Accepting request 354705 from home:stroeder:branches:network:ldap

Compared to my obsoleted request #339745: 1. sysconfdir now correctly is /etc/openldap 2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed) 3. added Recommends: cyrus-sasl 4. replaced README.dynamic-overlays by README.module-loading with updated text 5. added patch for OpenLDAP ITS#8336 OBS-URL: https://build.opensuse.org/request/show/354705 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146
2016-01-21 13:36:42 +00:00 · 2016-01-21 13:36:42 +00:00 · 605d80a7bb
commit 605d80a7bb
parent 429b456698
24 changed files with 1919 additions and 392 deletions
--- a/0002-slapd.conf.dif
+++ b/0002-slapd.conf.dif
@ -1,35 +1,38 @@
 From a8be17d4a1db1c6ee24b328f3f34e21ccb02ca3f Mon Sep 17 00:00:00 2001
 From: Ralf Haferkamp <rhafer@suse.de>
 Date: Wed, 16 Jun 2010 14:05:49 +0200
 Subject: slapd.conf
 diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf
-index 4938b85..9caf292 100644
+index 4938b85..b9bec75 100644
 --- a/servers/slapd/slapd.conf
 +++ b/servers/slapd/slapd.conf
-@@ -3,6 +3,10 @@
+@@ -2,7 +2,11 @@
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
- include		%SYSCONFDIR%/schema/core.schema
+-include		%SYSCONFDIR%/schema/core.schema
-+include		%SYSCONFDIR%/schema/cosine.schema
+include		/etc/openldap/schema/core.schema
-+include		%SYSCONFDIR%/schema/inetorgperson.schema
+include		/etc/openldap/schema/cosine.schema
-+include		%SYSCONFDIR%/schema/rfc2307bis.schema
+include		/etc/openldap/schema/inetorgperson.schema
-+include		%SYSCONFDIR%/schema/yast.schema
+include		/etc/openldap/schema/rfc2307bis.schema
 +include		/etc/openldap/schema/yast.schema
 # Define global ACLs to disable default read access.
-@@ -10,8 +14,8 @@ include		%SYSCONFDIR%/schema/core.schema
+@@ -10,13 +14,13 @@ include		%SYSCONFDIR%/schema/core.schema
 # service AND an understanding of referrals.
 #referral	ldap://root.openldap.org
 -pidfile		%LOCALSTATEDIR%/run/slapd.pid
 -argsfile	%LOCALSTATEDIR%/run/slapd.args
-+pidfile		%LOCALSTATEDIR%/slapd.pid
+pidfile		/run/slapd/slapd.pid
-+argsfile	%LOCALSTATEDIR%/slapd.args
+argsfile	/run/slapd/slapd.args
 # Load dynamic backend modules:
- # modulepath	%MODULEDIR%
+-# modulepath	%MODULEDIR%
 +# modulepath	/usr/lib/openldap
 # moduleload	back_bdb.la
 -# moduleload	back_hdb.la
 +moduleload	back_hdb.la
 # moduleload	back_ldap.la
 # Sample security restrictions
@@ -26,20 +30,30 @@ argsfile	%LOCALSTATEDIR%/run/slapd.args
 # security ssf=1 update_ssf=112 simple_bind=64
@ -75,9 +78,12 @@ index 4938b85..9caf292 100644
 # if no access controls are present, the default policy
 # allows anyone and everyone to read anything but restricts
 # updates to rootdn.  (e.g., "access to * by * read")
-@@ -52,6 +66,8 @@ argsfile	%LOCALSTATEDIR%/run/slapd.args
+@@ -50,8 +64,10 @@ argsfile	%LOCALSTATEDIR%/run/slapd.args
 # BDB database definitions
 #######################################################################
- database	bdb
+-database	bdb
 +database	hdb
 suffix		"dc=my-domain,dc=com"
 +checkpoint      1024    5
 +cachesize       10000
@ -92,6 +98,3 @@ index 4938b85..9caf292 100644
 +directory	/var/lib/ldap
 # Indices to maintain
 index	objectClass	eq
 -- 
 1.7.10.4
--- a/0007-Recover-on-DB-version-change.dif
+++ b/0007-Recover-on-DB-version-change.dif
@ -1,29 +0,0 @@
 From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001
 From: Ralf Haferkamp <rhafer@suse.de>
 Date: Tue, 5 Oct 2010 14:20:22 +0200
 Subject: Recover on DB version change
 If the libdb Version changed try to recover the database. Note: This will
 only succeed if only the format of transaction logs changed.
 diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
 index ac5a6d5..fea5cb4 100644
 --- a/servers/slapd/back-bdb/init.c
 +++ b/servers/slapd/back-bdb/init.c
@@ -330,6 +330,13 @@ shm_retry:
 	rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
 			flags | do_recover, bdb->bi_dbenv_mode );
 +	if ( rc == DB_VERSION_MISMATCH ) {
 +		Debug( LDAP_DEBUG_ANY,
 +				LDAP_XSTRING(bdb_db_open) ": bdb version change detected "
 +				"trying to recover\n", 0, 0, 0 );
 +		rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
 +				flags | DB_RECOVER, bdb->bi_dbenv_mode );
 +	}
 	if ( rc ) {
 		/* Regular open failed, probably a missing shm environment.
 		 * Start over, do a recovery.
 -- 
 1.7.10.4
--- a/0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+++ b/0008-In-monitor-backend-do-not-return-Connection0-entries.patch
@ -1,29 +0,0 @@
 From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
 From: HouzuoGuo <guohouzuo@gmail.com>
 Date: Fri, 13 Mar 2015 16:14:10 +0100
 Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
 are created for internal use only.
 ---
 servers/slapd/back-monitor/conn.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
 index c1995b0..2d27738 100644
 --- a/servers/slapd/back-monitor/conn.c
 +++ b/servers/slapd/back-monitor/conn.c
@@ -454,6 +454,11 @@ monitor_subsys_conn_create(
 				c != NULL;
 				c = connection_next( c, &connindex ) )
 		{
 +			/* Connection 0 is created by connection_client_setup for internal use only */
 +			if (c->c_connid == 0) {
 +				continue;
 +			}
 +
 			monitor_entry_t 	*mp;
 			if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE
 -- 
 2.1.4
--- a/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+++ b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
@ -1,27 +0,0 @@
 From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
 From: Howard Chu <hyc@symas.com>
 Date: Sat, 12 Sep 2015 22:18:22 +0100
 Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
 We have never documented our use of assert, so can't expect
 builders to do the right thing.
 This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
 The commit fixes CVE-2015-6908.
 diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
 index 85c3e23..c05dcf8 100644
 --- a/libraries/liblber/io.c
 +++ b/libraries/liblber/io.c
@@ -679,7 +679,7 @@ done:
 		return (ber->ber_tag);
 	}
 -	assert( 0 ); /* ber structure is messed up ?*/
 +	/* invalid input */
 	return LBER_DEFAULT;
 }
 -- 
 2.6.3
--- a/README.dynamic-overlays
+++ b/README.dynamic-overlays
@ -1,19 +0,0 @@
 Most of the OpenLDAP overlays are now compiled as dynamic modules in our
 packages. If you want to use any of these in your setup make sure to put
 the correct "olcModuleLoad" or "moduleload" statements in your configuration.
 For details please see the slapd-config(5) and slapd.conf(5) manpages
 (depending on which config mechanism you use).
 For a list of the list of included dynamic modules see the
 "/usr/lib/openldap/modules/" directory.
 For convenience and backwards compatibility some overlays are are still
 compiled statically into the slapd binary. To see which overlays that are
 call "/usr/lib/openldap/slapd -VVV". Currently these are:
 syncprov (the provider part of syncrepl replication)
 ppolicy (a LDAP Password Policy implementation)
 Documentations for the overlays can be found in the respective man pages
 (named "slapo-<overlay-name>") or the OpenLDAP Administration Guide which
 is part of the "openldap2-doc" package.
--- a/README.module-loading
+++ b/README.module-loading
@ -0,0 +1,25 @@
 All of the OpenLDAP backends (except back-config) and overlays are now 
 compiled as dynamic modules in our packages. If you want to use any of 
 these in your setup make sure to put the correct "olcModuleLoad" or 
 "moduleload" statements in your configuration.
 For details please see the slapd-config(5) and slapd.conf(5) manpages
 (depending on which config mechanism you use).
 For a list of the included dynamic modules list all modules files:
 ls /usr/lib*/openldap/*.so
 Or just the backend files:
 ls /usr/lib*/openldap/back_*.so
 Documentations for the overlays can be found in the respective man pages or 
 the OpenLDAP Administration Guide which is part of the "openldap2-doc" 
 package.
 Backend man-pages:
 man 5 slapo-<back_name>
 Overlays man-pages:
