi_db_opflags ); diff --git a/0006-assorted-fixes-for-back-config-DELETE-support.dif b/slapd-bconfig-del-db.dif similarity index 66% rename from 0006-assorted-fixes-for-back-config-DELETE-support.dif rename to slapd-bconfig-del-db.dif index 44f9946..620232b 100644 --- a/0006-assorted-fixes-for-back-config-DELETE-support.dif +++ b/slapd-bconfig-del-db.dif @@ -1,16 +1,8 @@ -From a998fdc90747f222d261e714ea7e757ad0345f56 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 16 Jun 2010 14:08:56 +0200 -Subject: assorted fixes for back-config DELETE support - - - 1 files changed, 16 insertions(+), 2 deletions(-) - -diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c -index 8626f21..4ec085f 100644 ---- a/servers/slapd/bconfig.c -+++ b/servers/slapd/bconfig.c -@@ -5924,13 +5924,26 @@ config_back_delete( Operation *op, SlapReply *rs ) +Index: servers/slapd/bconfig.c +=================================================================== +--- servers/slapd/bconfig.c.orig ++++ servers/slapd/bconfig.c +@@ -5492,13 +5492,26 @@ config_back_delete( Operation *op, SlapR rs->sr_err = LDAP_UNWILLING_TO_PERFORM; } else if ( op->o_abandon ) { rs->sr_err = SLAPD_ABANDON; @@ -39,7 +31,7 @@ index 8626f21..4ec085f 100644 /* remove CfEntryInfo from the siblings list */ if ( ce->ce_parent->ce_kids == ce ) { -@@ -5992,6 +6005,7 @@ config_back_delete( Operation *op, SlapReply *rs ) +@@ -5560,6 +5573,7 @@ config_back_delete( Operation *op, SlapR #else rs->sr_err = LDAP_UNWILLING_TO_PERFORM; #endif /* SLAP_CONFIG_DELETE */ @@ -47,6 +39,3 @@ index 8626f21..4ec085f 100644 send_ldap_result( op, rs ); return rs->sr_err; } --- -1.7.1 - diff --git a/slapd-modrdn-crash-ITS-6570.dif b/slapd-modrdn-crash-ITS-6570.dif new file mode 100644 index 0000000..667950c --- /dev/null +++ b/slapd-modrdn-crash-ITS-6570.dif @@ -0,0 +1,100 @@ +From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001 +From: hyc +Date: Sun, 6 Jun 2010 22:02:32 +0000 +Subject: slapd modrdn crash (ITS#6570) + +part #1 reject RDNs with binary BER values +part #2 reject RDNs with empty values + +Unauthenticated LDAP clients could crash the server by submitting a +specially crafted LDAP ModRDN operatoin. + +Part #1: +OpenLDAP crashes with segfault during the processing of a modrdn call with +maliciously formed destination rdn string. No authentication is required to +trigger this vulnerability. + +Part #2: +OpenLDAP crashes at a null pointer dereference during the processing of modrdn +call with maliciously formed destination rdn string. No authentication is +required to trigger this vulnerability. + + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c +index 3534e7f..75d2204 100644 +--- a/servers/slapd/dn.c ++++ b/servers/slapd/dn.c +@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) + ava->la_attr = ad->ad_cname; + + if( ava->la_flags & LDAP_AVA_BINARY ) { +- if( ava->la_value.bv_len == 0 ) { +- /* BER encoding is empty */ +- return LDAP_INVALID_SYNTAX; +- } ++ /* AVA is binary encoded, not supported */ ++ return LDAP_INVALID_SYNTAX; + + /* Do not allow X-ORDERED 'VALUES' naming attributes */ + } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { + return LDAP_INVALID_SYNTAX; + +- /* AVA is binary encoded, don't muck with it */ + } else if( flags & SLAP_LDAPDN_PRETTY ) { + transf = ad->ad_type->sat_syntax->ssyn_pretty; + if( !transf ) { +@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) + ava->la_value = bv; + ava->la_flags |= LDAP_AVA_FREE_VALUE; + } ++ /* reject empty values */ ++ if (!ava->la_value.bv_len) { ++ return LDAP_INVALID_SYNTAX; ++ } + } + rc = LDAP_SUCCESS; + +diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c +index e386ef9..e143a7b 100644 +--- a/servers/slapd/modrdn.c ++++ b/servers/slapd/modrdn.c +@@ -445,12 +445,19 @@ slap_modrdn2mods( + mod_tmp->sml_values[1].bv_val = NULL; + if( desc->ad_type->sat_equality->smr_normalize) { + mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); +- (void) (*desc->ad_type->sat_equality->smr_normalize)( ++ rs->sr_err = desc->ad_type->sat_equality->smr_normalize( + SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, + desc->ad_type->sat_syntax, + desc->ad_type->sat_equality, + &mod_tmp->sml_values[0], + &mod_tmp->sml_nvalues[0], NULL ); ++ if (rs->sr_err != LDAP_SUCCESS) { ++ ch_free(mod_tmp->sml_nvalues); ++ ch_free(mod_tmp->sml_values[0].bv_val); ++ ch_free(mod_tmp->sml_values); ++ ch_free(mod_tmp); ++ goto done; ++ } + mod_tmp->sml_nvalues[1].bv_val = NULL; + } else { + mod_tmp->sml_nvalues = NULL; +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 68e6d28..d2f4708 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -1732,8 +1732,9 @@ UTF8StringNormalize( + ? LDAP_UTF8_APPROX : 0; + + val = UTF8bvnormalize( val, &tmp, flags, ctx ); ++ /* out of memory or syntax error, the former is unlikely */ + if( val == NULL ) { +- return LDAP_OTHER; ++ return LDAP_INVALID_SYNTAX; + } + + /* collapse spaces (in place) */ +-- +1.7.0.3 + diff --git a/0002-slapd.conf.dif b/slapd_conf.dif similarity index 80% rename from 0002-slapd.conf.dif rename to slapd_conf.dif index 70adde1..5f22516 100644 --- a/0002-slapd.conf.dif +++ b/slapd_conf.dif @@ -1,15 +1,5 @@ -From d9c1061b77eec147e6d1df8b466d4b17b89e6890 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 16 Jun 2010 14:05:49 +0200 -Subject: slapd.conf - - - 1 files changed, 33 insertions(+), 17 deletions(-) - -diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf -index 4938b85..9caf292 100644 ---- a/servers/slapd/slapd.conf -+++ b/servers/slapd/slapd.conf +--- servers/slapd/slapd.conf 2007/02/21 16:27:01 1.1 ++++ servers/slapd/slapd.conf 2007/02/21 16:29:20 @@ -3,6 +3,10 @@ # This file should NOT be world readable. # @@ -21,7 +11,7 @@ index 4938b85..9caf292 100644 # Define global ACLs to disable default read access. -@@ -10,8 +14,8 @@ include %SYSCONFDIR%/schema/core.schema +@@ -10,8 +14,8 @@ # service AND an understanding of referrals. #referral ldap://root.openldap.org @@ -32,7 +22,7 @@ index 4938b85..9caf292 100644 # Load dynamic backend modules: # modulepath %MODULEDIR% -@@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args +@@ -26,20 +30,30 @@ # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: @@ -77,7 +67,7 @@ index 4938b85..9caf292 100644 # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") -@@ -52,6 +66,8 @@ argsfile %LOCALSTATEDIR%/run/slapd.args +@@ -52,6 +66,8 @@ database bdb suffix "dc=my-domain,dc=com" @@ -86,7 +76,7 @@ index 4938b85..9caf292 100644 rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. -@@ -60,6 +76,6 @@ rootpw secret +@@ -60,6 +76,6 @@ # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. @@ -94,6 +84,3 @@ index 4938b85..9caf292 100644 +directory /var/lib/ldap # Indices to maintain index objectClass eq --- -1.7.1 -