diff --git a/openldap-2.3.37-liblber-length-decoding.dif b/openldap-2.3.37-liblber-length-decoding.dif new file mode 100644 index 0000000..9d21493 --- /dev/null +++ b/openldap-2.3.37-liblber-length-decoding.dif 
@@ -0,0 +1,93 @@ +Index: libraries/liblber/io.c +=================================================================== +--- libraries/liblber/io.c.orig ++++ libraries/liblber/io.c +@@ -495,14 +495,18 @@ ber_get_next( + } + + while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr < +- (char *)&ber->ber_len + LENSIZE*2 -1) { ++ (char *)&ber->ber_len + LENSIZE*2) { + ber_slen_t sblen; + char buf[sizeof(ber->ber_len)-1]; + ber_len_t tlen = 0; + ++ /* The tag & len can be at most 9 bytes; we try to read up to 8 here */ + sock_errset(0); +- sblen=ber_int_sb_read( sb, ber->ber_rwptr, +- ((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr); ++ sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr; ++ /* Trying to read the last len byte of a 9 byte tag+len */ ++ if (sblen<1) ++ sblen = 1; ++ sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen ); + if (sblen<=0) return LBER_DEFAULT; + ber->ber_rwptr += sblen; + +@@ -552,7 +556,7 @@ ber_get_next( + int i; + unsigned char *p = (unsigned char *)ber->ber_ptr; + int llen = *p++ & 0x7f; +- if (llen > (int)sizeof(ber_len_t)) { ++ if (llen > LENSIZE) { + sock_errset(ERANGE); + return LBER_DEFAULT; + } +Index: libraries/libldap/result.c +=================================================================== +--- libraries/libldap/result.c.orig ++++ libraries/libldap/result.c +@@ -296,18 +296,20 @@ + #endif + + if ( !lc_ready ) { ++ int err; + rc = ldap_int_select( ld, tvp ); +-#ifdef LDAP_DEBUG + if ( rc == -1 ) { ++ err = sock_errno(); ++#ifdef LDAP_DEBUG + Debug( LDAP_DEBUG_TRACE, + "ldap_int_select returned -1: errno %d\n", +- sock_errno(), 0, 0 ); +- } ++ err, 0, 0 ); + #endif ++ } + + if ( rc == 0 || ( rc == -1 && ( + !LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_RESTART) +- || sock_errno() != EINTR ))) ++ || err != EINTR ))) + { + ld->ld_errno = (rc == -1 ? 
LDAP_SERVER_DOWN : + LDAP_TIMEOUT); +@@ -410,7 +412,7 @@ + LDAPRequest *lr, *tmplr; + LDAPConn *lc; + BerElement tmpber; +- int rc, refer_cnt, hadref, simple_request; ++ int rc, refer_cnt, hadref, simple_request, err; + ber_int_t lderr; + + #ifdef LDAP_CONNECTIONLESS +@@ -469,15 +471,16 @@ + } + if ( tag != LDAP_TAG_MESSAGE ) { + if ( tag == LBER_DEFAULT) { ++ err = sock_errno(); + #ifdef LDAP_DEBUG + Debug( LDAP_DEBUG_CONNS, + "ber_get_next failed.\n", 0, 0, 0 ); +-#endif ++#endif + #ifdef EWOULDBLOCK +- if ( sock_errno() == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING; ++ if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING; + #endif + #ifdef EAGAIN +- if ( sock_errno() == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING; ++ if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING; + #endif + ld->ld_errno = LDAP_SERVER_DOWN; + return -1; diff --git a/openldap-2.3.37-libldap-gethostbyname_r.dif b/openldap-2.3.37-libldap-gethostbyname_r.dif new file mode 100644 index 0000000..a653681 --- /dev/null +++ b/openldap-2.3.37-libldap-gethostbyname_r.dif @@ -0,0 +1,20 @@ +--- libraries/libldap/util-int.c 2005/08/23 16:07:09 1.1 ++++ libraries/libldap/util-int.c 2005/08/23 16:16:03 +@@ -52,7 +52,7 @@ + #ifndef LDAP_R_COMPILE + # undef HAVE_REENTRANT_FUNCTIONS + # undef HAVE_CTIME_R +-# undef HAVE_GETHOSTBYNAME_R ++/* # undef HAVE_GETHOSTBYNAME_R */ + # undef HAVE_GETHOSTBYADDR_R + + #else +@@ -110,7 +110,7 @@ + #define BUFSTART (1024-32) + #define BUFMAX (32*1024-32) + +-#if defined(LDAP_R_COMPILE) ++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) + static char *safe_realloc( char **buf, int len ); + + #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) diff --git a/openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif b/openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif new file mode 100644 index 0000000..2e455a4 --- /dev/null +++ b/openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif 
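Review bot: In the first libraries/libldap/result.c hunk, `int err;` has no initializer and is assigned only inside `if ( rc == -1 )`, so the later `err != EINTR` test is safe only because `rc == -1 &&` short-circuits in front of it. Declare it as `int err = 0;` so that a later edit to that condition cannot read an indeterminate value; the same applies to the `err` added to the declaration list in the `@@ -410,7 +412,7 @@` hunk. Saving sock_errno() before the Debug() call looks deliberate, presumably so the logging path cannot overwrite it, and a comment such as `/* save the socket error before Debug() can disturb it */` would record that. Both enclosing functions start and end outside the hunks.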
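Review bot: The `@@ -52,7 +52,7 @@` hunk of libraries/libldap/util-int.c turns `# undef HAVE_GETHOSTBYNAME_R` into a commented-out directive, which leaves dead code behind and gives no reason for the change. Replace it with an explanatory comment, e.g. `/* HAVE_GETHOSTBYNAME_R is kept: non-threaded builds use the reentrant resolver call too */`. HAVE_GETHOSTBYADDR_R is still undefined on the following line, so in a build without LDAP_R_COMPILE the `#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))` block at the end of the second hunk is now compiled as well. Its contents are outside the hunk, so confirm that nothing in it depends on the thread library.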
@@ -0,0 +1,23 @@ +Index: libraries/libldap/request.c +=================================================================== +--- libraries/libldap/request.c.orig ++++ libraries/libldap/request.c +@@ -601,6 +601,9 @@ ldap_free_connection( LDAP *ld, LDAPConn + } else { + prevlc->lconn_next = tmplc->lconn_next; + } ++ if ( ld->ld_defconn == lc ) { ++ ld->ld_defconn = NULL; ++ } + break; + } + prevlc = tmplc; +@@ -631,6 +634,8 @@ ldap_free_connection( LDAP *ld, LDAPConn + } + if ( lc->lconn_sb != ld->ld_sb ) { + ber_sockbuf_free( lc->lconn_sb ); ++ } else { ++ ber_int_sb_close( lc->lconn_sb ); + } + if ( lc->lconn_rebind_queue != NULL) { + int i; diff --git a/openldap-2.3.37-libldap-ldapi_url.dif b/openldap-2.3.37-libldap-ldapi_url.dif new file mode 100644 index 0000000..b8eb3f9 --- /dev/null +++ b/openldap-2.3.37-libldap-ldapi_url.dif @@ -0,0 +1,11 @@ +--- include/ldap_defaults.h 2004/04/14 14:13:27 1.1 ++++ include/ldap_defaults.h 2004/04/14 14:14:01 +@@ -39,7 +39,7 @@ + #define LDAP_ENV_PREFIX "LDAP" + + /* default ldapi:// socket */ +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi" + + /* + * SLAPD DEFINITIONS diff --git a/openldap-2.3.37-libldap-ntlm.diff b/openldap-2.3.37-libldap-ntlm.diff new file mode 100644 index 0000000..15dc01e --- /dev/null +++ b/openldap-2.3.37-libldap-ntlm.diff 
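Review bot: The new `else` branch in ldap_free_connection (libraries/libldap/request.c) calls `ber_int_sb_close( lc->lconn_sb )` on the sockbuf that is also `ld->ld_sb`, and nothing in the hunk says why it is closed rather than freed or what state `ld->ld_sb` is left in for later callers. A comment such as `/* lconn_sb is the handle's own ld_sb: close the socket but keep the sockbuf for ld */` would record the ownership rule. The `ld->ld_defconn = NULL` reset sits inside the list-unlink branch, so it runs only when `lc` is found on the connection list; whether ld_defconn can point at a connection that is freed without being on that list cannot be told from here. The function starts and ends outside both hunks.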
@@ -0,0 +1,195 @@ +Index: include/ldap.h +=================================================================== +--- include/ldap.h.orig ++++ include/ldap.h +@@ -2118,5 +2118,26 @@ LDAP_F( const char * ) + ldap_passwordpolicy_err2txt LDAP_P(( LDAPPasswordPolicyError )); + #endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */ + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +Index: libraries/libldap/Makefile.in +=================================================================== +--- libraries/libldap/Makefile.in.orig ++++ libraries/libldap/Makefile.in +@@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest + SRCS = bind.c open.c result.c error.c compare.c search.c \ + controls.c messages.c references.c extended.c cyrus.c \ + modify.c add.c modrdn.c delete.c abandon.c \ +- sasl.c sbind.c kbind.c unbind.c cancel.c \ ++ sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ + filter.c free.c sort.c passwd.c whoami.c \ + getdn.c getentry.c getattr.c getvalues.c addentry.c \ + request.c os-ip.c url.c sortctrl.c vlvctrl.c \ +@@ -31,7 +31,7 @@ SRCS = bind.c open.c result.c error.c co + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ + controls.lo messages.lo references.lo extended.lo cyrus.lo \ + modify.lo add.lo modrdn.lo delete.lo abandon.lo \ +- sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ ++ sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ + filter.lo free.lo sort.lo passwd.lo whoami.lo \ + getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ + request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ +Index: 
libraries/libldap/ntlm.c +=================================================================== +--- /dev/null ++++ libraries/libldap/ntlm.c +@@ -0,0 +1,137 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ 
ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} diff --git a/openldap-2.3.37-libldap-sasl-max-buff-size.dif b/openldap-2.3.37-libldap-sasl-max-buff-size.dif new file mode 100644 index 0000000..5b3be38 --- /dev/null +++ b/openldap-2.3.37-libldap-sasl-max-buff-size.dif @@ -0,0 +1,17 @@ +Index: libraries/libldap/cyrus.c +=================================================================== +RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/cyrus.c,v +retrieving revision 1.139 +retrieving revision 1.140 +diff -u -r1.139 -r1.140 +--- libraries/libldap/cyrus.c 2 Jan 2007 19:00:58 -0000 1.139 ++++ libraries/libldap/cyrus.c 23 Apr 2007 12:21:48 -0000 1.140 +@@ -208,7 +208,7 @@ + | buf[2] << 8 + | buf[3]; + +- if ( size > SASL_MAX_BUFF_SIZE ) { ++ if ( size >= SASL_MAX_BUFF_SIZE ) { + /* somebody is trying to mess me up. */ + ber_log_printf( LDAP_DEBUG_ANY, debuglevel, + "sb_sasl_pkt_length: received illegal packet length " diff --git a/openldap-2.3.37-libldap-ssl.dif b/openldap-2.3.37-libldap-ssl.dif new file mode 100644 index 0000000..c7d371c --- /dev/null 
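Review bot: In ldap_ntlm_bind (libraries/libldap/ntlm.c) the result of the first `ber_printf( ber, "{it{istON}" ... )` is stored in `rc` and never tested, so an encoding failure carries on into ldap_int_put_controls and the send with a partly built request. Test `rc` directly after the call, in the same way the closing `ber_printf( ber, "N}" )` is already tested. In ldap_parse_ntlm_bind_result, `challenge` reaches ber_scanf without a NULL check, and the `o` conversion presumably fills it with allocated memory that the caller has to release; the prototype in include/ldap.h documents neither.
```c
	/* … unchanged: rc = ber_printf( ber, "{it{istON}" … ) … */
	if ( rc == -1 ) {
		ld->ld_errno = LDAP_ENCODING_ERROR;
		ber_free( ber, 1 );
		return ld->ld_errno;
	}
	/* … unchanged: server controls, closing "N}", send … */
```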
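Review bot: The bound in libraries/libldap/cyrus.c is now `size >= SASL_MAX_BUFF_SIZE`, but the comment under it still only reads "somebody is trying to mess me up" and does not say which buffer the limit protects or why a length equal to the maximum must be refused. Add a line such as `/* the peer-supplied length must stay strictly below the receive buffer size */`, adjusted to the real invariant. The declarations of `size` and `buf` are outside the hunk; if either is a signed type, the shift-and-or assembly visible above the check can yield a negative value that passes this comparison, so confirm both are unsigned.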
+++ b/openldap-2.3.37-libldap-ssl.dif @@ -0,0 +1,15 @@ +Index: libraries/libldap/tls.c +=================================================================== +--- libraries/libldap/tls.c 2013-11-12 17:09:55.284965672 +0100 ++++ libraries/libldap/tls.c 2013-11-12 17:10:22.829163042 +0100 +@@ -918,10 +918,6 @@ + { + /* If peer cert was bad, treat as if no cert was given */ + if (SSL_get_verify_result(s)) { +- /* If we can send an alert, do so */ +- if (SSL_version(s) != SSL2_VERSION) { +- ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE); +- } + return NULL; + } + return SSL_get_peer_certificate(s); diff --git a/openldap-2.3.37-libldap-suid.diff b/openldap-2.3.37-libldap-suid.diff new file mode 100644 index 0000000..13368a1 --- /dev/null +++ b/openldap-2.3.37-libldap-suid.diff @@ -0,0 +1,18 @@ +Index: libraries/libldap/init.c +=================================================================== +--- libraries/libldap/init.c.orig ++++ libraries/libldap/init.c +@@ -579,6 +579,7 @@ void ldap_int_initialize( struct ldapopt + #endif + + openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); ++ if( getuid() == geteuid() ){ + openldap_ldap_init_w_userconf(LDAP_USERRC_FILE); + + { +@@ -608,4 +609,5 @@ void ldap_int_initialize( struct ldapopt + } + + openldap_ldap_init_w_env(gopts, NULL); ++ } + } diff --git a/openldap-2.3.37-libldap-tls_chkhost-its6239.dif b/openldap-2.3.37-libldap-tls_chkhost-its6239.dif new file mode 100644 index 0000000..abac817 --- /dev/null +++ b/openldap-2.3.37-libldap-tls_chkhost-its6239.dif 
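Review bot: The guard added to ldap_int_initialize in libraries/libldap/init.c compares only `getuid() == geteuid()`, so a set-group-ID program still loads the invoking user's rc file and the LDAP environment settings. Test the group IDs as well: `if ( getuid() == geteuid() && getgid() == getegid() ) {`. The guarded statements are not re-indented and the closing brace is added in a separate hunk far below, so mark it, e.g. `} /* end: not running setuid/setgid */`. The function body starts outside the first hunk.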
@@ -0,0 +1,121 @@ +Index: openldap-2.3.32/libraries/libldap/tls.c +=================================================================== +--- openldap-2.3.32.orig/libraries/libldap/tls.c ++++ openldap-2.3.32/libraries/libldap/tls.c +@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + X509 *x; + const char *name; + char *ptr; +- int ntype = IS_DNS; ++ int ntype = IS_DNS, nlen; + #ifdef LDAP_PF_INET6 + struct in6_addr addr; + #else +@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + } else { + name = name_in; + } ++ nlen = strlen(name); + + x = tls_get_cert((SSL *)s); + if (!x) { +@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + ex = X509_get_ext(x, i); + alt = X509V3_EXT_d2i(ex); + if (alt) { +- int n, len1 = 0, len2 = 0; ++ int n, len2 = 0; + char *domain = NULL; + GENERAL_NAME *gn; + + if (ntype == IS_DNS) { +- len1 = strlen(name); + domain = strchr(name, '.'); + if (domain) { +- len2 = len1 - (domain-name); ++ len2 = nlen - (domain-name); + } + } + n = sk_GENERAL_NAME_num(alt); +@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + if (sl == 0) continue; + + /* Is this an exact match? 
*/ +- if ((len1 == sl) && !strncasecmp(name, sn, len1)) { ++ if ((nlen == sl) && !strncasecmp(name, sn, nlen)) { + break; + } + +@@ -1094,13 +1094,27 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + + if (ret != LDAP_SUCCESS) { + X509_NAME *xn; +- char buf[2048]; +- buf[0] = '\0'; ++ X509_NAME_ENTRY *ne; ++ ASN1_OBJECT *obj; ++ ASN1_STRING *cn = NULL; ++ int navas; ++ ++ /* find the last CN */ ++ obj = OBJ_nid2obj( NID_commonName ); ++ if ( !obj ) goto no_cn; /* should never happen */ + + xn = X509_get_subject_name(x); +- if( X509_NAME_get_text_by_NID( xn, NID_commonName, +- buf, sizeof(buf)) == -1) +- { ++ navas = X509_NAME_entry_count( xn ); ++ for ( i=navas-1; i>=0; i-- ) { ++ ne = X509_NAME_get_entry( xn, i ); ++ if ( !OBJ_cmp( ne->object, obj )) { ++ cn = X509_NAME_ENTRY_get_data( ne ); ++ break; ++ } ++ } ++ ++ if( !cn ){ ++no_cn: + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get common name from peer certificate.\n", + 0, 0, 0 ); +@@ -1111,21 +1125,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + ld->ld_error = LDAP_STRDUP( + _("TLS: unable to get CN from peer certificate")); + +- } else if (strcasecmp(name, buf) == 0 ) { ++ } else if ( cn->length == nlen && ++ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) { + ret = LDAP_SUCCESS; + +- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) { ++ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) { + char *domain = strchr(name, '.'); + if( domain ) { +- size_t dlen = 0; +- size_t sl; ++ size_t dlen; + +- sl = strlen(name); +- dlen = sl - (domain-name); +- sl = strlen(buf); ++ dlen = nlen - (domain-name); + + /* Is this a wildcard match? 
*/ +- if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) { ++ if ((dlen == cn->length-1) && ++ !strncasecmp(domain, (char *) &cn->data[1], dlen)) { + ret = LDAP_SUCCESS; + } + } +@@ -1133,8 +1146,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v + + if( ret == LDAP_LOCAL_ERROR ) { + Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " +- "common name in certificate (%s).\n", +- name, buf, 0 ); ++ "common name in certificate (%.*s).\n", ++ name, cn->length, cn->data ); + ret = LDAP_CONNECT_ERROR; + if ( ld->ld_error ) { + LDAP_FREE( ld->ld_error ); diff --git a/openldap-2.3.37-libldap-utf8-ADcanonical.dif b/openldap-2.3.37-libldap-utf8-ADcanonical.dif new file mode 100644 index 0000000..8fa03f4 --- /dev/null +++ b/openldap-2.3.37-libldap-utf8-ADcanonical.dif 
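Review bot: In the rewritten CN comparison of ldap_pvt_tls_check_hostname (libraries/libldap/tls.c), the wildcard test `( cn->data[0] == '*' ) && ( cn->data[1] == '.' )` reads two bytes without consulting `cn->length`, so an empty or one-byte commonName is read beyond its stated length. Put the length into the test: `} else if (( cn->length >= 2 ) && ( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {`. The final Debug call also dereferences `cn->length` and `cn->data`; that is safe only if the `no_cn` path can never leave `ret == LDAP_LOCAL_ERROR`, which depends on lines outside the hunk. The function starts and ends outside the hunks.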
@@ -0,0 +1,107 @@ +Index: libraries/libldap/getdn.c +=================================================================== +--- libraries/libldap/getdn.c.orig ++++ libraries/libldap/getdn.c +@@ -2377,12 +2377,12 @@ strval2DCEstr( struct berval *val, char + + /* + * Length of the (supposedly) AD canonical string representation, +- * accounting for escaped hex of UTF-8 chars ++ * accounting for chars that need to be escaped + */ + static int + strval2ADstrlen( struct berval *val, unsigned flags, ber_len_t *len ) + { +- ber_len_t l; ++ ber_len_t l, cl; + char *p; + + assert( val != NULL ); +@@ -2393,37 +2393,31 @@ strval2ADstrlen( struct berval *val, uns + return( 0 ); + } + +- if ( flags & LDAP_AVA_NONPRINTABLE ) { +- /* +- * FIXME: Turn the value into a binary encoded BER? +- */ +- return( -1 ); +- +- } else { +- for ( l = 0, p = val->bv_val; p[ 0 ]; p++ ) { +- if ( LDAP_DN_NEEDESCAPE_AD( p[ 0 ] ) ) { +- l += 2; +- +- } else { +- l++; +- } ++ for ( l = 0, p = val->bv_val; p[ 0 ]; p += cl ) { ++ cl = LDAP_UTF8_CHARLEN2( p, cl ); ++ if ( cl == 0 ) { ++ /* illegal utf-8 char */ ++ return -1; ++ } else if ( (cl == 1) && LDAP_DN_NEEDESCAPE_AD( p[ 0 ] ) ) { ++ l += 2; ++ } else { ++ l += cl; + } + } + + *len = l; +- ++ + return( 0 ); + } + + /* +- * convert to (supposedly) AD string representation, +- * escaping with hex the UTF-8 stuff; ++ * convert to (supposedly) AD string representation, + * assume the destination has enough room for escaping + */ + static int + strval2ADstr( struct berval *val, char *str, unsigned flags, ber_len_t *len ) + { +- ber_len_t s, d; ++ ber_len_t s, d, cl; + + assert( val != NULL ); + assert( str != NULL ); +@@ -2434,24 +2428,20 @@ strval2ADstr( struct berval *val, char * + return( 0 ); + } + +- if ( flags & LDAP_AVA_NONPRINTABLE ) { +- /* +- * FIXME: Turn the value into a binary encoded BER? 
+- */ +- *len = 0; +- return( -1 ); +- +- } else { +- +- /* +- * we assume the string has enough room for the hex encoding +- * of the value +- */ ++ /* ++ * we assume the string has enough room for the escaping ++ * of the value ++ */ + +- for ( s = 0, d = 0; s < val->bv_len; ) { +- if ( LDAP_DN_NEEDESCAPE_AD( val->bv_val[ s ] ) ) { +- str[ d++ ] = '\\'; +- } ++ for ( s = 0, d = 0; s < val->bv_len; ) { ++ cl = LDAP_UTF8_CHARLEN2( val->bv_val+s, cl ); ++ if ( cl == 0 ) { ++ /* illegal utf-8 char */ ++ return -1; ++ } else if ( (cl == 1) && LDAP_DN_NEEDESCAPE_AD(val->bv_val[ s ]) ) { ++ str[ d++ ] = '\\'; ++ } ++ for (; cl--;) { + str[ d++ ] = val->bv_val[ s++ ]; + } + } diff --git a/openldap-rc.tgz b/openldap-rc.tgz index 1ca111d..3ff5191 100644 --- a/openldap-rc.tgz +++ b/openldap-rc.tgz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c8c4eb50b6ab04db5b01e3fa1f37d537b2415d5676560a4d6b435e360f84ebac -size 4765 +oid sha256:21d21950b2c2dde8601ef4d28a0acd154852d7ec4938400bebddd4da7510a970 +size 4034 diff --git a/openldap2-client.changes b/openldap2-client.changes index ff2a70c..5cc8a30 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes 
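Review bot: In strval2ADstr (libraries/libldap/getdn.c) the copy loop `for (; cl--;)` trusts the character length returned by LDAP_UTF8_CHARLEN2 and never compares it with the bytes left in the value, so unless that macro (defined outside the hunk) rules it out, a value ending in the middle of a multi-byte sequence is read past `val->bv_len`. Reject that case up front with `if ( cl == 0 || cl > val->bv_len - s ) {`. strval2ADstrlen has the same exposure in `p += cl`, which can step over the terminating NUL, and it walks to the NUL while strval2ADstr walks to `bv_len`, so the two can disagree on the size for a value with an embedded NUL. The error return in strval2ADstr also no longer sets `*len = 0` as the removed branch did.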
@@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Tue Feb 11 08:49:43 UTC 2014 - varkoly@suse.com + +- Add systemd style service definition +- FATE#315028 remove memory limit for slapd +- FATE#315415: LDAP compat packages required for older SLES versions + For this reson following patches were applied: + openldap-2.3.37-libldap-suid.diff + openldap-2.3.37-libldap-ldapi_url.dif + openldap-2.3.37-libldap-ntlm.diff + openldap-2.3.37-libldap-gethostbyname_r.dif + openldap-2.3.37-libldap-sasl-max-buff-size.dif + openldap-2.3.37-libldap-utf8-ADcanonical.dif + openldap-2.3.37-liblber-length-decoding.dif + openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif + openldap-2.3.37-libldap-tls_chkhost-its6239.dif + openldap-2.3.37-libldap-ssl.dif + ------------------------------------------------------------------- Wed Dec 11 13:29:51 UTC 2013 - matz@suse.de diff --git a/openldap2-client.spec b/openldap2-client.spec index c63da99..290160b 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,7 +1,7 @@ # # spec file for package openldap2-client # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,6 +17,7 @@ %define run_test_suite 0 +%define version_main 2.4.38 Name: openldap2-client Summary: The OpenLDAP commandline client tools @@ -44,7 +45,7 @@ BuildRequires: -libdb-4_8-devel BuildRequires: libdb-4_5-devel %endif Conflicts: openldap -Requires: libldap-2_4-2 = %{version} +Requires: libldap-2_4-2 = %{version_main} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep %else %if 0%{?suse_version} >= 1140 
@@ -52,9 +53,10 @@ PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/group BuildRequires: krb5-mini %endif Conflicts: openldap-client -Requires: libldap-2_4-2 = %{version} +Requires: libldap-2_4-2 = %{version_main} +Requires: systemd %endif -Source: openldap-%{version}.tgz +Source: openldap-%{version_main}.tgz Source1: openldap-rc.tgz Source2: addonschema.tar.gz Source3: DB_CONFIG @@ -71,6 +73,16 @@ Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch100: openldap-2.3.37.dif +Patch101: openldap-2.3.37-libldap-suid.diff +Patch102: openldap-2.3.37-libldap-ldapi_url.dif +Patch103: openldap-2.3.37-libldap-ntlm.diff +Patch104: openldap-2.3.37-libldap-gethostbyname_r.dif +Patch105: openldap-2.3.37-libldap-sasl-max-buff-size.dif +Patch106: openldap-2.3.37-libldap-utf8-ADcanonical.dif +Patch107: openldap-2.3.37-liblber-length-decoding.dif +Patch108: openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif +Patch109: openldap-2.3.37-libldap-tls_chkhost-its6239.dif +Patch110: openldap-2.3.37-libldap-ssl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %if "%{name}" == "openldap2" @@ -82,8 +94,9 @@ service that has an X.500 back-end. %package -n openldap2-back-perl Summary: OpenLDAP Perl Back-End +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Servers -Requires: openldap2 = %{version} +Requires: openldap2 = %{version_main} Requires: perl = %{perl_version} %description -n openldap2-back-perl @@ -92,8 +105,9 @@ different LDAP operations. %package -n openldap2-back-meta Summary: OpenLDAP Meta Back-End +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Servers -Requires: openldap2 = %{version} +Requires: openldap2 = %{version_main} Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz %description -n openldap2-back-meta 
@@ -104,8 +118,9 @@ Information Tree (DIT). %package -n openldap2-back-sql Summary: OpenLDAP SQL Back-End +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Servers -Requires: openldap2 = %{version} +Requires: openldap2 = %{version_main} %description -n openldap2-back-sql The primary purpose of this OpenLDAP backend is to present information @@ -114,6 +129,7 @@ to do any programming. %package -n openldap2-doc Summary: OpenLDAP Documentation +License: OLDAP-2.8 Group: Documentation/Other Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README %if 0%{?suse_version} > 1110 @@ -123,6 +139,22 @@ BuildArch: noarch %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts +%package -n compat-libldap-2_3-0 +Summary: OpenLDAP Client Libraries +License: BSD-3-Clause and OLDAP-2.8 and OLDAP-2.8 +Group: Productivity/Networking/LDAP/Clients +Version: 2.3.37 +Release: 2. + +%description -n compat-libldap-2_3-0 +This package contains the OpenLDAP client libraries. + + + +Authors: +-------- + The OpenLDAP Project + %else %description @@ -130,6 +162,7 @@ This package contains the OpenLDAP client utilities. %package -n openldap2-devel Summary: Libraries, Header Files and Documentation for OpenLDAP +License: OLDAP-2.8 Group: Development/Libraries/C and C++ # bug437293 %ifarch ppc64 @@ -137,7 +170,7 @@ Obsoletes: openldap2-devel-64bit %endif # Conflicts: openldap-devel -Requires: libldap-2_4-2 = %{version} +Requires: libldap-2_4-2 = %{version_main} %description -n openldap2-devel This package provides the OpenLDAP libraries, header files, and @@ -145,6 +178,7 @@ documentation. %package -n openldap2-devel-static Summary: Static libraries for the OpenLDAP libraries +License: OLDAP-2.8 Group: Development/Libraries/C and C++ Requires: openldap2-devel = %version %if %sles_version == 10 
@@ -160,6 +194,7 @@ for development. %package -n libldap-2_4-2 Summary: OpenLDAP Client Libraries +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Clients %description -n libldap-2_4-2 @@ -168,7 +203,7 @@ This package contains the OpenLDAP client libraries. %endif %prep -%setup -q -n openldap-%{version} -a1 -a2 -b100 +%setup -q -n openldap-%{version_main} -a1 -a2 -b100 %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -180,6 +215,16 @@ cp %{SOURCE5} . cp %{SOURCE6} . cd ../openldap-2.3.37 %patch100 +%patch101 +%patch102 +%patch103 +%patch104 +%patch105 +%patch106 +%patch107 +%patch108 +%patch109 -p1 +%patch110 %build %{?suse_update_config:%{suse_update_config -f build}} @@ -222,7 +267,7 @@ export STRIP="" make depend make %{?jobs:-j%jobs} %if "%{name}" == "openldap2" -%if %suse_version < 1130 +#%if %suse_version < 1130 # build a static slapcat binary from the OpenLDAP 2.3 release # to be able to update existing databases cd ../openldap-2.3.37 @@ -230,18 +275,18 @@ cd ../openldap-2.3.37 libtoolize --force #aclocal -I build autoreconf -export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED" +export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS" ./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc \ --localstatedir=/var/run/slapd --libexecdir=/usr/lib/openldap \ --libdir=%{_libdir} --mandir=%{_mandir} --enable-aci \ --enable-hdb --enable-bdb --enable-ldbm --enable-crypt \ --enable-ipv6=no \ --enable-ldap --enable-monitor --enable-meta --enable-rewrite \ - --enable-dynamic=no --enable-shared=no + --enable-dynamic=no --enable-shared=yes make depend -make %{?jobs:-j%jobs} +make -C libraries %{?jobs:-j%jobs} -%endif +#%endif %endif %check 
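Review bot: In the `@@ -222,7 +267,7 @@` and `@@ -230,18 +275,18 @@` hunks of openldap2-client.spec the conditional is disabled by writing `#%if %suse_version < 1130` and `#%endif`; rpm still expands macros on comment lines, and the section comment "build a static slapcat binary" now describes something the new `make -C libraries` no longer builds. Delete the two marker lines and reword the comment, e.g. `# build the OpenLDAP 2.3 client libraries for compat-libldap-2_3-0`. The later install hunk still shows `install -m 755 ../openldap-2.3.37/servers/slapd/slapcat` in its context, so if that step can still run on some target it would presumably find no binary; its guarding condition is outside the hunk. The same edits recur in the second spec diff lower on the page.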
@@ -270,11 +315,12 @@ make SLAPD_DEBUG=0 test %endif %install -mkdir -p $RPM_BUILD_ROOT/etc/init.d +mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/ mkdir -p $RPM_BUILD_ROOT/usr/sbin +mkdir -p $RPM_BUILD_ROOT/usr/lib/systemd/system make STRIP="" DESTDIR=$RPM_BUILD_ROOT install -install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap -ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap +install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start +install -m 644 slapd.service $RPM_BUILD_ROOT/usr/lib/systemd/system mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf @@ -319,6 +365,10 @@ mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples # install 2.3 slapcat install -m 755 ../openldap-2.3.37/servers/slapd/slapcat $RPM_BUILD_ROOT/usr/sbin/openldap-2.3-slapcat %endif +# install sle-10 compat libraries +pushd ../openldap-2.3.37/libraries +make DESTDIR=$RPM_BUILD_ROOT install +popd %endif rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5 @@ -334,21 +384,19 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la #put filelists into files cat >openldap2.filelist <openldap2.filelist <>openldap2.filelist < compat-libldap.filelist < openldap2-client.filelist < openldap2-client.filelist < libldap.filelist < openldap2-devel.filelist <= 1140 @@ -52,9 +53,10 @@ PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/group BuildRequires: krb5-mini %endif Conflicts: openldap-client -Requires: libldap-2_4-2 = %{version} +Requires: libldap-2_4-2 = %{version_main} +Requires: systemd %endif -Source: openldap-%{version}.tgz +Source: openldap-%{version_main}.tgz Source1: openldap-rc.tgz Source2: addonschema.tar.gz Source3: DB_CONFIG 
@@ -71,6 +73,16 @@ Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch100: openldap-2.3.37.dif +Patch101: openldap-2.3.37-libldap-suid.diff +Patch102: openldap-2.3.37-libldap-ldapi_url.dif +Patch103: openldap-2.3.37-libldap-ntlm.diff +Patch104: openldap-2.3.37-libldap-gethostbyname_r.dif +Patch105: openldap-2.3.37-libldap-sasl-max-buff-size.dif +Patch106: openldap-2.3.37-libldap-utf8-ADcanonical.dif +Patch107: openldap-2.3.37-liblber-length-decoding.dif +Patch108: openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif +Patch109: openldap-2.3.37-libldap-tls_chkhost-its6239.dif +Patch110: openldap-2.3.37-libldap-ssl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %if "%{name}" == "openldap2" @@ -82,8 +94,9 @@ service that has an X.500 back-end. %package -n openldap2-back-perl Summary: OpenLDAP Perl Back-End +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Servers -Requires: openldap2 = %{version} +Requires: openldap2 = %{version_main} Requires: perl = %{perl_version} %description -n openldap2-back-perl @@ -92,8 +105,9 @@ different LDAP operations. %package -n openldap2-back-meta Summary: OpenLDAP Meta Back-End +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Servers -Requires: openldap2 = %{version} +Requires: openldap2 = %{version_main} Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz %description -n openldap2-back-meta @@ -104,8 +118,9 @@ Information Tree (DIT). %package -n openldap2-back-sql Summary: OpenLDAP SQL Back-End +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Servers -Requires: openldap2 = %{version} +Requires: openldap2 = %{version_main} %description -n openldap2-back-sql The primary purpose of this OpenLDAP backend is to present information 
@@ -114,6 +129,7 @@ to do any programming. %package -n openldap2-doc Summary: OpenLDAP Documentation +License: OLDAP-2.8 Group: Documentation/Other Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README %if 0%{?suse_version} > 1110 @@ -123,6 +139,22 @@ BuildArch: noarch %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts +%package -n compat-libldap-2_3-0 +Summary: OpenLDAP Client Libraries +License: BSD-3-Clause and OLDAP-2.8 and OLDAP-2.8 +Group: Productivity/Networking/LDAP/Clients +Version: 2.3.37 +Release: 2. + +%description -n compat-libldap-2_3-0 +This package contains the OpenLDAP client libraries. + + + +Authors: +-------- + The OpenLDAP Project + %else %description @@ -130,6 +162,7 @@ This package contains the OpenLDAP client utilities. %package -n openldap2-devel Summary: Libraries, Header Files and Documentation for OpenLDAP +License: OLDAP-2.8 Group: Development/Libraries/C and C++ # bug437293 %ifarch ppc64 @@ -137,7 +170,7 @@ Obsoletes: openldap2-devel-64bit %endif # Conflicts: openldap-devel -Requires: libldap-2_4-2 = %{version} +Requires: libldap-2_4-2 = %{version_main} %description -n openldap2-devel This package provides the OpenLDAP libraries, header files, and @@ -145,6 +178,7 @@ documentation. %package -n openldap2-devel-static Summary: Static libraries for the OpenLDAP libraries +License: OLDAP-2.8 Group: Development/Libraries/C and C++ Requires: openldap2-devel = %version %if %sles_version == 10 @@ -160,6 +194,7 @@ for development. %package -n libldap-2_4-2 Summary: OpenLDAP Client Libraries +License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Clients %description -n libldap-2_4-2 @@ -168,7 +203,7 @@ This package contains the OpenLDAP client libraries. %endif %prep -%setup -q -n openldap-%{version} -a1 -a2 -b100 +%setup -q -n openldap-%{version_main} -a1 -a2 -b100 %patch1 -p1 %patch2 -p1 %patch3 -p1 
@@ -180,6 +215,16 @@ cp %{SOURCE5} . cp %{SOURCE6} . cd ../openldap-2.3.37 %patch100 +%patch101 +%patch102 +%patch103 +%patch104 +%patch105 +%patch106 +%patch107 +%patch108 +%patch109 -p1 +%patch110 %build %{?suse_update_config:%{suse_update_config -f build}} @@ -222,7 +267,7 @@ export STRIP="" make depend make %{?jobs:-j%jobs} %if "%{name}" == "openldap2" -%if %suse_version < 1130 +#%if %suse_version < 1130 # build a static slapcat binary from the OpenLDAP 2.3 release # to be able to update existing databases cd ../openldap-2.3.37 @@ -230,18 +275,18 @@ cd ../openldap-2.3.37 libtoolize --force #aclocal -I build autoreconf -export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED" +export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS" ./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc \ --localstatedir=/var/run/slapd --libexecdir=/usr/lib/openldap \ --libdir=%{_libdir} --mandir=%{_mandir} --enable-aci \ --enable-hdb --enable-bdb --enable-ldbm --enable-crypt \ --enable-ipv6=no \ --enable-ldap --enable-monitor --enable-meta --enable-rewrite \ - --enable-dynamic=no --enable-shared=no + --enable-dynamic=no --enable-shared=yes make depend -make %{?jobs:-j%jobs} +make -C libraries %{?jobs:-j%jobs} -%endif +#%endif %endif %check 
@@ -270,11 +315,12 @@ make SLAPD_DEBUG=0 test %endif %install -mkdir -p $RPM_BUILD_ROOT/etc/init.d +mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/ mkdir -p $RPM_BUILD_ROOT/usr/sbin +mkdir -p $RPM_BUILD_ROOT/usr/lib/systemd/system make STRIP="" DESTDIR=$RPM_BUILD_ROOT install -install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap -ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap +install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start +install -m 644 slapd.service $RPM_BUILD_ROOT/usr/lib/systemd/system mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf @@ -319,6 +365,10 @@ mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples # install 2.3 slapcat install -m 755 ../openldap-2.3.37/servers/slapd/slapcat $RPM_BUILD_ROOT/usr/sbin/openldap-2.3-slapcat %endif +# install sle-10 compat libraries +pushd ../openldap-2.3.37/libraries +make DESTDIR=$RPM_BUILD_ROOT install +popd %endif rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5 @@ -334,21 +384,19 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la #put filelists into files cat >openldap2.filelist <openldap2.filelist <>openldap2.filelist < compat-libldap.filelist < openldap2-client.filelist < openldap2-client.filelist < libldap.filelist < openldap2-devel.filelist <