 man 5 slapo-<name>
--- a/SuSEfirewall2.openldap
+++ b/SuSEfirewall2.openldap
@ -0,0 +1,17 @@
 ## Name: OpenLDAP Server
 ## Description: Opens ports for the OpenLDAP Server (slapd).
 # space separated list of allowed TCP ports
 TCP="ldap ldaps"
 # space separated list of allowed UDP ports
 UDP="ldap"
 # space separated list of allowed RPC services
 RPC=""
 # space separated list of allowed IP protocols
 IP=""
 # space separated list of allowed UDP broadcast ports
 BROADCAST=""
--- a/addonschema.tar.gz
+++ b/addonschema.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a1a0de4fe8c80b0210a706a9e8313b3c2f8b72b2de88961acf433a4e09752a4f
 size 3480
--- a/ldapns.schema
+++ b/ldapns.schema
@ -0,0 +1,23 @@
 # $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
 # LDAP Name Service Additional Schema
 # http://www.iana.org/assignments/gssapi-service-names
 attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
 	DESC 'IANA GSS-API authorized service name'
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
 objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
 	DESC 'Auxiliary object class for adding authorizedService attribute'
 	SUP top
 	AUXILIARY
 	MAY authorizedService )
 objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
 	DESC 'Auxiliary object class for adding host attribute'
 	SUP top
 	AUXILIARY
 	MAY host )
--- a/openldap-2.4.42.tgz
+++ b/openldap-2.4.42.tgz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:eeb7b0e2c5852bfd2650e83909bb6152835c0b862fab10b63954dc1bcbba8e63
 size 5645925
--- a/openldap-2.4.43.tgz
+++ b/openldap-2.4.43.tgz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:34d78e5598a2b0360d26a9050fcdbbe198c65493b013bb607839d5598b6978c8
 size 5654057
--- a/openldap-rc.tgz
+++ b/openldap-rc.tgz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5ec6d4241cd2080d20f9d8da8d76e51cfbe88ab14cdb9cbff4fea1348ce174c4
 size 4018
--- a/openldap-re24-its7796.patch
+++ b/openldap-re24-its7796.patch
@ -0,0 +1,80 @@
 diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c
 index 71e3ea4..bafef72 100644
 --- a/servers/slapd/back-bdb/filterindex.c
 +++ b/servers/slapd/back-bdb/filterindex.c
@@ -741,7 +741,7 @@ equality_candidates(
 		&db, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= bdb_equality_candidates: (%s) not indexed\n", 
 			ava->aa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
@@ -858,7 +858,7 @@ approx_candidates(
 		&db, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= bdb_approx_candidates: (%s) not indexed\n",
 			ava->aa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
@@ -978,7 +978,7 @@ substring_candidates(
 		&db, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= bdb_substring_candidates: (%s) not indexed\n",
 			sub->sa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
@@ -1095,7 +1095,7 @@ inequality_candidates(
 		&db, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= bdb_inequality_candidates: (%s) not indexed\n", 
 			ava->aa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
 diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c
 index 58c1cc8..20c58b7 100644
 --- a/servers/slapd/back-mdb/filterindex.c
 +++ b/servers/slapd/back-mdb/filterindex.c
@@ -709,7 +709,7 @@ equality_candidates(
 		&dbi, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= mdb_equality_candidates: (%s) not indexed\n", 
 			ava->aa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
@@ -825,7 +825,7 @@ approx_candidates(
 		&dbi, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= mdb_approx_candidates: (%s) not indexed\n",
 			ava->aa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
@@ -944,7 +944,7 @@ substring_candidates(
 		&dbi, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= mdb_substring_candidates: (%s) not indexed\n",
 			sub->sa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
@@ -1060,7 +1060,7 @@ inequality_candidates(
 		&dbi, &mask, &prefix );
 	if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
 -		Debug( LDAP_DEBUG_ANY,
 +		Debug( LDAP_DEBUG_TRACE,
 			"<= mdb_inequality_candidates: (%s) not indexed\n", 
 			ava->aa_desc->ad_cname.bv_val, 0, 0 );
 		return 0;
--- a/openldap-re24-its8336.patch
+++ b/openldap-re24-its8336.patch
@ -0,0 +1,25 @@
 From fd7bfbc0df0ade534bea84914d385ecf2a73f678 Mon Sep 17 00:00:00 2001
 From: Howard Chu <hyc@openldap.org>
 Date: Tue, 8 Dec 2015 18:17:24 +0000
 Subject: ITS#8336 fix page_search_root assert on FreeDB
 Let "illegal" branch pages thru on the FreeDB - the condition
 is only temporary and will be fixed by the time rebalance finishes.
 diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
 index fa0c9e5..a624cba 100644
 --- a/libraries/liblmdb/mdb.c
 +++ b/libraries/liblmdb/mdb.c
@@ -5279,7 +5279,11 @@ mdb_page_search_root(MDB_cursor *mc, MDB_val *key, int flags)
 		indx_t		i;
 		DPRINTF(("branch page %"Z"u has %u keys", mp->mp_pgno, NUMKEYS(mp)));
 -		mdb_cassert(mc, NUMKEYS(mp) > 1);
 +		/* Don't assert on branch pages in the FreeDB. We can get here
 +		 * while in the process of rebalancing a FreeDB branch page; we must
 +		 * let that proceed. ITS#8336
 +		 */
 +		mdb_cassert(mc, !mc->mc_dbi || NUMKEYS(mp) > 1);
 		DPRINTF(("found index 0 to page %"Z"u", NODEPGNO(NODEPTR(mp, 0))));
 		if (flags & (MDB_PS_FIRST|MDB_PS_LAST)) {
--- a/openldap2-client.changes
+++ b/openldap2-client.changes
@ -1,5 +1,37 @@
 -------------------------------------------------------------------
-Wed Dec  2 12:51:10 UTC 2015 - hguo@suse.com
+Tue Dec  8 11:36:16 UTC 2015 - michael@stroeder.com
 - Upgrade to upstream 2.4.43 release with accumulated bug fixes.
 - Still build on SLES12
 - Loadable backend and overlay modules are now installed
  into arch-specific path %{_libdir}/openldap
 - All backends and overlays as modules for smaller memory footprint
  on memory constrained systems
 - Added extra package for back-sock
 - Consequent use of %{_rundir} everywhere
 - Rely on upstream ./configure script instead of any other
  macro foo
 - Dropped linking with libwrap
 - Dropped 0004-libldap-use-gethostbyname_r.dif because this
  work-around for nss_ldap is obsolete
 - New sub-package openldap2-contrib with selected contrib/ overlays
 - Replaced addonschema.tar.gz with separate schema sources
 - Updated ldapns.schema from recent slapo-nssov source tree
 - Added symbolic link to slapd executable in /usr/sbin/
 - Added more complex example configuration file
  /etc/openldap/slapd.conf.example
 - Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap
 - Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap
 - Added patch for OpenLDAP ITS#7796 to avoid excessive
  "not index" logging
 - Replaced openldap-rc.tgz with single source files
 - Added soft dependency (Recommends) to cyrus-sasl
 - Added soft dependency (Recommends) to cyrus-sasl-devel
  to openldap2-devel
 - Added patch for OpenLDAP ITS#8336 (assert in liblmdb)
 -------------------------------------------------------------------
 Wed Dec  2 12:50:47 UTC 2015 - hguo@suse.com
 - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
  to fix CVE-2015-6908. (bsc#945582)
@ -36,7 +68,7 @@ Fri Oct  9 09:19:35 UTC 2015 - hguo@suse.com
    check-build.sh
 -------------------------------------------------------------------
-Thu Oct  1 11:08:59 UTC 2015 - hguo@suse.com
+Thu Oct  1 11:08:41 UTC 2015 - hguo@suse.com
 - Upgrade to upstream 2.4.42 release with accumulated bug fixes.
--- a/openldap2-client.spec
+++ b/openldap2-client.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openldap2-client
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,52 +17,58 @@
 %define run_test_suite 0
-%define version_main 2.4.42
+%define version_main 2.4.43
-%if ! %{defined _rundir}
+%if %{suse_version} >= 1310 && %{suse_version} != 1315
-%define _rundir %{_localstatedir}/run
+%define  _rundir /run/slapd
 %else
 %define  _rundir /var/run/slapd
 %endif
 Name:           openldap2-client
 Summary:        The OpenLDAP commandline client tools
 License:        OLDAP-2.8
 Group:          Productivity/Networking/LDAP/Clients
-Version:        2.4.42
+Version:        %{version_main}
 Release:        0
 Url:            http://www.openldap.org
 Source:         openldap-%{version_main}.tgz
 Source1:        openldap-rc.tgz
 Source2:        addonschema.tar.gz
 Source3:        DB_CONFIG
 Source4:        sasl-slapd.conf
-Source5:        README.dynamic-overlays
+Source5:        README.module-loading
 Source6:        schema2ldif
 Source7:        baselibs.conf
-Patch1:         0001-build-adjustments.dif
+Source9:        ldapns.schema
 Source10:       rfc2307bis.schema
 Source11:       yast.schema
 Source12:       slapd.conf.example
 Source13:       start
 Source14:       slapd.service
 Source15:       SuSEfirewall2.openldap
 Source16:       sysconfig.openldap
 Patch2:         0002-slapd.conf.dif
 Patch3:         0003-LDAPI-socket-location.dif
-Patch4:         0004-libldap-use-gethostbyname_r.dif
+#Patch4:         0004-libldap-use-gethostbyname_r.dif
 Patch5:         0005-pie-compile.dif
 Patch6:         0006-No-Build-date-and-time-in-binaries.dif
 Patch7:         0007-Recover-on-DB-version-change.dif
 Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
-Patch10:        0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch10:        openldap-re24-its7796.patch
 Patch11:        0011-Enforce-minimum-DH-size-of-1024.patch
 Patch12:        openldap-re24-its8336.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
 Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl
 %if "%{name}" == "openldap2"
 BuildRequires:  db-devel
 BuildRequires:  openslp-devel
 BuildRequires:  tcpd-devel
 BuildRequires:  unixODBC-devel
 Conflicts:      openldap
 Requires:       libldap-2_4-2 = %{version_main}
 PreReq:         %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
-%if 0%{?suse_version} >= 1140
+%if %{suse_version} >= 1310 && %{suse_version} != 1315
 # avoid cycle with krb5
 BuildRequires:  krb5-mini
 BuildRequires:  pkgconfig(systemd)
@ -70,7 +76,6 @@ BuildRequires:  pkgconfig(systemd)
 %endif
 %else
 Conflicts:      openldap-client
 Requires:       libldap-2_4-2 = %{version_main}
 %endif
 # For /usr/bin/strings
 Requires(pre):  binutils
@ -78,10 +83,10 @@ Requires(pre):  binutils
 %if "%{name}" == "openldap2"
 %description
-The Lightweight Directory Access Protocol (LDAP) is used to access
+OpenLDAP is a client and server reference implementation of the
-online directory services. It runs directly over TCP and can be used to
+Lightweight Directory Access Protocol v3 (LDAPv3).
-access a stand-alone LDAP directory service or to access a directory
+
-service that has an X.500 back-end.
+The server provides several database backends and overlays.
 %package      -n openldap2-back-perl
 Summary:        OpenLDAP Perl Back-End
@ -93,6 +98,16 @@ Requires:       perl = %{perl_version}
 The OpenLDAP Perl back-end allows you to execute Perl code specific to
 different LDAP operations.
 %package      -n openldap2-back-sock
 Summary:        OpenLDAP Socket Back-End
 Group:          Productivity/Networking/LDAP/Servers
 Requires:       openldap2 = %{version_main}
 Provides:       openldap2:/usr/share/man/man5/slapd-sock.5.gz
 %description -n openldap2-back-sock
 The OpenLDAP socket back-end allows you to handle LDAP requests and
 results with an external process listening on a Unix domain socket.
 %package      -n openldap2-back-meta
 Summary:        OpenLDAP Meta Back-End
 Group:          Productivity/Networking/LDAP/Servers
@ -115,6 +130,25 @@ The primary purpose of this OpenLDAP backend is to present information
 stored in a Relational (SQL) Database as an LDAP subtree without the need
 to do any programming.
