From 18364f265dd591ff9dcb37652d37b8840a14ea8690e9346f53b660d0de70dfba Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Michael=20Str=C3=B6der?= Date: Thu, 26 Aug 2021 20:16:29 +0000 Subject: [PATCH 1/2] Accepting request 914040 from home:phiwag:branches:network:ldap Since version 2.5.7 the update from the 2.4 release series to 2.5 has become easier: existing MDB databases can be upgraded (this was already the case before, but the documentation was slightly too cautious). Additionally, slapcat in version 2.5 can read databases from version 2.4, which wasn't possible in earlier 2.5 releases. - Update to upstream version 2.5.7 Fixed lloadd client state tracking (ITS#9624) Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611) Fixed slapd-ldif duplicate controls response (ITS#9497) Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621) Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958) Fixed slapd-mdb idlexp maximum size handling (ITS#9637) Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628) Fixed slapd-sql to add support for ppolicy attributes (ITS#9629) Fixed slapd-sql to close transactions after bind and search (ITS#9630) Fixed slapo-accesslog to make reqMod optional (ITS#9569) Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625) Documentation slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637) slapo-accesslog(5) note that reqMod is optional (ITS#9569) Add ldapvc(1) man page (ITS#9549) Add guide section on load balancer (ITS#9443) Updated guide to document multiprovider as replacement for mirrormode (ITS#9200) Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200) Updated guide to document removal of deprecated options from client tools (ITS#9200) - Major version update to 2.5.6 See https://www.openldap.org/software/release/announce.html for a list of changes. - The threaded version of the OpenLDAP libraries, libldap_r, has been merged with libldap with 2.5. Removed all related downstream changes. 
Introduce a new compatibility symlink in the other direction: libldap_r pointing to libldap. - Removed the ppolicy-check-password module. It is unmaintained and does not build any more. OBS-URL: https://build.opensuse.org/request/show/914040 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=290 --- ...nique-to-return-filter-used-in-diagn.patch | 66 ------- 0005-pie-compile.dif | 82 +++----- 0007-Recover-on-DB-version-change.dif | 29 --- ...nd-do-not-return-Connection0-entries.patch | 9 +- 0011-openldap-re24-its7796.patch | 80 -------- ...lculation-of-consecutive-number-of-c.patch | 130 ------------- baselibs.conf | 4 +- openldap-2.4.59.tgz | 3 - openldap-2.4.59.tgz.asc | 16 -- openldap-2.5.7.tgz | 3 + openldap-2.5.7.tgz.asc | 16 ++ openldap-r-only.dif | 24 --- openldap2.changes | 74 ++++++- openldap2.spec | 148 ++++---------- ppolicy-check-password-1.2.tar.gz | 3 - ppolicy-check-password.5 | 182 ------------------ ppolicy-check-password.Makefile | 43 ----- ppolicy-check-password.conf | 7 - 18 files changed, 150 insertions(+), 769 deletions(-) delete mode 100644 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch delete mode 100644 0007-Recover-on-DB-version-change.dif delete mode 100644 0011-openldap-re24-its7796.patch delete mode 100644 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch delete mode 100644 openldap-2.4.59.tgz delete mode 100644 openldap-2.4.59.tgz.asc create mode 100644 openldap-2.5.7.tgz create mode 100644 openldap-2.5.7.tgz.asc delete mode 100644 openldap-r-only.dif delete mode 100644 ppolicy-check-password-1.2.tar.gz delete mode 100644 ppolicy-check-password.5 delete mode 100644 ppolicy-check-password.Makefile delete mode 100644 ppolicy-check-password.conf diff --git a/0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch b/0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch deleted file mode 100644 index 2c51124..0000000 
--- a/0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 348588561c694784a8106871b0d5fe578007ea4e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michael=20Str=C3=B6der?= -Date: Fri, 26 Oct 2018 16:40:23 +0200 -Subject: [PATCH] ITS#8866 slapo-unique to return filter used in diagnostic - message - ---- - servers/slapd/overlays/unique.c | 27 +++++++++++++++++---------- - 1 file changed, 17 insertions(+), 10 deletions(-) - -diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c -index ed62d03b8..a7723cf5d 100644 ---- a/servers/slapd/overlays/unique.c -+++ b/servers/slapd/overlays/unique.c -@@ -965,6 +965,8 @@ unique_search( - slap_callback cb = { NULL, NULL, NULL, NULL }; /* XXX */ - unique_counter uq = { NULL, 0 }; - int rc; -+ char *errmsg; -+ int errmsgsize; - - Debug(LDAP_DEBUG_TRACE, "==> unique_search %s\n", key->bv_val, 0, 0); - -@@ -998,24 +1000,29 @@ unique_search( - nop->o_bd = on->on_info->oi_origdb; - rc = nop->o_bd->be_search(nop, &nrs); - filter_free_x(nop, nop->ors_filter, 1); -- op->o_tmpfree( key->bv_val, op->o_tmpmemctx ); - - if(rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) { - op->o_bd->bd_info = (BackendInfo *) on->on_info; - send_ldap_error(op, rs, rc, "unique_search failed"); -- return(rs->sr_err); -- } -- -- Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", uq.count, 0, 0); -+ rc = rs->sr_err; -+ } else if(uq.count) { -+ Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", uq.count, 0, 0); - -- if(uq.count) { -+ errmsgsize = sizeof("non-unique attributes found with ") + key->bv_len; -+ errmsg = op->o_tmpalloc(errmsgsize, op->o_tmpmemctx); -+ snprintf( errmsg, errmsgsize, "non-unique attributes found with %s", key->bv_val ); - op->o_bd->bd_info = (BackendInfo *) on->on_info; -- send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, -- "some attributes not unique"); -- return(rs->sr_err); -+ send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, errmsg); -+ op->o_tmpfree(errmsg, op->o_tmpmemctx); -+ rc = rs->sr_err; -+ } else { -+ 
Debug(LDAP_DEBUG_TRACE, "=> unique_search found no records\n", 0, 0, 0); -+ rc = SLAP_CB_CONTINUE; - } - -- return(SLAP_CB_CONTINUE); -+ op->o_tmpfree( key->bv_val, op->o_tmpmemctx ); -+ -+ return(rc); - } - - static int --- -2.19.1 - diff --git a/0005-pie-compile.dif b/0005-pie-compile.dif index 84b480b..3e040db 100644 --- a/0005-pie-compile.dif +++ b/0005-pie-compile.dif @@ -5,28 +5,28 @@ Subject: pie compile diff --git a/build/top.mk b/build/top.mk -index 633c9a4..c67289d 100644 +index 38ce146d7..d7fee4ec2 100644 --- a/build/top.mk +++ b/build/top.mk -@@ -107,7 +107,7 @@ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS) +@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@ LTSTATIC = @LTSTATIC@ - + LTLINK = $(LIBTOOL) --mode=link \ - $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS) + $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS) - + LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \ $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c -@@ -116,7 +116,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ - $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) - +@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ + $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS) + LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ - $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c + $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c - + LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD) -@@ -206,7 +206,7 @@ SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LI +@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS) # Our Defaults CC = $(AC_CC) DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES) 
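Review bot: The refreshed build/top.mk hunks still hard-code `-pie` into `LTLINK` and `-fPIE` into `CFLAGS`, and nothing visible in this commit checks that the 2.5 executables actually come out position-independent after the rebase. The third inner hunk's context is now the `LLOADD_LIBS` line, so 2.5 apparently adds a second daemon that would go through the same link rule if it is built; a post-build check that `readelf -h` reports type `DYN` for slapd (and lloadd, if enabled) would confirm the hardening survived. The patch header still says only `Subject: pie compile`; a line such as `Link programs as PIE (-pie/-fPIE); LTLINK_LIB and LTLINK_MOD are left without -pie` would tell the next person refreshing it what must not be lost.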
@@ -34,98 +34,68 @@ index 633c9a4..c67289d 100644 +CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS) LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS) LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS) - -diff --git a/servers/slapd/back-bdb/Makefile.in b/servers/slapd/back-bdb/Makefile.in -index da7da0c..dcb6d92 100644 ---- a/servers/slapd/back-bdb/Makefile.in -+++ b/servers/slapd/back-bdb/Makefile.in -@@ -33,6 +33,8 @@ LDAP_LIBDIR= ../../../libraries - BUILD_OPT = "--enable-bdb" - BUILD_MOD = @BUILD_BDB@ - -+PIE_CFLAGS="-fPIE" -+ - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(@BUILD_BDB@_DEFS) - MOD_LIBS = $(BDB_LIBS) -diff --git a/servers/slapd/back-hdb/Makefile.in b/servers/slapd/back-hdb/Makefile.in -index 5af828f..6f43f7b 100644 ---- a/servers/slapd/back-hdb/Makefile.in -+++ b/servers/slapd/back-hdb/Makefile.in -@@ -37,6 +37,8 @@ LDAP_LIBDIR= ../../../libraries - BUILD_OPT = "--enable-hdb" - BUILD_MOD = @BUILD_HDB@ - -+PIE_CFLAGS="-fPIE" -+ - mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(@BUILD_HDB@_DEFS) - MOD_LIBS = $(BDB_LIBS) + diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in -index 392d92e..3a0663d 100644 +index 71400ca1b..6427165c6 100644 --- a/servers/slapd/back-ldap/Makefile.in +++ b/servers/slapd/back-ldap/Makefile.in @@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries BUILD_OPT = "--enable-ldap" BUILD_MOD = @BUILD_LDAP@ - + +PIE_CFLAGS="-fPIE" + mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_LDAP@_DEFS) - + diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in -index 5e4abc1..1e8c454 100644 +index 225c8dd19..2f07c067b 100644 --- a/servers/slapd/back-ldif/Makefile.in +++ b/servers/slapd/back-ldif/Makefile.in @@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries BUILD_OPT = "--enable-ldif" BUILD_MOD = yes - + +PIE_CFLAGS="-fPIE" + mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(yes_DEFS) - + 
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in -index 9b01d2a..e37520a 100644 +index 6d64824da..9bbf8747d 100644 --- a/servers/slapd/back-mdb/Makefile.in +++ b/servers/slapd/back-mdb/Makefile.in -@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/libmdb +@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb BUILD_OPT = "--enable-mdb" BUILD_MOD = @BUILD_MDB@ - + +PIE_CFLAGS="-fPIE" + mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_MDB@_DEFS) MOD_LIBS = $(MDB_LIBS) diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in -index 9aecdbc..11c962c 100644 +index 200a1c65c..6b2afffb9 100644 --- a/servers/slapd/back-monitor/Makefile.in +++ b/servers/slapd/back-monitor/Makefile.in @@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries BUILD_OPT = "--enable-monitor" - BUILD_MOD = @BUILD_MONITOR@ - + BUILD_MOD = yes + +PIE_CFLAGS="-fPIE" + mod_DEFS = -DSLAPD_IMPORT - MOD_DEFS = $(@BUILD_MONITOR@_DEFS) - + MOD_DEFS = $(yes_DEFS) + diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in -index 90ea4b3..ff2f429 100644 +index 71d74a171..60b44afd8 100644 --- a/servers/slapd/back-relay/Makefile.in +++ b/servers/slapd/back-relay/Makefile.in @@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries BUILD_OPT = "--enable-relay" BUILD_MOD = @BUILD_RELAY@ - + +PIE_CFLAGS="-fPIE" + mod_DEFS = -DSLAPD_IMPORT MOD_DEFS = $(@BUILD_RELAY@_DEFS) - --- -1.7.10.4 - diff --git a/0007-Recover-on-DB-version-change.dif b/0007-Recover-on-DB-version-change.dif deleted file mode 100644 index 37f109b..0000000 --- a/0007-Recover-on-DB-version-change.dif +++ /dev/null 
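Review bot: `PIE_CFLAGS="-fPIE"` in each backend Makefile.in keeps the double quotes as part of the make variable's value and only works because the shell strips them when `LTCOMPILE_MOD` runs; `PIE_CFLAGS = -fPIE` is the conventional form. The refreshed patch sets the variable for back-ldap, back-ldif, back-mdb, back-monitor and back-relay only, while the spec in this same commit also configures the meta, perl, sock and sql backends, so `$(PIE_CFLAGS)` expands to nothing for those. Whether their objects still get `-fPIE` depends on `LT_CFLAGS`, which these hunks do not show, so it is worth confirming either that the per-backend assignments are still needed or that the list is complete for every backend that can be linked statically into slapd.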
@@ -1,29 +0,0 @@ -From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Tue, 5 Oct 2010 14:20:22 +0200 -Subject: Recover on DB version change - -If the libdb Version changed try to recover the database. Note: This will -only succeed if only the format of transaction logs changed. - -diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c -index ac5a6d5..fea5cb4 100644 ---- a/servers/slapd/back-bdb/init.c -+++ b/servers/slapd/back-bdb/init.c -@@ -330,6 +330,13 @@ shm_retry: - rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome, - flags | do_recover, bdb->bi_dbenv_mode ); - -+ if ( rc == DB_VERSION_MISMATCH ) { -+ Debug( LDAP_DEBUG_ANY, -+ LDAP_XSTRING(bdb_db_open) ": bdb version change detected " -+ "trying to recover\n", 0, 0, 0 ); -+ rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome, -+ flags | DB_RECOVER, bdb->bi_dbenv_mode ); -+ } - if ( rc ) { - /* Regular open failed, probably a missing shm environment. - * Start over, do a recovery. --- -1.7.10.4 - diff --git a/0008-In-monitor-backend-do-not-return-Connection0-entries.patch b/0008-In-monitor-backend-do-not-return-Connection0-entries.patch index 1cdb257..0974148 100644 --- a/0008-In-monitor-backend-do-not-return-Connection0-entries.patch +++ b/0008-In-monitor-backend-do-not-return-Connection0-entries.patch @@ -9,10 +9,10 @@ Subject: [PATCH] In monitor backend, do not return Connection0 entries as they 1 file changed, 5 insertions(+) diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c -index c1995b0..2d27738 100644 +index 4d327f243..c4d3c6237 100644 --- a/servers/slapd/back-monitor/conn.c +++ b/servers/slapd/back-monitor/conn.c -@@ -454,6 +454,11 @@ monitor_subsys_conn_create( +@@ -456,6 +456,11 @@ monitor_subsys_conn_create( c != NULL; c = connection_next( c, &connindex ) ) { 
@@ -22,8 +22,5 @@ index c1995b0..2d27738 100644 + } + monitor_entry_t *mp; - - if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE --- -2.1.4 + /* ignore outbound for now, nothing to show */ diff --git a/0011-openldap-re24-its7796.patch b/0011-openldap-re24-its7796.patch deleted file mode 100644 index 1f073dd..0000000 --- a/0011-openldap-re24-its7796.patch +++ /dev/null 
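Review bot: The rebased context for the Connection0 skip now ends at the upstream comment `/* ignore outbound for now, nothing to show */` instead of the `conn_create()` call, which suggests the 2.5 loop in `monitor_subsys_conn_create` has gained its own filtering directly after the downstream check. It is worth confirming that the downstream condition still matches the connections it was written for and has not become redundant; the condition itself lies outside the lines shown here. The downstream block also sits in front of the declaration `monitor_entry_t *mp;`, so a short comment on it such as `/* downstream: do not return Connection0 entries */` would make clear to the next rebase that the block is a local addition and not upstream code.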
@@ -1,80 +0,0 @@ -diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c -index 71e3ea4..bafef72 100644 ---- a/servers/slapd/back-bdb/filterindex.c -+++ b/servers/slapd/back-bdb/filterindex.c -@@ -741,7 +741,7 @@ equality_candidates( - &db, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= bdb_equality_candidates: (%s) not indexed\n", - ava->aa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -@@ -858,7 +858,7 @@ approx_candidates( - &db, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= bdb_approx_candidates: (%s) not indexed\n", - ava->aa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -@@ -978,7 +978,7 @@ substring_candidates( - &db, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= bdb_substring_candidates: (%s) not indexed\n", - sub->sa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -@@ -1095,7 +1095,7 @@ inequality_candidates( - &db, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= bdb_inequality_candidates: (%s) not indexed\n", - ava->aa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c -index 58c1cc8..20c58b7 100644 ---- a/servers/slapd/back-mdb/filterindex.c -+++ b/servers/slapd/back-mdb/filterindex.c -@@ -709,7 +709,7 @@ equality_candidates( - &dbi, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= mdb_equality_candidates: (%s) not indexed\n", - ava->aa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -@@ -825,7 +825,7 @@ approx_candidates( - &dbi, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= 
mdb_approx_candidates: (%s) not indexed\n", - ava->aa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -@@ -944,7 +944,7 @@ substring_candidates( - &dbi, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= mdb_substring_candidates: (%s) not indexed\n", - sub->sa_desc->ad_cname.bv_val, 0, 0 ); - return 0; -@@ -1060,7 +1060,7 @@ inequality_candidates( - &dbi, &mask, &prefix ); - - if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( LDAP_DEBUG_TRACE, - "<= mdb_inequality_candidates: (%s) not indexed\n", - ava->aa_desc->ad_cname.bv_val, 0, 0 ); - return 0; diff --git a/0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch b/0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch deleted file mode 100644 index be2a3df..0000000 --- a/0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -From b026c9236e6b11c158e69572a28eb0efb174234b Mon Sep 17 00:00:00 2001 -From: HouzuoGuo -Date: Wed, 17 Feb 2016 16:10:05 +0100 -Subject: [PATCH] Fix incorrect calculation of consecutive number of characters - in a class, when the input is shorter than 6 chars or consecutive chars - appear at the beginning of input - - -diff --git a/check_password.c b/check_password.c -index 0d9f901..acf8eda 100644 ---- a/check_password.c -+++ b/check_password.c -@@ -355,18 +355,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - int min_quality = DEFAULT_QUALITY; - int use_cracklib = DEFAULT_CRACKLIB; - -- /** bail out early as cracklib will reject passwords shorter -- * than 6 characters -- */ -- - nLen = strlen (pPasswd); -- if ( nLen < 6) { -- mem_len = realloc_error_message(&szErrStr, mem_len, -- strlen(PASSWORD_TOO_SHORT_SZ) + -- strlen(pEntry->e_name.bv_val) + 1); -- sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); -- goto fail; -- } - - if (read_config_file() == -1) { - syslog(LOG_ERR, "Warning: Could not read values from config file %s. 
Using defaults.", CONFIG_FILE); -@@ -392,46 +381,38 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - */ - - if ( max_consecutive_per_class != 0 ) { -- int consec_chars = 1; -- char type[10] = "unkown"; -- char prev_type[10] = "unknown"; -+ char prev_type = '\0'; -+ char this_type = ' '; -+ i = 0; -+ int consec_chars = 0; - for ( i = 0; i < nLen; i++ ) { -- - if ( islower(pPasswd[i]) ) { -- strncpy(type,"lower",10); -+ this_type = 'l'; - } - else if ( isupper(pPasswd[i]) ) { -- strncpy(type,"upper",10); -+ this_type = 'u'; - } - else if ( isdigit(pPasswd[i]) ) { -- strncpy(type,"digit",10); -+ this_type = 'd'; - } - else if ( ispunct(pPasswd[i]) ) { -- strncpy(type,"punct",10); -+ this_type = 'p'; - } - else { -- strncpy(type,"unknown",10); -- } -- -- if ( consec_chars > max_consecutive_per_class ) { -- mem_len = realloc_error_message(&szErrStr, mem_len, -- strlen(CONSEC_FAIL_SZ) + -- strlen(pEntry->e_name.bv_val)); -- sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val); -- goto fail; -+ this_type = ' '; - } -- -- if ( strncmp(type,prev_type,10) == 0 ) { -- consec_chars++; -+ if (this_type == prev_type) { -+ ++consec_chars; -+ } else if (i > 0) { -+ consec_chars = 0; - } -- else { -- if (strncmp("unknown",prev_type,8) != 0) { -- consec_chars = 1; -- } -- else { -- consec_chars++; -- } -- strncpy(prev_type,type,10); -+ prev_type = this_type; -+ if ( consec_chars >= max_consecutive_per_class ) { -+ mem_len = realloc_error_message(&szErrStr, mem_len, -+ strlen(CONSEC_FAIL_SZ) + -+ strlen(pEntry->e_name.bv_val)); -+ sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val); -+ goto fail; - } - } - } -diff --git a/check_password_test.c b/check_password_test.c -index 626d719..d33bd80 100644 ---- a/check_password_test.c -+++ b/check_password_test.c -@@ -90,7 +90,6 @@ void setconf( - } - - int main(void) { -- - // Empty Config, equiv to: - // 5,3,1,0,0,0,0 - setconf(-1,-1,-1,-1,-1,-1,-1); -@@ -109,5 +108,16 @@ int main(void) { - testpass("Test 2.1", 
"Simp1e", 1); - testpass("Test 2.2", "SimPle", 1); - testpass("Test 2.1", "Simp1e!", 0); -+ -+ setconf(1,0,0,0,0,0,0); -+ testpass("a", "Ab1,", 0); -+ testpass("a", "AAb1,", 1); -+ testpass("a", "Abb1,", 1); -+ -+ setconf(3,0,0,0,0,0,0); -+ testpass("a", "AAAbbb111,,,", 0); -+ testpass("a", "AAAAbbb111,,,,", 1); -+ testpass("a", "AAAbbbb111,,,", 1); -+ - return 0; - } --- -2.7.1 - diff --git a/baselibs.conf b/baselibs.conf index 3b434dc..079cbe0 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,6 +1,6 @@ -libldap-2_4-2 +libldap-2_5-0 provides "openldap2-client- = " obsoletes "openldap2-client- <= " openldap2-devel requires -openldap2- - requires "libldap-2_4-2- = " + requires "libldap-2_5-0- = " diff --git a/openldap-2.4.59.tgz b/openldap-2.4.59.tgz deleted file mode 100644 index ed298b9..0000000 --- a/openldap-2.4.59.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:99f37d6747d88206c470067eda624d5e48c1011e943ec0ab217bae8712e22f34 -size 5886272 diff --git a/openldap-2.4.59.tgz.asc b/openldap-2.4.59.tgz.asc deleted file mode 100644 index 6db1d79..0000000 --- a/openldap-2.4.59.tgz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmC5T1oACgkQf2fV/Rzh -y85Ukw//S/hsn6w62rKkwJtFl6zcCI5TlmbsKQdGVszhuqP2g58ZiJ2tzM/eucDK -w7nustTdccBmWsIfBc5HONzXhDwZxTm65GBH6p/dsJuzruVw4M/e6l799tSbsVR3 -WsYxTWBKJ8MpqBtzvH/TV4HCCTk2YkhdxKirKbo7wfuNpsVN8iodhGayg/DJHZVQ -idE6mpejyBU3CPk0ZE2oixOxlr6ij4KNQ7fnpjE0055EuuKLzQsuJsitSDDSG1o/ -UPyNzrBkjxzZlxmnO6olQ5AS/H7qgFRv77/ChPd7+AErvyrp0nDU4Rv6pkv3DHVM -tL+ZBEETx7DUatpOjqO0mZ2+fkbMtSB0HQt9js9yRBoA1YdVWtnUYQ5jyCpz6xED -TpMRnzCsXxeG7xWOGCKG1aZ3vIPo8wVbKjdWLvgjCzNHK4jZXy5ilZOo1SE0OtMo -BfDzKse/OI8yM2CaHbKiJwYO0AssgwRwP4umOnYiSFIdKSHEvbObGePSCQZyLivc -nG6jXIxG2e6xc4yCAHiyEyt3n/rcHJBgeqCHzQOkNZVAHcpbjk19R0PPS/08lKvh -MoO9DiuLlNOLJQM56xhSsfCLr7dJzFAyH+n1EQUHZ/H7m4voakuGi2c5adtHc4IP -0CyI3xjHABCSnqqiRuz9JYZZwRnyy126MbtozUZVdlAiib8/JQs= -=Nc3V ------END PGP SIGNATURE----- diff --git a/openldap-2.5.7.tgz b/openldap-2.5.7.tgz new file mode 100644 index 0000000..d65fda1 --- /dev/null +++ b/openldap-2.5.7.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea9757001bc36295037f0030ede16810a1bb7438bbe8f871a35cc2a2b439d9ab +size 6426051 diff --git a/openldap-2.5.7.tgz.asc b/openldap-2.5.7.tgz.asc new file mode 100644 index 0000000..f3062ce --- /dev/null +++ b/openldap-2.5.7.tgz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEPOJptTmLyLeFZF6Yf2fV/Rzhy84FAmEdSNIACgkQf2fV/Rzh +y84ZQw/9EunOfNC69+AUa70l83LU88xX3j2t2pPbeTRrOXIIHvYDAaMne0lxVh9o +AC5zWzGET/TxL/4cxrWqTsQubfjiOamxelQbG2sN5L86Jgxekq8PfrCGLL/YBAcU +H51kcQjGMmBZvJ5sTGtjcw6y0SF0R6qpZGjJwsYv59IuLsWsGpncIaAmkN5+hT1f +VGHuQ1TtI55VeYKlcb/afsa6ePAMs4XnhV3xyfxb2DLoXhSu7juX7zQFRSUnBN5C +XU9GKoAlgJ4qkXgpDMtKR4mG0Atl7tX7DcUkcZBsALXfVOdq/HJWTHmLTbFNZYse +eKYys79MdGge1DQinMyxVT/XoaLCT24PoTebDY7hSQ2h/PN21p62oop2xCcdSQ8w +Kxs8VdYRxpvvGaH+hfE3FtN5ryTDIDD9K6u3Z9TBco0biEIdr81QrxzaomG3IQFB +I7KFoj2JovDl6hWSSM8IRhlFMfMZPlcqnyiN/k5CmIDle/afEWoBJqIuKS/nJly6 +nYk4NSiVzKInHdDgxul07uqiiEcFOj7H956BKoGpyriARvHs9gyWAiM+WPm0iBIn +/jEU98xdhsEnaXPWFyyVwZ1DjisaMXxGpE5tY2rvZkp/oTd7QJOBOHwIveLJ25pD +mGlVRKuT9Nz8gWbOqsWbYJwf/qsUXh5Cn3M7UEEr9nxdICan0K8= +=UH2t +-----END PGP SIGNATURE----- diff --git a/openldap-r-only.dif b/openldap-r-only.dif deleted file mode 100644 index 40b03a9..0000000 --- a/openldap-r-only.dif +++ /dev/null @@ -1,24 +0,0 @@ -From: Jan Engelhardt -Date: 2017-07-04 13:53:32.386698982 +0200 - -Build all own programs exclusively with libldap_r and not libldap. - -References: http://bugzilla.redhat.com/1370065 -References: http://bugzilla.opensuse.org/996551 ---- - build/top.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: openldap-2.4.45/build/top.mk -=================================================================== ---- openldap-2.4.45.orig/build/top.mk -+++ openldap-2.4.45/build/top.mk -@@ -171,7 +171,7 @@ LDAP_LIBLUNICODE_A = $(LDAP_LIBDIR)/libl - LDAP_LIBLUTIL_A = $(LDAP_LIBDIR)/liblutil/liblutil.a - - LDAP_L = $(LDAP_LIBLUTIL_A) \ -- $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA) -+ $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \ - $(LDAP_LIBLUTIL_A) $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) - diff --git a/openldap2.changes b/openldap2.changes index 0f62144..8964c84 100644 --- a/openldap2.changes +++ b/openldap2.changes 
@@ -1,3 +1,58 @@ +------------------------------------------------------------------- +Tue Aug 24 13:04:36 UTC 2021 - Philipp Wagner + +- Update to upstream version 2.5.7 + Fixed lloadd client state tracking (ITS#9624) + Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611) + Fixed slapd-ldif duplicate controls response (ITS#9497) + Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621) + Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958) + Fixed slapd-mdb idlexp maximum size handling (ITS#9637) + Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628) + Fixed slapd-sql to add support for ppolicy attributes (ITS#9629) + Fixed slapd-sql to close transactions after bind and search (ITS#9630) + Fixed slapo-accesslog to make reqMod optional (ITS#9569) + Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625) + Documentation + slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637) + slapo-accesslog(5) note that reqMod is optional (ITS#9569) + Add ldapvc(1) man page (ITS#9549) + Add guide section on load balancer (ITS#9443) + Updated guide to document multiprovider as replacement for mirrormode (ITS#9200) + Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200) + Updated guide to document removal of deprecated options from client tools (ITS#9200) + +------------------------------------------------------------------- +Fri Jul 30 13:30:05 UTC 2021 - Philipp Wagner + +- Major version update to 2.5.6 + See https://www.openldap.org/software/release/announce.html for a list of + changes. +- The threaded version of the OpenLDAP libraries, libldap_r, has been merged + with libldap with 2.5. Removed all related downstream changes. + Introduce a new compatibility symlink in the other direction: libldap_r + pointing to libldap. +- Removed the ppolicy-check-password module. It is unmaintained and does not + build any more. 
+- Removed patch 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch + Fixed upstream in 2.5 (ITS#8866) +- Updated patch 0005-pie-compile.dif + Removed the hunks on back-bdb and back-hdb, which are retired backends in 2.5. +- Removed patch 0007-Recover-on-DB-version-change.dif + The back-bdb backend was retired. +- Removed patch 0011-openldap-re24-its7796.patch + Fixed upstream in 2.5 (ITS#7796) +- Remove non-existant configure arguments: + --enable-rewrite, --enable-monitor, --enable-lmpasswd +- Add the --enable-dynacl configure option, which is required for --enable-aci +- Add the --with-argon2 configure option and remove it from the contrib + modules, since it is now official (ITS#9453). +- Pass mandir to smbk5pwd to ensure the man page ends up in /usr/share. +- Include the new overlays in libdir/openldap in the packages. +- Add the pkgconfig files to the devel package. +- Remove compat macro for _fillupdir, which was introduced in Nov 2017 and + should be widely available now. + ------------------------------------------------------------------- Fri Jun 4 00:06:15 UTC 2021 - Michael Ströder @@ -191,7 +246,7 @@ OpenLDAP 2.4.51 Release (2020/08/11) ------------------------------------------------------------------- Mon Jun 8 12:46:34 UTC 2020 - Callum Farmer -- Revert changes to libexecdir +- Revert changes to libexecdir ------------------------------------------------------------------- Sun Jun 7 10:20:45 UTC 2020 - Michael Ströder @@ -448,7 +503,7 @@ Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger ------------------------------------------------------------------- Thu Nov 8 15:25:08 UTC 2018 - varkoly@suse.com -- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG* (transactional-update) +- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG* (transactional-update) ------------------------------------------------------------------- Fri Oct 26 14:58:41 UTC 2018 - Michael Ströder 
@@ -462,7 +517,7 @@ Fri Aug 17 07:46:47 UTC 2018 - ckowalczyk@suse.com - Fix slapd segfaults in mdb_env_reader_dest + with patch 0016-Clear-shared-key-only-in-close-function.patch -+ (bsc#1089640) ++ (bsc#1089640) ------------------------------------------------------------------- Fri Jun 29 16:23:22 UTC 2018 - michael@stroeder.com @@ -572,7 +627,7 @@ Mon Dec 11 22:51:03 UTC 2017 - michael@stroeder.com ------------------------------------------------------------------- Thu Nov 23 13:36:52 UTC 2017 - rbrown@suse.com -- Replace references to /var/adm/fillup-templates with new +- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) ------------------------------------------------------------------- @@ -632,7 +687,7 @@ Tue Jun 6 13:47:18 UTC 2017 - hguo@suse.com - There is no change made about the package itself, this is only copying over some changelog texts from SLE package: -- bug#976172 owned by hguo@suse.com: openldap2 - missing +- bug#976172 owned by hguo@suse.com: openldap2 - missing /usr/share/doc/packages/openldap2/guide/admin/guide.html - bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546: openldap2: slapd crash in valueReturnFilter cleanup @@ -1978,7 +2033,7 @@ Wed Jun 11 13:03:29 CEST 2008 - rhafer@suse.de ------------------------------------------------------------------- Fri May 16 13:24:11 CEST 2008 - rhafer@suse.de -- Support update from 2.3 releases (bnc#390247) +- Support update from 2.3 releases (bnc#390247) ------------------------------------------------------------------- Thu May 8 08:55:00 CEST 2008 - rhafer@suse.de 
@@ -2065,7 +2120,7 @@ Wed Feb 20 09:49:30 CET 2008 - rhafer@suse.de * Fixed slapd modrdn check for valid new DN (ITS#5344) * Fixed slapd multi-step SASL binds (ITS#5298) * Fixed slapd overlay ordering when moving to slapd.d (ITS#5284) - * Fixed slapd NULL printf (ITS#5264) + * Fixed slapd NULL printf (ITS#5264) * Fixed slapd NULL set values (ITS#5286) * Fixed slapd timestamp race condition (ITS#5370) * Fixed slapd cn=config crash on delete (ITS#5343) @@ -2439,7 +2494,7 @@ Wed May 10 10:20:16 CEST 2006 - rhafer@suse.de Fri Mar 24 13:48:52 CET 2006 - rhafer@suse.de - Backported fix from CVS for occasional crashes in referral - chasing code (as used in e.g. back-meta/back-ldap). + chasing code (as used in e.g. back-meta/back-ldap). (Bug: #160566, ITS: #4448) ------------------------------------------------------------------- @@ -2720,7 +2775,7 @@ Tue Aug 3 14:48:25 CEST 2004 - rhafer@suse.de new sysconfig variable (OPENLDAP_REGISTER_SLP) to be able to switch SLP registration on and off. (Bugzilla #39865) - removed unneeded README.update - + ------------------------------------------------------------------- Fri Apr 30 16:46:50 CEST 2004 - rhafer@suse.de @@ -3255,4 +3310,3 @@ Tue Nov 7 18:52:54 CET 2000 - choeger@suse.de Fri Oct 6 11:35:47 CEST 2000 - choeger@suse.de - first package of openldap2 (v2.0.6) - diff --git a/openldap2.spec b/openldap2.spec index 55f1cc4..71e0f59 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -16,16 +16,8 @@ # -#Compat macro for new _fillupdir macro introduced in Nov 2017 -%if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates -%endif - %define run_test_suite 0 -%define version_main 2.4.59 -%define name_ppolicy_check_module ppolicy-check-password -%define version_ppolicy_check_module 1.2 -%define ppolicy_docdir %{_docdir}/openldap-%{name_ppolicy_check_module}-%{version_ppolicy_check_module} +%define version_main 2.5.7 %define slapdrundir %{_rundir}/slapd Name: openldap2 
@@ -54,19 +46,10 @@ Source21: slapd-ldif-update-crc.sh Source22: update-crc.sh Source23: slapd.conf Source24: slapd.conf.olctemplate -Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch Patch3: 0003-LDAPI-socket-location.dif Patch5: 0005-pie-compile.dif -Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch -Patch11: 0011-openldap-re24-its7796.patch -Patch15: openldap-r-only.dif Patch16: 0016-Clear-shared-key-only-in-close-function.patch -Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz -Source201: %{name_ppolicy_check_module}.Makefile -Source202: %{name_ppolicy_check_module}.conf -Source203: %{name_ppolicy_check_module}.5 -Patch200: 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel @@ -85,7 +68,7 @@ BuildRequires: pkgconfig(systemd) %{?systemd_requires} %endif Requires: /usr/bin/awk -Requires: libldap-2_4-2 = %{version_main} +Requires: libldap-2_5-0 = %{version_main} Recommends: cyrus-sasl Conflicts: openldap PreReq: %fillup_prereq @@ -163,7 +146,6 @@ cloak denyop lastbind writes last bind timestamp to entry noopsrch handles no-op search control -pw-argon2 generates/validates Argon2 password hashes pw-sha2 generates/validates SHA-2 password hashes pw-pbkdf2 generates/validates PBKDF2 password hashes smbk5pwd generates Samba3 password hashes (heimdal krb disabled) @@ -181,7 +163,7 @@ The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts. %package client Summary: OpenLDAP client utilities Group: Productivity/Networking/LDAP/Clients -Requires: libldap-2_4-2 = %{version_main} +Requires: libldap-2_5-0 = %{version_main} %description client OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify. 
@@ -195,7 +177,7 @@ Obsoletes: openldap2-devel-64bit %endif # Conflicts: openldap-devel -Requires: libldap-2_4-2 = %{version_main} +Requires: libldap-2_5-0 = %{version_main} Recommends: cyrus-sasl-devel %description devel 
@@ -213,55 +195,23 @@ Requires: openldap2-devel = %version This package provides the static versions of the OpenLDAP libraries for development. -%package -n libldap-2_4-2 +%package -n libldap-2_5-0 Summary: OpenLDAP Client Libraries Group: Productivity/Networking/LDAP/Clients Recommends: libldap-data >= %{version_main} -%description -n libldap-2_4-2 +%description -n libldap-2_5-0 This package contains the OpenLDAP client libraries. -%package ppolicy-check-password -Version: %{version_ppolicy_check_module} -Release: 0 -Summary: Password quality check module for OpenLDAP -Group: Productivity/Networking/LDAP/Servers -URL: https://github.com/onyxpoint/ppolicy-check-password -BuildRequires: cracklib-devel -Requires: openldap2 = %version_main -Recommends: cracklib -Recommends: cracklib-dict-full - -%description ppolicy-check-password -An implementation of password quality check module, based on the original -work done by LDAP Toolbox Project (https://ltd-project.org), that works -together with OpenLDAP password policy overlay (ppolicy), to enforce -password strength policies. - %prep -# Unpack ppolicy check module -%setup -b 200 -q -n %{name_ppolicy_check_module}-%{version_ppolicy_check_module} -%patch200 -p1 -cd .. -# Compress the manual page of ppolicy check module -gzip -k %{S:203} - -# Unpack and patch OpenLDAP 2.4 +# Unpack and patch OpenLDAP 2.5 %setup -q -a 9 -n openldap-%{version_main} -%patch1 -p1 %patch3 -p1 %patch5 -p1 -%patch7 -p1 %patch8 -p1 -%patch11 -p1 -%patch15 -p1 %patch16 -p1 cp %{SOURCE5} . 
-# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ -mv ../%{name_ppolicy_check_module}-%{version_ppolicy_check_module} contrib/slapd-modules/%{name_ppolicy_check_module} -cp %{S:201} contrib/slapd-modules/%{name_ppolicy_check_module}/Makefile - %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS" @@ -281,13 +231,10 @@ export STRIP="" --with-cyrus-sasl \ --enable-crypt \ --enable-ipv6=yes \ + --enable-dynacl \ --enable-aci \ - --enable-bdb=mod \ - --enable-hdb=mod \ - --enable-rewrite \ --enable-ldap=mod \ --enable-meta=mod \ - --enable-monitor=mod \ --enable-perl=mod \ --enable-sock=mod \ --enable-sql=mod \ @@ -297,21 +244,19 @@ export STRIP="" --enable-overlays=mod \ --enable-syncprov=mod \ --enable-ppolicy=mod \ - --enable-lmpasswd \ --with-yielding-select \ + --with-argon2 \ || cat config.log make depend make %{?_smp_mflags} # Build selected contrib overlays -for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace +for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" done # slapo-smbk5pwd only for Samba password hashes make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB="" -# Build ppolicy-check-password module -make -C contrib/slapd-modules/%{name_ppolicy_check_module} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" # Create ldap user %sysusers_generate_pre %{SOURCE19} ldap 
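Review bot: Removing the `%package ppolicy-check-password` stanza leaves hosts that have the subpackage installed without an upgrade path, because the old package carried `Requires: openldap2 = %version_main` and no `Obsoletes:` for it is visible anywhere in this patch. I would add `Obsoletes: openldap2-ppolicy-check-password <= 1.2` to the main package so the update removes it cleanly. The changelog should also tell administrators to drop `pwdCheckModule: ppolicy-check-password.so` and the `pwdPolicyChecker` object class from their policy entries before updating, since the referenced module disappears and how slapo-ppolicy treats a missing check module on password changes should not be left to chance.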
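Review bot: Dropping `--enable-bdb=mod` and `--enable-hdb=mod` means a server whose configuration still defines a bdb or hdb database has no backend to load after the update, and the commit message documents only the MDB upgrade path. Since `Patch7` (recover on DB version change) goes away in the same patch, I would add a changelog or README note such as `- bdb and hdb backends are no longer available; export such databases with slapcat under 2.4 and load them into back-mdb before updating.` The removal of `--enable-monitor=mod` looks similar on a smaller scale: `back_monitor*` leaves `%files`, so a configuration that still loads that module would presumably need adjusting as well.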
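Review bot: `--with-argon2` is added while `passwd/argon2` is dropped from the contrib build loop, but as far as I know that switch only selects the backing library in 2.5 and the module itself is gated by `--enable-argon2`, which appears in neither configure hunk. The `%files` hunks remove `pw-argon2.*` and add no `argon2*` entry, so the resulting package may ship no Argon2 password module at all, and entries whose `userPassword` holds Argon2 hashes would then presumably fail to authenticate after the update. Please confirm against the build log and, if the module is missing, add `--enable-argon2 \` next to `--with-argon2` and `%{_libdir}/openldap/argon2*` to `%files`. The in-tree module no longer appears to be named `pw-argon2`, so existing module-load lines need updating either way, which the changelog should mention.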
@@ -349,12 +294,12 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi # Additional symbolic link to slapd executable in /usr/sbin/ ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd # Install selected contrib overlays -for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace +for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install done # slapo-smbk5pwd only for Samba password hashes -make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start install -m 644 %{SOURCE14} %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d @@ -362,7 +307,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/sasl2 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf install -m 755 -d %{buildroot}/var/lib/ldap chmod a+x %{buildroot}%{_libdir}/liblber.so* -chmod a+x %{buildroot}%{_libdir}/libldap_r.so* +chmod a+x %{buildroot}%{_libdir}/libldap.so* install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif mkdir -p %{buildroot}%{_tmpfilesdir}/ install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/ 
@@ -373,18 +318,6 @@ install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc -# Install ppolicy check module -make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install -install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf -# Install ppolicy check module's doc files -pushd contrib/slapd-modules/%{name_ppolicy_check_module} -mkdir -p "%{buildroot}%ppolicy_docdir" -install -m 0644 README "%{buildroot}%ppolicy_docdir" -install -m 0644 LICENSE "%{buildroot}%ppolicy_docdir" -popd -# Install ppolicy check module's manual page -install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/ - mkdir -p %{buildroot}%{_fillupdir} install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema @@ -401,7 +334,6 @@ rm -rf doc/guide/release install -d %{buildroot}%{DOCDIR}/adminguide \ %{buildroot}%{DOCDIR}/images \ %{buildroot}%{DOCDIR}/drafts -install -m 644 %{buildroot}/etc/openldap/DB_CONFIG.example %{buildroot}%{DOCDIR}/ install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts @@ -413,10 +345,8 @@ install -m 644 ANNOUNCEMENT \ %{buildroot}%{DOCDIR} install -m 644 servers/slapd/slapd.ldif \ %{buildroot}%{DOCDIR}/slapd.ldif.default -rm -f %{buildroot}/etc/openldap/DB_CONFIG.example rm -f %{buildroot}/etc/openldap/schema/README rm -f %{buildroot}/etc/openldap/slapd.ldif* -rm -f %{buildroot}%{slapdrundir}/openldap-data/DB_CONFIG.example mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd 
@@ -429,14 +359,12 @@ rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5 rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5 rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct -rm -f %{buildroot}%{_libdir}/lib*.la +# Keep .la files for modules in the openldap subdirectory, which are consumed +# in this form. +rm -f %{buildroot}%{_libdir}/*.la -# Make ldap_r the only copy in the system [rh#1370065]. -# libldap.so is only for `gcc/ld -lldap`. Make no libldap-2.4.so.2. -rm -f "%{buildroot}%{_libdir}"/libldap-2.4.so* -ln -fs libldap_r.so "%{buildroot}%{_libdir}/libldap.so" -gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ - -Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}%{_libdir}" -lldap_r +# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5. +ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so" %pre -f ldap.pre %service_add_pre slapd.service @@ -446,9 +374,9 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ %tmpfiles_create %{name}.conf %service_add_post slapd.service -%post -n libldap-2_4-2 -p /sbin/ldconfig +%post -n libldap-2_5-0 -p /sbin/ldconfig -%postun -n libldap-2_4-2 -p /sbin/ldconfig +%postun -n libldap-2_5-0 -p /sbin/ldconfig %preun %service_del_preun slapd.service 
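Review bot: The comment on the new `libldap_r.so` link promises more than the link delivers: it is a development symlink only (it is picked up by the `libldap*.so` glob of the devel package), so it helps rebuilds that still pass `-lldap_r` but does nothing for binaries already linked against the old libldap_r runtime library, which the removed `gcc -shared` shim used to cover for `libldap-2.4.so.2`. I would word it as `# Link-time compatibility only: lets builds that pass -lldap_r link against libldap; no libldap_r runtime library is provided.` so nobody relies on it for already-built binaries.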
@@ -474,24 +402,24 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ %{_fillupdir}/sysconfig.openldap %{_sbindir}/slap* %{_sbindir}/rcslapd -%{_libdir}/openldap/back_bdb* -%{_libdir}/openldap/back_hdb* %{_libdir}/openldap/back_ldap* %{_libdir}/openldap/back_mdb* -%{_libdir}/openldap/back_monitor* %{_libdir}/openldap/back_relay* %{_libdir}/openldap/accesslog* %{_libdir}/openldap/auditlog* +%{_libdir}/openldap/autoca* %{_libdir}/openldap/collect* %{_libdir}/openldap/constraint* %{_libdir}/openldap/dds* %{_libdir}/openldap/deref* %{_libdir}/openldap/dyngroup* %{_libdir}/openldap/dynlist* +%{_libdir}/openldap/homedir* %{_libdir}/openldap/memberof* +%{_libdir}/openldap/otp* %{_libdir}/openldap/pcache* -%{_libdir}/openldap/ppolicy-2.4.* -%{_libdir}/openldap/ppolicy.* +%{_libdir}/openldap/ppolicy* +%{_libdir}/openldap/remoteauth* %{_libdir}/openldap/refint* %{_libdir}/openldap/retcode* %{_libdir}/openldap/rwm* @@ -511,16 +439,20 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ %dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap %ghost %attr(0750, ldap, ldap) %{slapdrundir} %doc %{_mandir}/man8/sl* +%doc %{_mandir}/man8/lloadd.* +%doc %{_mandir}/man5/lloadd.conf.* %doc %{_mandir}/man5/slapd.* -%doc %{_mandir}/man5/slapd-bdb.* +%doc %{_mandir}/man5/slapd-asyncmeta.* %doc %{_mandir}/man5/slapd-config.* -%doc %{_mandir}/man5/slapd-hdb.* %doc %{_mandir}/man5/slapd-ldap.* %doc %{_mandir}/man5/slapd-ldif.* %doc %{_mandir}/man5/slapd-mdb.* %doc %{_mandir}/man5/slapd-monitor.* +%doc %{_mandir}/man5/slapd-pw-* %doc %{_mandir}/man5/slapd-relay.* +%doc %{_mandir}/man5/slapd-wt.* %doc %{_mandir}/man5/slapo-* +%doc %{_mandir}/man5/slappw-argon2.* %dir %{DOCDIR} %doc %{DOCDIR}/ANNOUNCEMENT %doc %{DOCDIR}/COPYRIGHT 
@@ -528,7 +460,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ %doc %{DOCDIR}/README* %doc %{DOCDIR}/CHANGES %doc %{DOCDIR}/slapd.ldif.default -%doc %{DOCDIR}/DB_CONFIG.example %files back-perl %defattr(-,root,root) @@ -574,14 +505,12 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ %{_libdir}/openldap/autogroup.* %{_libdir}/openldap/lastbind.* %{_libdir}/openldap/noopsrch.* -%{_libdir}/openldap/pw-argon2.* %{_libdir}/openldap/pw-sha2.* %{_libdir}/openldap/pw-pbkdf2.* %{_libdir}/openldap/denyop.* %{_libdir}/openldap/cloak.* %{_libdir}/openldap/smbk5pwd.* %{_libdir}/openldap/trace.* -%doc %{_mandir}/man5/slapd-pw-argon2.* %files client %defattr(-,root,root) @@ -598,12 +527,13 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ /usr/bin/ldapsearch /usr/bin/ldappasswd /usr/bin/ldapurl +/usr/bin/ldapvc /usr/bin/ldapwhoami -%files -n libldap-2_4-2 +%files -n libldap-2_5-0 %defattr(-,root,root) -%{_libdir}/liblber*2.4.so.* -%{_libdir}/libldap*2.4.so.* +%{_libdir}/liblber*2.5.so.* +%{_libdir}/libldap*2.5.so.* %files devel %defattr(-,root,root) @@ -614,17 +544,11 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ %{_includedir}/*.h %{_libdir}/liblber.so %{_libdir}/libldap*.so +%{_libdir}/pkgconfig/*.pc %files devel-static %defattr(-,root,root) %_libdir/liblber.a %_libdir/libldap*.a -%files ppolicy-check-password -%defattr(-,root,root) -%doc %{ppolicy_docdir}/ -%config(noreplace) /etc/openldap/check_password.conf -%{_libdir}/openldap/ppolicy-check-password.* -%{_mandir}/man5/ppolicy-check-password.* - %changelog diff --git a/ppolicy-check-password-1.2.tar.gz b/ppolicy-check-password-1.2.tar.gz deleted file mode 100644 index 529f122..0000000 --- a/ppolicy-check-password-1.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:840517adc7fa60cb45050ba203437e29458542d9d7f23e906520e0b2fca56fe9 -size 10354 
diff --git a/ppolicy-check-password.5 b/ppolicy-check-password.5 deleted file mode 100644 index e817350..0000000 --- a/ppolicy-check-password.5 +++ /dev/null 
@@ -1,182 +0,0 @@ -.\"/* -.\" * All rights reserved -.\" * Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -.\" * Authors: Howard Guo -.\" * -.\" * This program is free software; you can redistribute it and/or -.\" * modify it under the terms of the GNU General Public License -.\" * as published by the Free Software Foundation; either version 2 -.\" * of the License, or (at your option) any later version. -.\" * -.\" * This program is distributed in the hope that it will be useful, -.\" * but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" * GNU General Public License for more details. -.\" */ -.\" -.TH PPOLICY-CHECK-PASSWORD 5 "2016/02/18" "OpenLDAP password quality check" -.SH NAME -ppolicy\-check\-password \- Password quality checker for OpenLDAP ppolicy overlay -.SH SYNOPSIS -pwdCheckModule ppolicy-check-password.so -.SH DESCRIPTION -ppolicy\-check\-password is an implementation of password quality check module, it can be plugged into OpenLDAP -.BR slapo\-ppolicy (5) -overlay to enforce organisational password strength policies for password-change operations. - -.SH PREREQUISITES -In order to use the module, you should enable and configure -.BR slapo\-ppolicy (5) -overlay on the OpenLDAP server. You may use the following example to enable ppolicy overlay: -.HP 4 -Enable ppolicy overlay - -To enable ppolicy overlay on the server using static configuration file -.BR slapd.conf (5) -, first enable ppolicy schema by adding line: - -.br -include /etc/openldap/schema/ppolicy.schema - -and then append the following lines to the database definition in which password policy should be enforced: - -.br -overlay ppolicy -.br -ppolicy_default "cn=PolicyContainer,dc=my-domain,dc=com" - -Save slapd.conf and (re)start OpenLDAP server. 
- -If you use cn=config (online configuration) instead of static configuration file, add the schema /etc/openldap/schema/ppolicy.ldif to cn=schema,cn=config, then enable ppolicy overlay in olcDatabase. -.LP - -.HP 4 -Create ppolicy container entry - -The ppolicy container entry stores attributes that describe the password policy in detail, create the entry with - -.BR ldapadd (1) -: - -.br -dn: cn=PolicyContainer,dc=my-domain,dc=com -.br -cn: PolicyContainer -.br -objectClass: pwdPolicy -.br -objectClass: person -.br -objectClass: top -.br -pwdAllowUserChange: TRUE -.br -pwdAttribute: userPassword -.br -pwdCheckQuality: 2 -.br -pwdExpireWarning: 600 -.br -pwdFailureCountInterval: -.br -pwdGraceAuthNLimit: 5 -.br -pwdInHistory: 5 -.br -pwdLockout: TRUE -.br -pwdLockoutDuration: 0 -.br -pwdMaxAge: 0 -.br -pwdMaxFailure: -.br -pwdMinAge: 0 -.br -pwdMinLength: 5 -.br -pwdMustChange: FALSE -.br -pwdSafeModify: FALSE -.br -sn: dummy value -.br - -The password policy becomes effective immediately, there is no need to restart OpenLDAP server. -.LP - -.HP 4 -Enable ppolicy-check-password.so module - -Modify the ppolicy container entry with -.BR ldapmodify (1) -: - -.br -dn: cn=PolicyContainer,dc=my-domain,dc=com -.br -changeType: modify -.br -add: objectClass -.br -objectClass: pwdPolicyChecker -.br -\- -.br -add: pwdCheckModule -.br -pwdCheckModule: ppolicy-check-password.so - -The password check module becomes effective immediately, there is no need to restart OpenLDAP server. -.LP - -.SH CONFIGURATION - -The password check module reads configuration parameters from -.B /etc/openldap/check_password.conf - -Edits made to the configuration file become effective immediately, there is no need to restart OpenLDAP server. - -List of parameters: -.TP -.BI use_cracklib \ 1|0 -CrackLib is a library for checking that a password is not easily crackable, making sure that the password is not based on simple patterns or dictionary words. 
If the parameter is set to 1, cracklib will be involved and new passwords must pass cracklib quality check in addition to all other policies such as min_points -.TP -.BI min_points \ -The parameter holds an integer value in between 0 and 4. The value denotes "quality points" that a password must acquire in order to pass the check. Usage of each character class awards one quality point. If the parameeter is set to 0, the check is disabled. - -The character classes are: upper case letters, lower case letters, numeric digits, punctuations. -.TP -.BI min_upper \ -The minimal number of upper case characters a password must contain. If the parameter is set to 0, the check is disabled. -.TP -.BI min_lower \ -The minimal number of lower case characters a password must contain. If the parameter is set to 0, the check is disabled. -.TP -.BI min_digit \ -The minimal number of numeric digit characters a password must contain. If the parameter is set to 0, the check is disabled. -.TP -.BI min_punct \ -The minimal number of punctuation characters a password must contain. If the parameter is set to 0, the check is disabled. -.TP -.BI max_consecutive_per_class \ -The maximum number of characters from each character class that may appear consecutively. If the parameter is set to 0, the check is disabled. - -.SH USAGE -After the module is enabled, the OpenLDAP server will invoke the password checker module on every user password change, the new user password must pass all quality checks before it is accepted. If the new password does not pass quality checks, the detailed reason will be logged on the OpenLDAP server, and the client will receive a Constraint Violation and a generic error message "Password fails quality checking policy" \- the lack of details is by design. - -If the password change is carried out by RootDN, password checker module will not enforce the quality checks, and any password is acceptable. 
- -.SH FILES -.TP -/etc/openldap/check_password.conf -Define the password strength policy. -.SH SEE ALSO -.BR slapd.conf (5), -.BR slapd\-config (5), -.BR slapd (8), -.BR slapo\-ppolicy (5) - -.SH ACKNOWLEDGEMENTS -.P -The module was originally authored by LTB-project (ltb\-project.org), and further maintained by Onyx Point (onyxpoint.com). diff --git a/ppolicy-check-password.Makefile b/ppolicy-check-password.Makefile deleted file mode 100644 index afdfd3f..0000000 --- a/ppolicy-check-password.Makefile +++ /dev/null @@ -1,43 +0,0 @@ -LDAP_SRC = ../../.. -LDAP_BUILD = $(LDAP_SRC) -LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd -LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ - $(LDAP_BUILD)/libraries/liblber/liblber.la - -LIBTOOL = $(LDAP_BUILD)/libtool -CC = gcc -OPT = -g -O2 -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -lcrack -INCS = $(LDAP_INC) -LIBS = $(LDAP_LIB) - -PROGRAMS = ppolicy-check-password.la -LTVER = 0:0:0 - -prefix=/usr/local -exec_prefix=$(prefix) -ldap_subdir=/openldap - -libdir=$(exec_prefix)/lib64 -libexecdir=$(exec_prefix)/libexec -moduledir=$(libdir)$(ldap_subdir) - -.SUFFIXES: .c .o .lo - -.c.lo: - $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< - -all: $(PROGRAMS) - -ppolicy-check-password.la: check_password.lo - $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ - -rpath $(moduledir) -module -o $@ $? $(LIBS) - -clean: - rm -rf *.o *.lo *.la .libs - -install: $(PROGRAMS) - mkdir -p $(DESTDIR)$(moduledir) - for p in $(PROGRAMS) ; do \ - $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ - done - diff --git a/ppolicy-check-password.conf b/ppolicy-check-password.conf deleted file mode 100644 index 26786c5..0000000 --- a/ppolicy-check-password.conf +++ /dev/null 
@@ -1,7 +0,0 @@ -use_cracklib 1 -min_points 3 -min_upper 0 -min_lower 0 -min_digit 0 -min_punct 0 -max_consecutive_per_class 5 From 02d24c9d35ffef58c5a2c3fbce2c3faf74c41e1b9eb09f0be8611e2f2f9a8a52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Str=C3=B6der?= Date: Fri, 27 Aug 2021 13:57:23 +0000 Subject: [PATCH 2/2] Accepting request 914625 from home:phiwag:branches:network:ldap Updated the changelog to mention removed patches, which is required for to pass the factory submission bot. OBS-URL: https://build.opensuse.org/request/show/914625 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=291 --- openldap2.changes | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/openldap2.changes b/openldap2.changes index 8964c84..f540faf 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -29,11 +29,14 @@ Fri Jul 30 13:30:05 UTC 2021 - Philipp Wagner See https://www.openldap.org/software/release/announce.html for a list of changes. - The threaded version of the OpenLDAP libraries, libldap_r, has been merged - with libldap with 2.5. Removed all related downstream changes. + with libldap with 2.5. Removed all related downstream changes, including the + openldap-r-only.dif patch. Introduce a new compatibility symlink in the other direction: libldap_r pointing to libldap. - Removed the ppolicy-check-password module. It is unmaintained and does not - build any more. + build any more. As part of that also remove the patch + patch 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch, which + is applied to this module. - Removed patch 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch Fixed upstream in 2.5 (ITS#8866) - Updated patch 0005-pie-compile.dif