 %package      -n openldap2-contrib
 Summary:        OpenLDAP Contrib Modules
 Group:          Productivity/Networking/LDAP/Servers
 Requires:       openldap2 = %{version_main}
 %description -n openldap2-contrib
 Various overlays found in contrib/:
 allop         
 allowed       Generates attributes indicating access rights
 autogroup     
 cloak         
 denyop        
 lastbind      writes last bind timestamp to entry
 noopsrch      handles no-op search control
 nops 
 pw-sha2       generates/validates SHA-2 password hashes
 pw-pbkdf2     generates/validates PBKDF2 password hashes
 smbk5pwd      generates Samba3 password hashes (heimdal krb disabled)
 %package      -n openldap2-doc
 Summary:        OpenLDAP Documentation
 Group:          Documentation/Other
@ -126,6 +160,7 @@ BuildArch:      noarch
 %description -n openldap2-doc
 The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
 Authors:
 --------
    The OpenLDAP Project <project@openldap.org>
@ -145,6 +180,7 @@ Obsoletes:      openldap2-devel-64bit
 #
 Conflicts:      openldap-devel
 Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl-devel
 %description -n openldap2-devel
 This package provides the OpenLDAP libraries, header files, and
@ -171,60 +207,75 @@ This package contains the OpenLDAP client libraries.
 %endif
 %prep
-%setup -q -n openldap-%{version_main} -a1 -a2
+%setup -q -n openldap-%{version_main}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
+#%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 cp %{SOURCE5} .
 %build
-%{?suse_update_config:%{suse_update_config -f build}}
+# %{?suse_update_config:%{suse_update_config -f build}}
-libtoolize --force
+#libtoolize --force
-autoreconf
+#autoreconf
-export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE"
+# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
 export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
 export STRIP=""
-%configure \
+./configure \
-        --localstatedir=%{_rundir}/slapd \
+        --prefix=/usr \
-        --libexecdir=/usr/lib/openldap \
+        --sysconfdir=%{_sysconfdir} \
-        --enable-wrappers \
+        --libdir=%{_libdir} \
        --libexecdir=%{_libdir} \
        --localstatedir=%{_rundir} \
        --enable-wrappers=no \
        --enable-spasswd \
        --enable-modules \
        --enable-shared \
        --enable-dynamic \
-        --with-tls \
+        --with-tls=openssl \
        --with-cyrus-sasl \
        --enable-crypt \
        --enable-ipv6=yes \
 %if "%{name}" == "openldap2"
        --enable-aci \
-        --enable-bdb \
+        --enable-bdb=mod \
-        --enable-hdb \
+        --enable-hdb=mod \
        --enable-rewrite \
-        --enable-ldap=yes \
+        --enable-ldap=mod \
        --enable-meta=mod \
-        --enable-monitor=yes \
+        --enable-monitor=mod \
        --enable-perl=mod \
        --enable-sock=mod \
        --enable-sql=mod \
-        --enable-mdb=yes \
+        --enable-mdb=mod \
        --enable-relay=mod \
        --enable-slp \
        --enable-overlays=mod \
-        --enable-syncprov=yes \
+        --enable-syncprov=mod \
-        --enable-ppolicy=yes \
+        --enable-ppolicy=mod \
 %else
        --disable-slapd \
 %endif
        --enable-lmpasswd \
-        --with-yielding-select
+        --with-yielding-select \
  || cat config.log
 make depend
 make %{?_smp_mflags}
 %if "%{name}" == "openldap2"
 # Build selected contrib overlays
 for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
 do
  make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 done
 # One more level up needed because of passwd/sha2
 # slapo-smbk5pwd only for Samba password hashes
 make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
 %endif
 %check
 %if %run_test_suite
@ -252,50 +303,67 @@ make SLAPD_DEBUG=0 test
 %endif
 %install
-mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/
+mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap
-mkdir -p $RPM_BUILD_ROOT/usr/sbin
+mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap
-mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
-make STRIP="" DESTDIR=$RPM_BUILD_ROOT install
+mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir}
-install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start
+make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
-install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir}
+# Additional symbolic link to slapd executable in /usr/sbin/
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
+%if "%{name}" == "openldap2"
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
+ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf
+%endif
-install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap
+%if "%{name}" == "openldap2"
-chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so*
+# Install selected contrib overlays
-chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so*
+for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
-chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so*
+do
-install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif
+  make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 done
 # slapo-smbk5pwd only for Samba password hashes
 make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 %endif
 install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start
 install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir}
 mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d
 mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2
 install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf
 install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so*
 install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
 %if "%{name}" == "openldap2"
 %define DOCDIR %{_defaultdocdir}/%{name}
-mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
+mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates
-install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap
+install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap
-install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema
+install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG
+install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example
+install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/
+install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
-install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap
+install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
 install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
 install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
 install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
 rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a !  -type d`
 rm -rf doc/guide/release
-install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \
+install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \
-           $RPM_BUILD_ROOT/%{DOCDIR}/images \
+           ${RPM_BUILD_ROOT}/%{DOCDIR}/images \
-           $RPM_BUILD_ROOT/%{DOCDIR}/drafts
+           ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
-install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide
+install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide
-install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images
+install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images
-install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts
+install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
 install -m 644 ANNOUNCEMENT \
               COPYRIGHT \
               LICENSE \
               README \
               CHANGES \
               %{SOURCE5} \
-               $RPM_BUILD_ROOT/%{DOCDIR}
+               ${RPM_BUILD_ROOT}/%{DOCDIR}
 install -m 644 servers/slapd/slapd.ldif \
-               $RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default
+               ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default
-rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example
+rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example
-rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README
+rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README
-rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif*
+rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif*
-rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example
+rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example
 mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
 # Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO
 # /usr/sbin/service exists only since openSUSE 12.3:
@ -305,16 +373,15 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
 ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd
 %endif
 %endif
-rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a
+rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5
 # Remove *.la files, libtool does not handle this correct
-rm -f  $RPM_BUILD_ROOT%{_libdir}/lib*.la
+rm -f  ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
 #put filelists into files
 cat >openldap2.filelist <<EOF
@ -328,36 +395,45 @@ cat >openldap2.filelist <<EOF
 %dir /etc/openldap/schema
 %config /etc/openldap/schema/*.schema
 %config /etc/openldap/schema/*.ldif
-%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf
+%config(noreplace) %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf
 %config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG
 %config /var/lib/ldap/DB_CONFIG.example
-%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
+%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
 %config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.example
 %config(noreplace) /etc/sasl2/slapd.conf
 %dir /usr/lib/openldap
-%dir /usr/lib/openldap/modules
+%dir /%{_libdir}/openldap
-/usr/lib/openldap/modules/accesslog*
+%{_libdir}/openldap/back_bdb*
-/usr/lib/openldap/modules/auditlog*
+%{_libdir}/openldap/back_hdb*
-/usr/lib/openldap/modules/collect*
+%{_libdir}/openldap/back_ldap*
-/usr/lib/openldap/modules/constraint*
+%{_libdir}/openldap/back_mdb*
-/usr/lib/openldap/modules/dds*
+%{_libdir}/openldap/back_monitor*
-/usr/lib/openldap/modules/deref*
+%{_libdir}/openldap/back_relay*
-/usr/lib/openldap/modules/dyngroup*
+%{_libdir}/openldap/accesslog*
-/usr/lib/openldap/modules/dynlist*
+%{_libdir}/openldap/auditlog*
-/usr/lib/openldap/modules/memberof*
+%{_libdir}/openldap/collect*
-/usr/lib/openldap/modules/pcache*
+%{_libdir}/openldap/constraint*
-/usr/lib/openldap/modules/refint*
+%{_libdir}/openldap/dds*
-/usr/lib/openldap/modules/retcode*
+%{_libdir}/openldap/deref*
-/usr/lib/openldap/modules/rwm*
+%{_libdir}/openldap/dyngroup*
-/usr/lib/openldap/modules/seqmod*
+%{_libdir}/openldap/dynlist*
-/usr/lib/openldap/modules/sssvlv*
+%{_libdir}/openldap/memberof*
-/usr/lib/openldap/modules/translucent*
+%{_libdir}/openldap/pcache*
-/usr/lib/openldap/modules/unique*
+%{_libdir}/openldap/ppolicy*
-/usr/lib/openldap/modules/valsort*
+%{_libdir}/openldap/refint*
-/usr/lib/openldap/slapd
+%{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
 %{_libdir}/openldap/seqmod*
 %{_libdir}/openldap/sssvlv*
 %{_libdir}/openldap/syncprov*
 %{_libdir}/openldap/translucent*
 %{_libdir}/openldap/unique*
 %{_libdir}/openldap/valsort*
 %{_libdir}/slapd
 /usr/lib/openldap/start
-/usr/lib/systemd/system/slapd.service
+%{_unitdir}/slapd.service
-%dir %attr(0700, ldap, ldap) /var/lib/ldap
+%dir %attr(0750, ldap, ldap) /var/lib/ldap
-%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd
+%ghost %attr(0750, ldap, ldap) %{_rundir}
 %doc %{_mandir}/man8/sl*
 %doc %{_mandir}/man5/slapd.*
 %doc %{_mandir}/man5/slapd-bdb.*
@ -417,20 +493,37 @@ cat > openldap2-devel-static.filelist <<-EOF
 	%_libdir/libldap*.a
 EOF
 cat > openldap2-back-perl.filelist <<EOF
-/usr/lib/openldap/modules/back_perl*
+%{_libdir}/openldap/back_perl*
 %doc %{_mandir}/man5/slapd-perl.*
 EOF
 cat > openldap2-back-sock.filelist <<EOF
 %{_libdir}/openldap/back_sock*
 %doc %{_mandir}/man5/slapd-sock.*
 EOF
 cat > openldap2-back-meta.filelist <<EOF
-/usr/lib/openldap/modules/back_meta*
+%{_libdir}/openldap/back_meta*
 %doc %{_mandir}/man5/slapd-meta.*
 EOF
 cat > openldap2-back-sql.filelist <<EOF
-/usr/lib/openldap/modules/back_sql*
+%{_libdir}/openldap/back_sql*
 %doc %{_mandir}/man5/slapd-sql.*
 %doc servers/slapd/back-sql/examples
 %doc servers/slapd/back-sql/docs/bugs
 %doc servers/slapd/back-sql/docs/install
 EOF
 cat > openldap2-contrib.filelist <<EOF
 %{_libdir}/openldap/allowed.*
 %{_libdir}/openldap/allop.*
 %{_libdir}/openldap/autogroup.*
 %{_libdir}/openldap/lastbind.*
 %{_libdir}/openldap/noopsrch.*
 %{_libdir}/openldap/nops.*
 %{_libdir}/openldap/pw-sha2.*
 %{_libdir}/openldap/pw-pbkdf2.*
 %{_libdir}/openldap/denyop.*
 %{_libdir}/openldap/cloak.*
 %{_libdir}/openldap/smbk5pwd.*
 EOF
 cat >openldap2-doc.filelist <<EOF
 %dir %{DOCDIR}
 %doc %{DOCDIR}/drafts
@ -442,20 +535,20 @@ EOF
 cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \
 	openldap2-devel-static.filelist |
 %else
-cat openldap2.filelist openldap2-back-perl.filelist \
+cat openldap2.filelist openldap2-back-perl.filelist openldap2-back-sock.filelist \
    openldap2-back-meta.filelist openldap2-back-sql.filelist \
-    openldap2-doc.filelist compat-libldap.filelist |
+    openldap2-doc.filelist openldap2-contrib.filelist |
 %endif
  grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do
-    rm -rf $RPM_BUILD_ROOT$name
+    rm -rf ${RPM_BUILD_ROOT}${name}
  done
 %if "%{name}" == "openldap2"
 %pre
 /usr/sbin/groupadd -g 70 -o -r ldap || :
-/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
+/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
 if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
-    touch /var/run/enable_slapd_service
+    touch %{_rundir}/enable_slapd_service
 fi
 %service_add_pre slapd.service
@ -467,7 +560,7 @@ fi
 %{fillup_only -n openldap ldap}
 %{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
 %service_add_post slapd.service
-if [ -f /var/run/enable_slapd_service ]; then
+if [ -f %{_rundir}/enable_slapd_service ]; then
    /usr/bin/systemctl --quiet enable slapd
 fi
@ -483,6 +576,9 @@ fi
 %files -n openldap2-back-perl -f openldap2-back-perl.filelist
 %defattr(-,root,root)
 %files -n openldap2-back-sock -f openldap2-back-sock.filelist
 %defattr(-,root,root)
 %files -n openldap2-back-meta -f openldap2-back-meta.filelist
 %defattr(-,root,root)
@ -492,6 +588,9 @@ fi
 %files -n openldap2-doc -f openldap2-doc.filelist
 %defattr(-,root,root)
 %files -n openldap2-contrib -f openldap2-contrib.filelist
 %defattr(-,root,root)
 %else
 %post -n libldap-2_4-2 -p /sbin/ldconfig
--- a/openldap2.changes
+++ b/openldap2.changes
@ -1,3 +1,35 @@
 -------------------------------------------------------------------
 Tue Dec  8 11:36:16 UTC 2015 - michael@stroeder.com
 - Upgrade to upstream 2.4.43 release with accumulated bug fixes.
 - Still build on SLES12
 - Loadable backend and overlay modules are now installed
  into arch-specific path %{_libdir}/openldap
 - All backends and overlays as modules for smaller memory footprint
  on memory constrained systems
 - Added extra package for back-sock
 - Consequent use of %{_rundir} everywhere
 - Rely on upstream ./configure script instead of any other
  macro foo
 - Dropped linking with libwrap
 - Dropped 0004-libldap-use-gethostbyname_r.dif because this
  work-around for nss_ldap is obsolete
 - New sub-package openldap2-contrib with selected contrib/ overlays
 - Replaced addonschema.tar.gz with separate schema sources
 - Updated ldapns.schema from recent slapo-nssov source tree
 - Added symbolic link to slapd executable in /usr/sbin/
 - Added more complex example configuration file
  /etc/openldap/slapd.conf.example
 - Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap
 - Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap
 - Added patch for OpenLDAP ITS#7796 to avoid excessive
  "not index" logging
 - Replaced openldap-rc.tgz with single source files
 - Added soft dependency (Recommends) to cyrus-sasl
 - Added soft dependency (Recommends) to cyrus-sasl-devel
  to openldap2-devel
 - Added patch for OpenLDAP ITS#8336 (assert in liblmdb)
 -------------------------------------------------------------------
 Wed Dec  2 12:50:47 UTC 2015 - hguo@suse.com
--- a/openldap2.spec
+++ b/openldap2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openldap2
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,52 +17,58 @@
 %define run_test_suite 0
-%define version_main 2.4.42
+%define version_main 2.4.43
-%if ! %{defined _rundir}
+%if %{suse_version} >= 1310 && %{suse_version} != 1315
-%define _rundir %{_localstatedir}/run
+%define  _rundir /run/slapd
 %else
 %define  _rundir /var/run/slapd
 %endif
 Name:           openldap2
 Summary:        The OpenLDAP Server
 License:        OLDAP-2.8
 Group:          Productivity/Networking/LDAP/Clients
-Version:        2.4.42
+Version:        %{version_main}
 Release:        0
 Url:            http://www.openldap.org
 Source:         openldap-%{version_main}.tgz
 Source1:        openldap-rc.tgz
 Source2:        addonschema.tar.gz
 Source3:        DB_CONFIG
 Source4:        sasl-slapd.conf
-Source5:        README.dynamic-overlays
+Source5:        README.module-loading
 Source6:        schema2ldif
 Source7:        baselibs.conf
-Patch1:         0001-build-adjustments.dif
+Source9:        ldapns.schema
 Source10:       rfc2307bis.schema
 Source11:       yast.schema
 Source12:       slapd.conf.example
 Source13:       start
 Source14:       slapd.service
 Source15:       SuSEfirewall2.openldap
 Source16:       sysconfig.openldap
 Patch2:         0002-slapd.conf.dif
 Patch3:         0003-LDAPI-socket-location.dif
-Patch4:         0004-libldap-use-gethostbyname_r.dif
+#Patch4:         0004-libldap-use-gethostbyname_r.dif
 Patch5:         0005-pie-compile.dif
 Patch6:         0006-No-Build-date-and-time-in-binaries.dif
 Patch7:         0007-Recover-on-DB-version-change.dif
 Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
-Patch10:        0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch10:        openldap-re24-its7796.patch
 Patch11:        0011-Enforce-minimum-DH-size-of-1024.patch
 Patch12:        openldap-re24-its8336.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
 Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl
 %if "%{name}" == "openldap2"
 BuildRequires:  db-devel
 BuildRequires:  openslp-devel
 BuildRequires:  tcpd-devel
 BuildRequires:  unixODBC-devel
 Conflicts:      openldap
 Requires:       libldap-2_4-2 = %{version_main}
 PreReq:         %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
-%if 0%{?suse_version} >= 1140
+%if %{suse_version} >= 1310 && %{suse_version} != 1315
 # avoid cycle with krb5
 BuildRequires:  krb5-mini
 BuildRequires:  pkgconfig(systemd)
@ -70,7 +76,6 @@ BuildRequires:  pkgconfig(systemd)
 %endif
 %else
 Conflicts:      openldap-client
 Requires:       libldap-2_4-2 = %{version_main}
 %endif
 # For /usr/bin/strings
 Requires(pre):  binutils
@ -78,10 +83,10 @@ Requires(pre):  binutils
 %if "%{name}" == "openldap2"
 %description
-The Lightweight Directory Access Protocol (LDAP) is used to access
+OpenLDAP is a client and server reference implementation of the
-online directory services. It runs directly over TCP and can be used to
+Lightweight Directory Access Protocol v3 (LDAPv3).
-access a stand-alone LDAP directory service or to access a directory
+
-service that has an X.500 back-end.
+The server provides several database backends and overlays.
 %package      -n openldap2-back-perl
 Summary:        OpenLDAP Perl Back-End
@ -93,6 +98,16 @@ Requires:       perl = %{perl_version}
 The OpenLDAP Perl back-end allows you to execute Perl code specific to
 different LDAP operations.
 %package      -n openldap2-back-sock
 Summary:        OpenLDAP Socket Back-End
 Group:          Productivity/Networking/LDAP/Servers
 Requires:       openldap2 = %{version_main}
 Provides:       openldap2:/usr/share/man/man5/slapd-sock.5.gz
 %description -n openldap2-back-sock
 The OpenLDAP socket back-end allows you to handle LDAP requests and
 results with an external process listening on a Unix domain socket.
 %package      -n openldap2-back-meta
 Summary:        OpenLDAP Meta Back-End
 Group:          Productivity/Networking/LDAP/Servers
@ -115,6 +130,25 @@ The primary purpose of this OpenLDAP backend is to present information
 stored in a Relational (SQL) Database as an LDAP subtree without the need
 to do any programming.
 %package      -n openldap2-contrib
 Summary:        OpenLDAP Contrib Modules
 Group:          Productivity/Networking/LDAP/Servers
 Requires:       openldap2 = %{version_main}
 %description -n openldap2-contrib
 Various overlays found in contrib/:
 allop         
 allowed       Generates attributes indicating access rights
 autogroup     
 cloak         
 denyop        
 lastbind      writes last bind timestamp to entry
 noopsrch      handles no-op search control
 nops 
 pw-sha2       generates/validates SHA-2 password hashes
 pw-pbkdf2     generates/validates PBKDF2 password hashes
 smbk5pwd      generates Samba3 password hashes (heimdal krb disabled)
 %package      -n openldap2-doc
 Summary:        OpenLDAP Documentation
 Group:          Documentation/Other
@ -126,6 +160,7 @@ BuildArch:      noarch
 %description -n openldap2-doc
 The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
 Authors:
 --------
    The OpenLDAP Project <project@openldap.org>
@ -145,6 +180,7 @@ Obsoletes:      openldap2-devel-64bit
 #
 Conflicts:      openldap-devel
 Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl-devel
 %description -n openldap2-devel
 This package provides the OpenLDAP libraries, header files, and
@ -171,61 +207,74 @@ This package contains the OpenLDAP client libraries.
 %endif
 %prep
-%setup -q -n openldap-%{version_main} -a1 -a2
+%setup -q -n openldap-%{version_main}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
+#%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 cp %{SOURCE5} .
 %build
-%{?suse_update_config:%{suse_update_config -f build}}
+# %{?suse_update_config:%{suse_update_config -f build}}
-libtoolize --force
+#libtoolize --force
-autoreconf
+#autoreconf
-export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE"
+# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
 export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"
 export STRIP=""
-%configure \
+./configure \
-        --localstatedir=%{_rundir}/slapd \
+        --prefix=/usr \
-        --libexecdir=/usr/lib/openldap \
+        --sysconfdir=%{_sysconfdir} \
-        --enable-wrappers \
+        --libdir=%{_libdir} \
        --libexecdir=%{_libdir} \
        --localstatedir=%{_rundir} \
        --enable-wrappers=no \
        --enable-spasswd \
        --enable-modules \
        --enable-shared \
        --enable-dynamic \
-        --with-tls \
+        --with-tls=openssl \
        --with-cyrus-sasl \
        --enable-crypt \
        --enable-ipv6=yes \
 %if "%{name}" == "openldap2"
        --enable-aci \
-        --enable-bdb \
+        --enable-bdb=mod \
-        --enable-hdb \
+        --enable-hdb=mod \
        --enable-rewrite \
-        --enable-ldap=yes \
+        --enable-ldap=mod \
        --enable-meta=mod \
-        --enable-monitor=yes \
+        --enable-monitor=mod \
        --enable-perl=mod \
        --enable-sock=mod \
        --enable-sql=mod \
-        --enable-mdb=yes \
+        --enable-mdb=mod \
        --enable-relay=mod \
        --enable-slp \
        --enable-overlays=mod \
-        --enable-syncprov=yes \
+        --enable-syncprov=mod \
-        --enable-ppolicy=yes \
+        --enable-ppolicy=mod \
 %else
        --disable-slapd \
 %endif
        --enable-lmpasswd \
-        --with-yielding-select
+        --with-yielding-select \
  || cat config.log
 make depend
 make %{?_smp_mflags}
 %if "%{name}" == "openldap2"
 # Build selected contrib overlays
 for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
 do
  make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 done
 # One more level up needed because of passwd/sha2
 # slapo-smbk5pwd only for Samba password hashes
 make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
 %endif
 %check
@ -254,50 +303,67 @@ make SLAPD_DEBUG=0 test
 %endif
 %install
-mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/
+mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap
-mkdir -p $RPM_BUILD_ROOT/usr/sbin
+mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap
-mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
-make STRIP="" DESTDIR=$RPM_BUILD_ROOT install
+mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir}
-install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start
+make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
-install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir}
+# Additional symbolic link to slapd executable in /usr/sbin/
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
+%if "%{name}" == "openldap2"
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
+ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf
+%endif
-install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap
+%if "%{name}" == "openldap2"
-chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so*
+# Install selected contrib overlays
-chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so*
+for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
-chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so*
+do
-install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif
+  make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 done
 # slapo-smbk5pwd only for Samba password hashes
 make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 %endif
 install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start
 install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir}
 mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d
 mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2
 install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf
 install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
 chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so*
 install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
 %if "%{name}" == "openldap2"
 %define DOCDIR %{_defaultdocdir}/%{name}
-mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
+mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates
-install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap
+install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap
-install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema
+install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG
+install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example
+install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/
+install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
-install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap
+install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
 install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
 install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
 install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
 rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a !  -type d`
 rm -rf doc/guide/release
-install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \
+install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \
-           $RPM_BUILD_ROOT/%{DOCDIR}/images \
+           ${RPM_BUILD_ROOT}/%{DOCDIR}/images \
-           $RPM_BUILD_ROOT/%{DOCDIR}/drafts
+           ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
-install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide
+install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide
-install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images
+install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images
-install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts
+install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
 install -m 644 ANNOUNCEMENT \
               COPYRIGHT \
               LICENSE \
               README \
               CHANGES \
               %{SOURCE5} \
-               $RPM_BUILD_ROOT/%{DOCDIR}
+               ${RPM_BUILD_ROOT}/%{DOCDIR}
 install -m 644 servers/slapd/slapd.ldif \
-               $RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default
+               ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default
-rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example
+rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example
-rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README
+rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README
-rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif*
+rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif*
-rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example
+rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example
 mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
 # Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO
 # /usr/sbin/service exists only since openSUSE 12.3:
@ -307,16 +373,15 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
 ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd
 %endif
 %endif
-rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a
+rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5
-rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5
+rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
 rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5
 # Remove *.la files, libtool does not handle this correct
-rm -f  $RPM_BUILD_ROOT%{_libdir}/lib*.la
+rm -f  ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
 #put filelists into files
 cat >openldap2.filelist <<EOF
@ -330,36 +395,45 @@ cat >openldap2.filelist <<EOF
 %dir /etc/openldap/schema
 %config /etc/openldap/schema/*.schema
 %config /etc/openldap/schema/*.ldif
-%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf
+%config(noreplace) %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf
 %config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG
 %config /var/lib/ldap/DB_CONFIG.example
-%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
+%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
 %config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.example
 %config(noreplace) /etc/sasl2/slapd.conf
 %dir /usr/lib/openldap
-%dir /usr/lib/openldap/modules
+%dir /%{_libdir}/openldap
-/usr/lib/openldap/modules/accesslog*
+%{_libdir}/openldap/back_bdb*
-/usr/lib/openldap/modules/auditlog*
+%{_libdir}/openldap/back_hdb*
-/usr/lib/openldap/modules/collect*
+%{_libdir}/openldap/back_ldap*
-/usr/lib/openldap/modules/constraint*
+%{_libdir}/openldap/back_mdb*
-/usr/lib/openldap/modules/dds*
+%{_libdir}/openldap/back_monitor*
-/usr/lib/openldap/modules/deref*
+%{_libdir}/openldap/back_relay*
-/usr/lib/openldap/modules/dyngroup*
+%{_libdir}/openldap/accesslog*
-/usr/lib/openldap/modules/dynlist*
+%{_libdir}/openldap/auditlog*
-/usr/lib/openldap/modules/memberof*
+%{_libdir}/openldap/collect*
-/usr/lib/openldap/modules/pcache*
+%{_libdir}/openldap/constraint*
-/usr/lib/openldap/modules/refint*
+%{_libdir}/openldap/dds*
-/usr/lib/openldap/modules/retcode*
+%{_libdir}/openldap/deref*
-/usr/lib/openldap/modules/rwm*
+%{_libdir}/openldap/dyngroup*
-/usr/lib/openldap/modules/seqmod*
+%{_libdir}/openldap/dynlist*
-/usr/lib/openldap/modules/sssvlv*
+%{_libdir}/openldap/memberof*
-/usr/lib/openldap/modules/translucent*
+%{_libdir}/openldap/pcache*
-/usr/lib/openldap/modules/unique*
+%{_libdir}/openldap/ppolicy*
-/usr/lib/openldap/modules/valsort*
+%{_libdir}/openldap/refint*
-/usr/lib/openldap/slapd
+%{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
 %{_libdir}/openldap/seqmod*
 %{_libdir}/openldap/sssvlv*
 %{_libdir}/openldap/syncprov*
 %{_libdir}/openldap/translucent*
 %{_libdir}/openldap/unique*
 %{_libdir}/openldap/valsort*
 %{_libdir}/slapd
 /usr/lib/openldap/start
-/usr/lib/systemd/system/slapd.service
+%{_unitdir}/slapd.service
-%dir %attr(0700, ldap, ldap) /var/lib/ldap
+%dir %attr(0750, ldap, ldap) /var/lib/ldap
-%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd
+%ghost %attr(0750, ldap, ldap) %{_rundir}
 %doc %{_mandir}/man8/sl*
 %doc %{_mandir}/man5/slapd.*
 %doc %{_mandir}/man5/slapd-bdb.*
@ -380,11 +454,6 @@ cat >openldap2.filelist <<EOF
 %doc %{DOCDIR}/CHANGES
 %doc %{DOCDIR}/slapd.ldif.default
 EOF
 %if %suse_version < 1130
 cat >>openldap2.filelist <<EOF
 /usr/sbin/openldap-2.3-slapcat
 EOF
 %endif
 #
 #
 cat > openldap2-client.filelist <<EOF
@ -424,20 +493,37 @@ cat > openldap2-devel-static.filelist <<-EOF
 	%_libdir/libldap*.a
 EOF
 cat > openldap2-back-perl.filelist <<EOF
-/usr/lib/openldap/modules/back_perl*
+%{_libdir}/openldap/back_perl*
 %doc %{_mandir}/man5/slapd-perl.*
 EOF
 cat > openldap2-back-sock.filelist <<EOF
 %{_libdir}/openldap/back_sock*
 %doc %{_mandir}/man5/slapd-sock.*
 EOF
 cat > openldap2-back-meta.filelist <<EOF
-/usr/lib/openldap/modules/back_meta*
+%{_libdir}/openldap/back_meta*
 %doc %{_mandir}/man5/slapd-meta.*
 EOF
 cat > openldap2-back-sql.filelist <<EOF
-/usr/lib/openldap/modules/back_sql*
+%{_libdir}/openldap/back_sql*
 %doc %{_mandir}/man5/slapd-sql.*
 %doc servers/slapd/back-sql/examples
 %doc servers/slapd/back-sql/docs/bugs
 %doc servers/slapd/back-sql/docs/install
 EOF
 cat > openldap2-contrib.filelist <<EOF
 %{_libdir}/openldap/allowed.*
 %{_libdir}/openldap/allop.*
 %{_libdir}/openldap/autogroup.*
 %{_libdir}/openldap/lastbind.*
 %{_libdir}/openldap/noopsrch.*
 %{_libdir}/openldap/nops.*
 %{_libdir}/openldap/pw-sha2.*
 %{_libdir}/openldap/pw-pbkdf2.*
 %{_libdir}/openldap/denyop.*
 %{_libdir}/openldap/cloak.*
 %{_libdir}/openldap/smbk5pwd.*
 EOF
 cat >openldap2-doc.filelist <<EOF
 %dir %{DOCDIR}
 %doc %{DOCDIR}/drafts
@ -449,32 +535,20 @@ EOF
 cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \
 	openldap2-devel-static.filelist |
 %else
-cat openldap2.filelist openldap2-back-perl.filelist \
+cat openldap2.filelist openldap2-back-perl.filelist openldap2-back-sock.filelist \
    openldap2-back-meta.filelist openldap2-back-sql.filelist \
-    openldap2-doc.filelist
+    openldap2-doc.filelist openldap2-contrib.filelist |
 %endif
  grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do
-    rm -rf $RPM_BUILD_ROOT$name
+    rm -rf ${RPM_BUILD_ROOT}${name}
  done
 %if "%{name}" == "openldap2"
 %pre
 /usr/sbin/groupadd -g 70 -o -r ldap || :
-/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
+/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
 # try to figure out if a db update is needed
 if [ ${1:-0} -gt 1 ] && [ -f /usr/lib/openldap/slapd ] &&
    /usr/bin/strings /usr/lib/openldap/slapd | \
        grep "slapd 2.3" 2>&1 > /dev/null;
 then
    # create a backup of the schema shipped with 2.3
    # at least core.schema changed between 2.3 and 2.4
    TEMPDIR=`mktemp -d /etc/openldap/schema.backup.XXXXXX`
    echo "Schema backup created in $TEMPDIR"
    cp -p --remove-destination /etc/openldap/schema/* $TEMPDIR
    echo $TEMPDIR > /etc/openldap/UPDATE_NEEDED ;
 fi
 if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
-    touch /var/run/enable_slapd_service
+    touch %{_rundir}/enable_slapd_service
 fi
 %service_add_pre slapd.service
@ -486,7 +560,7 @@ fi
 %{fillup_only -n openldap ldap}
 %{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
 %service_add_post slapd.service
-if [ -f /var/run/enable_slapd_service ]; then
+if [ -f %{_rundir}/enable_slapd_service ]; then
    /usr/bin/systemctl --quiet enable slapd
 fi
@ -502,6 +576,9 @@ fi
 %files -n openldap2-back-perl -f openldap2-back-perl.filelist
 %defattr(-,root,root)
 %files -n openldap2-back-sock -f openldap2-back-sock.filelist
 %defattr(-,root,root)
 %files -n openldap2-back-meta -f openldap2-back-meta.filelist
 %defattr(-,root,root)
@ -511,6 +588,9 @@ fi
 %files -n openldap2-doc -f openldap2-doc.filelist
 %defattr(-,root,root)
 %files -n openldap2-contrib -f openldap2-contrib.filelist
 %defattr(-,root,root)
 %else
 %post -n libldap-2_4-2 -p /sbin/ldconfig
--- a/rfc2307bis.schema
+++ b/rfc2307bis.schema
@ -0,0 +1,288 @@
 # builtin
 #
 #attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
 #  DESC 'An integer uniquely identifying a user in an administrative domain'
 #  EQUALITY integerMatch
 #  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 #  SINGLE-VALUE )
 # builtin
 #
 #attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
 #  DESC 'An integer uniquely identifying a group in an
 #        administrative domain'
 #  EQUALITY integerMatch
 #  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 #  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
  DESC 'The GECOS field; the common name'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
  DESC 'The absolute path to the home directory'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
  DESC 'The path to the login shell'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
  DESC 'Service port number'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
  DESC 'Service protocol name'
  SUP name )
 attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
  DESC 'IP protocol number'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
  DESC 'ONC RPC number'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
  DESC 'IPv4 addresses as a dotted decimal omitting leading
        zeros or IPv6 addresses as defined in RFC2373'
  SUP name )
 attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
  DESC 'IP network as a dotted decimal, eg. 192.168,
        omitting leading zeros'
  SUP name
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
  DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
        omitting leading zeros'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
  DESC 'MAC address in maximal, colon separated hex
        notation, eg. 00:00:92:90:ee:e2'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
  DESC 'rpc.bootparamd parameter'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
  DESC 'Boot image name'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
  DESC 'Name of a A generic NIS map'
  SUP name )
 attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
  DESC 'A generic NIS entry'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
  DESC 'NIS public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
  DESC 'NIS secret key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
  DESC 'NIS domain'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
  DESC 'automount Map Name'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
  DESC 'Automount Key value'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
  DESC 'Automount information'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  DESC 'Abstraction of an account with POSIX attributes'
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
  MAY ( userPassword $ loginShell $ gecos $
        description ) )
 objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
  DESC 'Additional attributes for shadow passwords'
  MUST uid
  MAY ( userPassword $ description $
        shadowLastChange $ shadowMin $ shadowMax $
        shadowWarning $ shadowInactive $
        shadowExpire $ shadowFlag ) )
 objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
  DESC 'Abstraction of a group of accounts'
  MUST gidNumber
  MAY ( userPassword $ memberUid $
        description ) )
 objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
  DESC 'Abstraction an Internet Protocol service.
        Maps an IP port and protocol (such as tcp or udp)
        to one or more names; the distinguished value of
        the cn attribute denotes the services canonical
        name'
  MUST ( cn $ ipServicePort $ ipServiceProtocol )
  MAY description )
 objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
  DESC 'Abstraction of an IP protocol. Maps a protocol number
        to one or more names. The distinguished value of the cn
        attribute denotes the protocols canonical name'
  MUST ( cn $ ipProtocolNumber )
  MAY description )
 objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
  DESC 'Abstraction of an Open Network Computing (ONC)
       [RFC1057] Remote Procedure Call (RPC) binding.
       This class maps an ONC RPC number to a name.
       The distinguished value of the cn attribute denotes
       the RPC services canonical name'
  MUST ( cn $ oncRpcNumber )
  MAY description )
 objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
  DESC 'Abstraction of a host, an IP device. The distinguished
        value of the cn attribute denotes the hosts canonical
        name. Device SHOULD be used as a structural class'
  MUST ( cn $ ipHostNumber )
  MAY ( userPassword $ l $ description $ manager ) )
 objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
  DESC 'Abstraction of a network. The distinguished value of
        the cn attribute denotes the networks canonical name'
  MUST ipNetworkNumber
  MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
 objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
  DESC 'Abstraction of a netgroup. May refer to other netgroups'
  MUST cn
  MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
 objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
  DESC 'A generic abstraction of a NIS map'
  MUST nisMapName
  MAY description )
 objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
  DESC 'An entry in a NIS map'
  MUST ( cn $ nisMapEntry $ nisMapName )
  MAY description )
 objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
  DESC 'A device with a MAC address; device SHOULD be
        used as a structural class'
  MAY macAddress )
 objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
  DESC 'A device with boot parameters; device SHOULD be
        used as a structural class'
  MAY ( bootFile $ bootParameter ) )
 objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
  DESC 'An object with a public and secret key'
  MUST ( cn $ nisPublicKey $ nisSecretKey )
  MAY ( uidNumber $ description ) )
 objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
  DESC 'Associates a NIS domain with a naming context'
  MUST nisDomain )
 objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
  MUST ( automountMapName )
  MAY description )
 objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
  DESC 'Automount information'
  MUST ( automountKey $ automountInformation )
  MAY description )
 ## namedObject is needed for groups without members
 objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
       STRUCTURAL MAY cn )
--- a/slapd.conf.example
+++ b/slapd.conf.example
@ -0,0 +1,354 @@
 ############################################################################
 # See slapd.conf(5) for details on configuration options.
 # This file SHOULD NOT be world readable.
 #
 # Important note:
 # You surely have to adjust some settings to meet your (security)
 # requirements.
 # At least you should replace suffix "dc=example,dc=com" by
 # something meaningful for your setup.
 # If you plan to use OpenLDAP server as backend for Samba and/or Kerberos 
 # KDC then you MUST add decent ACLs for protecting user credentials!
 #
 # Read the man pages before changing something!
 #
 # You can debug the config by running (as root while slapd stopped):
 # /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
 ############################################################################
 #---------------------------------------------------------------------------
 # slapd global parameters
 #---------------------------------------------------------------------------
 # serverID must be unique across all provider replicas
 # for using multi-master replication (MMR)
 serverID 99
 # only alter this when you know what you're doing
 #threads 4
 # Run-time files
 pidfile /var/run/slapd/slapd.pid
 argsfile /var/run/slapd/slapd.args
 # for more debugging set:
 #loglevel config stats stats2
 loglevel stats
 #---------------------------------------------------------------------------
 # Load runtime loadable modules
 #---------------------------------------------------------------------------
 # Load additional backend modules installed by package 'openldap2'
 # The following backends are statically built-in and therefore don't have
 # to be loaded here:
 # config, ldif, monitor, bdb, hdb, ldap, mdb, relay
 #moduleload back_
 #moduleload back_
 #moduleload back_mdb
 #moduleload back_meta
 #moduleload back_sock
 # Load additional overlay modules installed by package 'openldap2'
 # The following overlay are statically built-in and therefore don't have
 # to be loaded here:
 # ppolicy, syncprov
 #moduleload accesslog
 #moduleload constraint
 #moduleload dds
 #moduleload deref
 #moduleload dynlist
 #moduleload memberof
 moduleload refint
 #moduleload sssvlv
 #moduleload translucent
 moduleload unique
 #moduleload valsort
 # Load additional overlay modules installed by package 'openldap2-contrib'
 #moduleload allowed
 #moduleload lastbind
 #moduleload noopsrch
 #moduleload pw-pbkdf2
 #moduleload pw-sha2
 #moduleload smbk5pwd
 #---------------------------------------------------------------------------
 # Include schema files
 #---------------------------------------------------------------------------
 # Schema files installed by package 'openldap2'
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/rfc2307bis.schema
 include /etc/openldap/schema/ppolicy.schema
 #include /etc/openldap/schema/yast.schema
 # Schema file installed by package 'dhcp-server'
 #include /etc/openldap/schema/dhcp.schema
 # Schema file installed by package 'samba'
 #include /etc/openldap/schema/samba3.schema
 # Schema file installed by package 'krb5-plugin-kdb-ldap'
 #include /usr/share/doc/packages/krb5/kerberos.schema
 #---------------------------------------------------------------------------
 # Transport Layer Security (TLS) configuration
 #---------------------------------------------------------------------------
 # require at least TLS 1.0 and highly secure ciphers
 #TLSProtocolMin 3.1
 #TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
 # TLS certificate and key files
 #TLSCACertificateFile /etc/ssl/ca-bundle.pem
 #TLSCertificateFile /etc/openldap/ssl.crt/server.crt
 #TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
 # For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
 #TLSDHParamFile /etc/openldap/ssl.key/dhparam
 #---------------------------------------------------------------------------
 # Password hashing
 #---------------------------------------------------------------------------
 #password-hash {CRYPT}
 # Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
 #password-crypt-salt-format "$6$%.12s"
 #---------------------------------------------------------------------------
 # Security requirements
 #---------------------------------------------------------------------------
 #disallow bind_anon
 #require bind LDAPv3 strong
 # SSF value for ldapi://
 localSSF 256
 # minimum required SSF value (security strength factor)
 # Sample security restrictions
 #       Require integrity protection (prevent hijacking)
 #       Require 112-bit (3DES or better) encryption for updates
 #       Require 63-bit encryption for simple bind
 # security ssf=1 update_ssf=112 simple_bind=64
 #security ssf=128 update_ssf=256 simple_bind=128
 security ssf=0
 #---------------------------------------------------------------------------
 # Global access control (ACLs)
 #---------------------------------------------------------------------------
 # Root DSE: allow anyone to read it
 access to
  dn.base=""
    by * read
 # Sub schema sub entry: allow anyone to read it
 access to
  dn.base="cn=Subschema"
    by * read
 #---------------------------------------------------------------------------
 # Authz-DN mappings
 #---------------------------------------------------------------------------
 # If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
 # System user root is mapped to the rootdn in database dc=example,dc=com
 # which has also read access on config and monitor databases
 authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,dc=example,dc=com"
 # Map local system user to LDAP entry
 # if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
 authz-regexp
  "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
  "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
 # this maps the attribute uid to a LDAP entry
 # if one of the typical password-based SASL mechs was used
 authz-regexp
  "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
  "ldap:///dc=example,dc=com??sub?(uid=$1)"
 # this maps the attribute uid to a LDAP entry
 # if one of the Kerberos based SASL mechs was used
 #authz-regexp
 #  "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
 #  "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
 # Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
 #authz-regexp
 #  "(.+)"
 #  "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
 #===========================================================================
 # Database specific configuration sections below
 # Required order of databases:
 # config (first), ...others..., monitor (last)
 #===========================================================================
 #---------------------------------------------------------------------------
 # cn=config // Configuration database (always first!)
 # see slapd-config(5)
 #---------------------------------------------------------------------------
 database config
 # Cleartext passwords, especially for the rootdn, should
 # be avoid!  See slappasswd(8) and slapd.conf(5) for details.
 # Best thing is not to set rootpw at all!
 # For local config access by root use LDAPI with SASL/EXTERNAL instead
 # (see above).
 #rootpw secret
 access to
  dn.subtree="cn=config"
    by dn.exact="cn=root,dc=example,dc=com" manage
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
    by * none
 #---------------------------------------------------------------------------
 # dc=example,dc=com // Example MDB database to be used by normal clients
 # see slapd-mdb(5)
 #---------------------------------------------------------------------------
 database mdb
 suffix "dc=example,dc=com"
 # rootdn has to be set for overlays' internal operations
 rootdn "cn=root,dc=example,dc=com"
 # Cleartext passwords, especially for the rootdn, should
 # be avoid! See slappasswd(8) and slapd.conf(5) for details.
 # Best thing is not to set rootpw at all!
 rootpw secret
 # The database directory MUST exist prior to running slapd and
 # SHOULD only be accessible by the slapd user 'ldap'.
 # mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
 directory /var/lib/ldap/example-db
 # Permissions of database files created
 mode 0600
 # extra information to be available in cn=monitor for this database
 monitoring on
 # Perform ACL checks on the content of a new entry being added
 add_content_acl on
 # backend-specific database parameters
 checkpoint 1024 5
 # 100 MB (you can raise the limit later)
 maxsize 104857600
 # Indices to maintain
 #
 # Whenever you change indexing configuration you have to re-run slapindex
 # while slapd being stopped!
 # Don't forget to fix ownership/permissions of newly generated index files
 # afterwards!
 # set always!
 index objectClass eq
 # for typical address book use
 index cn,sn,givenName,mail eq,sub
 # for user management
 index uid,uidNumber,gidNumber eq
 # for authz-regexp mapping of Kerberos principal name
 #index krbPrincipalName,krbPrincipalAlias eq
 # for authz-regexp mapping of client cert subject DNs
 #index seeAlso eq
 # for syncrepl
 index entryUUID,entryCSN eq
 # access control lists (ACLs) for dc=example,dc=com
 # see slapd.access(5) for details on access control lists (ACLs)
 # full read access also to 'userPassword' for group of replicas
 # and control is forwarded to subsequent ACLs
 access to
  dn.subtree=dc=example,dc=com
    by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
    by * break
 # write-only access to 'userPassword' for user, auth access else
 access to
  attrs=userPassword
    by self =w
    by * auth
 # 'userPKCS' must only be accessible by self
 access to
  attrs=userPKCS12
    by self write
    by * none
 # No access to history of passwords
 #access to
 #  attrs=pwdHistory
 #    by * none
 # Catch-all ACL for the rest
 access to
  dn.subtree=dc=example,dc=com
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
    by self read
    by users read
    by * auth
 # see slapo-ppolicy(5)
 overlay ppolicy
 # Default password policy entry
 #ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
 # Hash clear-text userPassword values sent in with add/modify operations
 #ppolicy_hash_cleartext
 # Return AccountLocked error code to client
 #ppolicy_use_lockout
 # see slapo-refint(5)
 overlay refint
 refint_attributes member seeAlso
 refint_nothing cn=dummy
 # Check sub-tree wide uniqueness of certain attributes
 # see slapo-unique(5)
 # you have to add eq-index for efficient uniqueness check!
 # Note that filter part is currently ignored because of OpenLDAP ITS#6825
 overlay unique
 unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
 unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
 #unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
 #unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
 #unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
 #unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
 #overlay syncprov
 #mirrormode on
 #---------------------------------------------------------------------------
 # cn=monitor // Monitoring database (always last!)
 # see slapd-monitor(5)
 #---------------------------------------------------------------------------
 database monitor
 access to
  dn.subtree="cn=monitor"
    by dn.exact="cn=root,dc=example,dc=com" write
    by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
    by users read
--- a/slapd.service
+++ b/slapd.service
@ -0,0 +1,11 @@
 [Unit]
 Description=OpenLDAP Server Daemon
 After=syslog.target network.target
 [Service]
 Type=forking
 ExecStart=/usr/lib/openldap/start
 [Install]
 WantedBy=multi-user.target
--- a/208
+++ b/208
@ -0,0 +1,208 @@
 #! /bin/sh
 # Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
 # Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
 # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # Author: Carsten Hoeger
 #         Ralf Haferkamp
 #
 # /etc/init.d/ldap
 #
 ### BEGIN INIT INFO
 # Provides:       ldap
 # Required-Start: $network $remote_fs
 # Required-Stop: $network $remote_fs
 # Default-Start:  3 5
 # Default-Stop:   0 1 2 6
 # Short-Description: OpenLDAP Server (slapd)
 # Description: Start and Stop the OpenLDAP Server (slapd) to
 #      provide LDAP directory services.
 ### END INIT INFO
 # Determine the base and follow a runlevel link name.
 base=${0##*/}
 link=${base#*[SK][0-9][0-9]}
 test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
 SLAPD_BIN=/usr/sbin/slapd
 LDAP_URLS=""
 LDAPS_URLS=""
 LDAPI_URLS=""
 SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
 SLAPD_PID_DIR="/var/run/slapd/"
 test -x $SLAPD_BIN || exit 5
 # Shell functions sourced from /etc/rc.status:
 #      rc_check         check and set local and overall rc status
 #      rc_status        check and set local and overall rc status
 #      rc_status -v     ditto but be verbose in local rc status
 #      rc_status -v -r  ditto and clear the local rc status
 #      rc_failed        set local and overall rc status to failed
 #      rc_failed <num>  set local and overall rc status to <num><num>
 #      rc_reset         clear local rc status (overall remains)
 #      rc_exit          exit appropriate to overall rc status
 . /etc/rc.status
 # First reset status of this service
 rc_reset
 function init_ldap_listener_urls(){
    case "$OPENLDAP_START_LDAP" in
        [Yy][Ee][Ss])
            if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
            then
                for iface in $OPENLDAP_LDAP_INTERFACES ;do
                    LDAP_URLS="$LDAP_URLS ldap://$iface"
                done
            else
                LDAP_URLS="ldap:///"
            fi
        ;;
    esac
 }
 function init_ldapi_listener_urls(){
    case "$OPENLDAP_START_LDAPI" in
        [Yy][Ee][Ss])
            if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
            then
                for iface in $OPENLDAP_LDAPI_INTERFACES ;do
                    esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
                    LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
                done
            else
                LDAPI_URLS="ldapi:///"
            fi
        ;;
    esac
 }
 function init_ldaps_listener_urls(){
    case "$OPENLDAP_START_LDAPS" in
        [Yy][Ee][Ss])
            if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
            then
                for iface in $OPENLDAP_LDAPS_INTERFACES ;do
                    LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
                done
            else
                LDAPS_URLS="ldaps:///"
            fi
        ;;
    esac
 }
 function check_connection(){
        SLAPD_TIMEOUT=10
        START=$( date +%s)
        while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
                ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
                LDAPSEARCH_RC=$?
                if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
                else sleep 1
                fi
        done
 }
 depth=0;
 function chown_database_dirs_bconfig() {
        ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
        for dir in $ldapdir; do
                [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
                        chown -R $OPENLDAP_USER $dir 2>/dev/null
                [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
                        chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
        done
 }
 function chown_database_dirs() {
        ldapdir=`grep ^directory $1 | awk '{print $2}'`
        for dir in $ldapdir; do
                [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
                        chown -R $OPENLDAP_USER $dir 2>/dev/null
                [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
                        chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
        done
        includes=`grep ^include $1 | awk '{print $2}'`
        if [ $depth -le 50 ]; then
                depth=$(( $depth + 1 ));
                for i in $includes; do
                        chown_database_dirs "$i" ;
                done
        fi
 }
 USER_CMD=""
 GROUP_CMD=""
 [ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
 [ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
 [ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
 if [ -f /etc/openldap/UPDATE_NEEDED ]; then
    rc_failed 6
    echo "  The configuration of your LDAP server needs to be updated."
    echo "  Please see /usr/share/doc/packages/openldap2/README.update"
    echo "  for details."
    echo "  After the update please remove the file:"
    echo "    /etc/openldap/UPDATE_NEEDED"
    rc_status -v
    exit
 fi
 # chown backend directories if OPENLDAP_CHOWN_DIRS ist set
 if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
    if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
        if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
            chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
            chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
            chown_database_dirs_bconfig "/etc/openldap/slapd.d"
        # assume back-config usage if slapd.conf is not present but slapd.d is
        elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
            chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
            chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
            chown_database_dirs_bconfig "/etc/openldap/slapd.d"
        else
            chown_database_dirs "/etc/openldap/slapd.conf"
            chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
        fi
        if test -f /etc/sasl2/slapd.conf ; then
        chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
        chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
        fi
        if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
            keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
            if test -f $keytabfile ; then
                chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null
                chmod g+r $keytabfile 2>/dev/null
            fi
        fi
    fi
 fi
 if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
    export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
 fi
 case "$OPENLDAP_REGISTER_SLP" in
    [Yy][Ee][Ss])
        SLAPD_SLP_REG="-o slp=on"
        ;;
    *)
        SLAPD_SLP_REG="-o slp=off"
        ;;
 esac
 init_ldap_listener_urls
 init_ldapi_listener_urls
 init_ldaps_listener_urls
 if [ ! -d $SLAPD_PID_DIR ]; then
    mkdir -p $SLAPD_PID_DIR
    chown ldap:ldap $SLAPD_PID_DIR
 fi
 echo -n "Starting ldap-server"
 exec $SLAPD_BIN  -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
        $SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
        $OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG
--- a/sysconfig.openldap
+++ b/sysconfig.openldap
@ -0,0 +1,158 @@
 ## Path:           Network/LDAP
 ## Description:    Basic Configuration of the OpenLDAP Directory Server
 ## Type:           yesno
 ## Default:        yes
 ## ServiceRestart: ldap
 #
 # If set to "no" the LDAP server will not accept any "normal" LDAP connections
 # but just connections over "ldaps" or "ldapi". Setting this to "no" does only
 # make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set 
 # "yes".
 #
 OPENLDAP_START_LDAP="yes"
 ## Type:           yesno
 ## Default:        no
 ## ServiceRestart: ldap
 #
 # If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
 # forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options 
 # to the /etc/openldap/slapd.conf (man slapd.conf).
 # Note: Don't confuse this with "START_TLS", the preferred method for 
 #       making encrypted LDAP connections, which is enabled as soon as You
 #       specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
 #       file
 #
 OPENLDAP_START_LDAPS="no"
 ## Type:           yesno
 ## Default:        no
 ## ServiceRestart: ldap
 #
 # If set to "yes", "ldap over IPC" feature of slapd will be enabled.
 # The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
 # Default: no
 #
 OPENLDAP_START_LDAPI="yes"
 ## Type:           string
 ## Default:        ""
 ## ServiceRestart: ldap
 #
 # If not empty, additional parameters for slapd daemon.
 # Default: ""
 #
 OPENLDAP_SLAPD_PARAMS=""
 ## Type:           string
 ## Default:        ldap
 ## ServiceRestart: ldap
 #
 # specifies a user, as which the openldap server should be executed
 # Default: ldap 
 #
 OPENLDAP_USER="ldap"
 ## Type:           string
 ## Default:        ldap
 ## ServiceRestart: ldap
 #
 # specifies a group, as which the openldap server should be executed
 # Default: ldap 
 #
 OPENLDAP_GROUP="ldap"
 ## Type:           yesno
 ## Default:        yes
 ## ServiceRestart: ldap
 #
 # If set to "yes" the init scripts will change the owner/group of the
 # different backend database directories (e.g. /var/lib/ldap) to the
 # user/group specified above
 #
 OPENLDAP_CHOWN_DIRS="yes"
 ## Type:           string
 ## Default:        ""
 ## ServiceRestart: ldap
 #
 # Use this to specify the interfaces that the server such accept
 # LDAP connections from. The values are specified in the format
 # <address>:<port>, where address is an IP address and port is the
 # portnumber, the daemon should listen to (defaulting to 389).  If this
 # parameter is empty the server will attach to all interfaces. This 
 # parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
 # "yes"
 # Default: "" 
 #
 OPENLDAP_LDAP_INTERFACES=""
 ## Type:           string
 ## Default:        ""
 ## ServiceRestart: ldap
 #
 # Use this to specify the interfaces that the server such accept
 # LDAPS connections from. The values are specified in the format
 # <address>:<port>, where address is an IP address and port is the
 # portnumber, the daemon should listen to (defaulting to 636).  If this
 # parameter is empty the server will attach to all interfaces.  This
 # parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
 # "yes"
 # Default: "" 
 #
 OPENLDAP_LDAPS_INTERFACES=""
 ## Type:           string
 ## Default:        ""
 ## ServiceRestart: ldap
 #
 # Use this to specify the paths of the Unix Domain Sockets that 
 # the server should create an accept incoming LDAPI connections
 # on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
 # is set to "yes".
 # Default: "" 
 #
 OPENLDAP_LDAPI_INTERFACES=""
 ## Type:           yesno
 ## Default:        "yes"
 ## ServiceRestart: ldap
 #
 # If set to "no" the LDAP server will not try itself at a running SLP
 # daemon.
 # Default: "yes" 
 #
 OPENLDAP_REGISTER_SLP="no"
 ## Type:           string
 ## Default:        ""
 ## ServiceRestart: ldap
 #
 # Set this to the name of the keytab, if you want to use a non-default
 # Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
 # this file will be changed so that the group OPENLDAP_GROUP has read
 # access to the file. 
 # Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
 # Default: "" 
 #
 OPENLDAP_KRB5_KEYTAB=""
 ## Type:           string
 ## Default:        "files"
 ## ServiceRestart: ldap
 #
 # Here you can configure which of the configuration backends you want to
 # use. Possible values are "files" for slapd.conf(5) styleconfiguration or
 # "ldap" for the slapd-config(5) LDAP based configuration backend.
 #
 OPENLDAP_CONFIG_BACKEND=""
 ## Type:           yesno
 ## Default:        "yes"
 ## ServiceRestart: ldap
 #
 # Here you can configure if the slapd shall start with or without memory limit.
 #
 OPENLDAP_MEMORY_LIMIT="yes"
--- a/yast.schema
+++ b/yast.schema
@ -0,0 +1,202 @@
 ## Some macros
 objectidentifier SUSE 1.3.6.1.4.1.7057
 objectidentifier SUSE.YaST SUSE:10.1
 objectidentifier SUSE.YaST.ModuleConfig SUSE:10.1.2
 objectidentifier SUSE.YaST.ModuleConfig.OC SUSE.YaST.ModuleConfig:1
 objectidentifier SUSE.YaST.ModuleConfig.Attr SUSE.YaST.ModuleConfig:2
 # Attributes
 # deprecated
 #
 #attributetype ( SUSE.YaST.ModuleConfig.Attr:1 NAME ( 'userConfigDn' )
 #	DESC 'Where is the configuration for user management stored'
 #	EQUALITY distinguishedNameMatch
 #	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:2 NAME ( 'suseDefaultBase' )
 	DESC 'Base DN where new Objects should be created by default'
 	EQUALITY distinguishedNameMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:3 NAME ( 'suseNextUniqueId' )
 	DESC 'Next unused unique ID, can be used to generate directory wide uniqe IDs'
 	EQUALITY integerMatch
 	ORDERING integerOrderingMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 	SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:4 NAME ( 'suseMinUniqueId' )
 	DESC 'lower Border for Unique IDs'
 	EQUALITY integerMatch
 	ORDERING integerOrderingMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 	SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:5 NAME ( 'suseMaxUniqueId' )
 	DESC 'upper Border for Unique IDs'
 	EQUALITY integerMatch
 	ORDERING integerOrderingMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 	SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:6 NAME ( 'suseDefaultTemplate' )
 	DESC 'The DN of a template that should be used by default'
 	EQUALITY distinguishedNameMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:7 NAME ( 'suseSearchFilter' )
 	DESC 'Search filter to localize Objects'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
 # deprecated
 #
 #attributetype ( SUSE.YaST.ModuleConfig.Attr:8 NAME ( 'DefaultObjectClass' )
 #	DESC 'ObjectClass that new Objects should use'
 #	EQUALITY caseIgnoreIA5Match
 #	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 #
 #attributetype ( SUSE.YaST.ModuleConfig.Attr:9 NAME ( 'suseRequiredAttribute' )
 #	DESC ''
 #	EQUALITY caseIgnoreIA5Match
 #	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 #
 #attributetype ( SUSE.YaST.ModuleConfig.Attr:10 NAME ( 'allowedAttribute' )
 #	DESC ''
 #	EQUALITY caseIgnoreIA5Match
 #	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:11 NAME ( 'suseDefaultValue' )
 	DESC 'an Attribute-Value-Assertions to define defaults for specific Attributes'
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:12 NAME ( 'suseNamingAttribute' )
 	DESC 'AttributeType that should be used as the RDN'
 	EQUALITY caseIgnoreIA5Match
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:15 NAME ( 'suseSecondaryGroup' )
 	DESC 'seconday group DN'
 	EQUALITY distinguishedNameMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:16 NAME ( 'suseMinPasswordLength' )
 	DESC 'minimum Password length for new users'
 	EQUALITY integerMatch
 	ORDERING integerOrderingMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 	SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:17 NAME ( 'suseMaxPasswordLength' )
 	DESC 'maximum Password length for new users'
 	EQUALITY integerMatch
 	ORDERING integerOrderingMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 	SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:18 NAME ( 'susePasswordHash' )
 	DESC 'Hash method to use for new users'
 	EQUALITY caseIgnoreIA5Match
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:19 NAME ( 'suseSkelDir' )
 	DESC ''
 	EQUALITY caseExactIA5Match
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:20 NAME ( 'susePlugin' )
 	DESC 'plugin to use upon user/ group creation'
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:21 NAME ( 'suseMapAttribute' )
 	DESC ''
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:22 NAME ( 'suseImapServer' )
 	DESC ''
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:23 NAME ( 'suseImapAdmin' )
 	DESC ''
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:24 NAME ( 'suseImapDefaultQuota' )
 	DESC ''
 	EQUALITY integerMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
        SINGLE-VALUE )
 attributetype ( SUSE.YaST.ModuleConfig.Attr:25 NAME ( 'suseImapUseSsl' )
 	DESC ''
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )
 # ObjectClasses
 objectClass ( SUSE.YaST.ModuleConfig.OC:2 NAME 'suseModuleConfiguration' 
        SUP top STRUCTURAL
 	DESC 'Contains configuration of Management Modules'
 	MUST ( cn )
 	MAY ( suseDefaultBase ))
 objectClass ( SUSE.YaST.ModuleConfig.OC:3 NAME 'suseUserConfiguration' 
        SUP suseModuleConfiguration STRUCTURAL
 	DESC 'Configuration of user management tools'
 	MAY ( suseMinPasswordLength $ suseMaxPasswordLength $ 
              susePasswordHash $ suseSkelDir $ suseNextUniqueId $ suseMinUniqueId $
              suseMaxUniqueId $ suseDefaultTemplate $ suseSearchFilter $ 
              suseMapAttribute ))
 objectClass ( SUSE.YaST.ModuleConfig.OC:4 NAME 'suseObjectTemplate' 
        SUP top STRUCTURAL
 	DESC 'Base Class for Object-Templates'
 	MUST ( cn )
 	MAY ( susePlugin $ suseDefaultValue $ suseNamingAttribute ))
 objectClass ( SUSE.YaST.ModuleConfig.OC:5 NAME 'suseUserTemplate' 
        SUP suseObjectTemplate STRUCTURAL
 	DESC 'User object template'
 	MUST ( cn )
 	MAY ( suseSecondaryGroup ))
 objectClass ( SUSE.YaST.ModuleConfig.OC:6 NAME 'suseGroupTemplate' 
        SUP suseObjectTemplate STRUCTURAL
 	DESC 'Group object template'
 	MUST ( cn ))
 objectClass ( SUSE.YaST.ModuleConfig.OC:7 NAME 'suseGroupConfiguration' 
        SUP suseModuleConfiguration STRUCTURAL
 	DESC 'Configuration of user management tools'
        MAY ( suseNextUniqueId $ suseMinUniqueId $ suseMaxUniqueId $ 
              suseDefaultTemplate $ suseSearchFilter $ suseMapAttribute ))
 objectClass ( SUSE.YaST.ModuleConfig.OC:8 NAME 'suseCaConfiguration'
        SUP suseModuleConfiguration STRUCTURAL
 	DESC 'Configuration of CA management tools')
 objectClass ( SUSE.YaST.ModuleConfig.OC:9 NAME 'suseDnsConfiguration' 
        SUP suseModuleConfiguration STRUCTURAL
 	DESC 'Configuration of mail server management tools')
 objectClass ( SUSE.YaST.ModuleConfig.OC:10 NAME 'suseDhcpConfiguration' 
        SUP suseModuleConfiguration STRUCTURAL
 	DESC 'Configuration of DHCP server management tools')
 objectClass ( SUSE.YaST.ModuleConfig.OC:11 NAME 'suseMailConfiguration' 
        SUP suseModuleConfiguration STRUCTURAL
 	DESC 'Configuration of IMAP user management tools'
        MUST ( suseImapServer $ suseImapAdmin $ suseImapDefaultQuota $
               suseImapUseSsl ))