openldap port from stx to yocto

Not complete yet. Missing ltb-project-openldap-ppolicy
This commit is contained in:
babak sarashki 2019-11-05 18:58:33 -08:00
parent cf25d967b7
commit 6fe3bd37d9
31 changed files with 1977 additions and 846 deletions

issues/openldap.patches Normal file

@ -0,0 +1,95 @@
Patch50: openldap-openssl-its7506-fix-DH-params-1.patch << openldap commit: 6f120920d359d3b880c5c56bde4c1b91c3bedb01
Patch51: openldap-openssl-its7506-fix-DH-params-2.patch << openldap commit: cfeb28412c28ce9feeea6e6c055286f201bd0a34
Patch52: openldap-openssl-ITS7595-Add-EC-support-1.patch
Patch53: openldap-openssl-ITS7595-Add-EC-support-2.patch
CentOS openldap commit level: d690e90fec0ecba6e9eb47bfc7ef8e311dce9eac tag: OPENLDAP_REL_ENG_2_4_44
Poky openldap commit level: 1c9416493bd219b08d839cd9e93fc64daa89b752 tag: OPENLDAP_REL_ENG_2_4_46
Whatchanged OPENLDAP_REL_ENG_2_4_44 OPENLDAP_REL_ENG_2_4_46:
commit eebf662409f646646fe2364c26f095d7c242ed2e
commit e2c6bec025ef6e38bb95e4b173d4c896de74152e
commit d8ccf649bcb17cb97541154f27a5673c13254d11
commit 9db93a138932ddbe68f2a4215d136383d4f3dc46
commit 556a832c4a7ed54d94d0ec204baba5865a36732a
commit 8144463186ddc6c7b1b2509244c0a2e4eba50539
commit ebf74c7bb1c079a640074a8685583a7ee0cb5d39
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
commit 47f8b3c425c5e1fe4097f0685bbe9aefe56ba911
commit 691dab11a0d6334c401bac59f476a382303c7a24
commit 38d0a8bbdebdf1af212c36008f7d7c2de2a28af4
commit 051f14f6d6809ff6074fd22e461bed71e160da92
commit d8c9c414ac6992f38378a95fbb510bfde93c1c0d
commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 << openldap-openssl-its7506-fix-DH-params-2.patch
commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 << openldap-openssl-its7506-fix-DH-params-1.patch
commit 9b5972dc9e14e1f7a7bef755bfd0dc61bcf1ffb3
commit b60820ee696c09bad18fd04fdd982df7af15c6c3
commit 35e549b49b1f58ec494bc05cc2718f82d20c30c6
commit 3370868748d330f896645965145ad77720c3aba6
commit 9cdb7b18a929d546a7681d3ac0f830821069c5a5
commit b46547ada17b4585cc5c40150933be325bb1e9ac
commit 1f723195873454ac2d46592deb5d2f7c6885993a
commit 42c1ff8a28d35482e9c34d063b4bd5d441bb364a
commit 769083f84816a380a4ae9bb48ab55631ff596751
commit 7761c923bab53870802c287611b17bb906ce3a0b
commit 6d0f6f414f90c67db850751915a6640668d6cd44
commit 1adee08e8912c1f47c7b170fe62bebdd9797921f
commit 158a47cbe467a6c50c6a6e85247959f20e51c1d4
commit 6c9b08ce2679fccb224dd02afd9221ed28623f9b
commit 77caf6040f1f5770460ddb56c2a304a0d0b8cbe8
commit 3a2e98e91c3a8f93e5b37cb7e5a76708194cff77
commit 49f2e6a5f703f874852fe60a1c5faaf362df4bdc
commit 1cee5dcd12701a972feb1dd974f3f393a97c6dca
commit 39ddec3a9cfa04f7f466a7ebbd8569e498a63a64
commit 988f1bbdc7590fc01c149a36eeb88a0cffd4c4bc
commit 2147c854efe9fac300ab7095df8dfc6c943d3b15
commit 4b7eb173e7953d9e5ecce80fc08709bcdd67d179
Cherry picked into CentOS: Adds Elliptic Curve support for Openssl and 2 dont use EC if openssl lacks it
commit e631ce808ed56119e61321463d06db7999ba5a08 << openldap-openssl-ITS7595-Add-EC-support-1.patch
commit 721e46fe6695077d63a3df6ea2e397920a72308d << openldap-openssl-ITS7595-Add-EC-support-2.patch
Poky:
commit eebf662409f646646fe2364c26f095d7c242ed2e << openldap repo: Cleanup
commit e2c6bec025ef6e38bb95e4b173d4c896de74152e << openldap repo: Cleanup
commit d8ccf649bcb17cb97541154f27a5673c13254d11 << openldap repo: ITS#8791 OpenSSL 1.1.1 BIOP_method
commit 9db93a138932ddbe68f2a4215d136383d4f3dc46 << openldap repo: ITS#8687 EGD is disabled by default in openssl 1.1. TODO validate on poky
commit 556a832c4a7ed54d94d0ec204baba5865a36732a << openldap repo: ITS#8353/ITS#8533 Cleanup
commit 8144463186ddc6c7b1b2509244c0a2e4eba50539 << openldap repo: ITS#8353/ITS#8533 libldap_r build error
commit ebf74c7bb1c079a640074a8685583a7ee0cb5d39 << openldap repo: ITS#8353/ITS#8533 / Dont use deprecated API with OpenSSL 1.1 or later
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8 << openldap repo: ITS#8529
commit 47f8b3c425c5e1fe4097f0685bbe9aefe56ba911 << openldap repo: ITS#8353/ITS#8533 OpenSSL 1.1.0c compat
commit 691dab11a0d6334c401bac59f476a382303c7a24 << openldap repo: Copyright update
commit 38d0a8bbdebdf1af212c36008f7d7c2de2a28af4 << openldap repo: ITS#8353
commit 051f14f6d6809ff6074fd22e461bed71e160da92 << openldap repo: ITS#8353
commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 << openldap-openssl-its7506-fix-DH-params-2.patch
commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 << openldap-openssl-its7506-fix-DH-params-1.patch
Patches:
0001-Various-manual-pages-changes.patch: ....................... Commit 9321119bac67aeb1a3d61fda9d1a60f32785468b /
0002-Correct-log-levels-in-ppolicy-overlay.patch: .............. Use Log3 instead of Debug
0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch:... Is this patch needed? Removes sql linking
0004-openlap-reentrant-gethostby.patch: ........................ Is this patch needed? use reentrant versions -- fix should be elsewhere -- test case?
0005-openldap-smbk5pwd-overlay.patch: .......................... Redo NOTE A.
0006-openldap-ldaprc-currentdir.patch:.......................... Disable openning of ldaprc file/ Keep this patch
0007-openldap-userconfig-setgid.patch: ......................... Adds same behavior as geteuid != getuid to getegid != getgid
0008-openldap-allop-overlay.patch: ............................. Redo NOTE A.
0009-openldap-syncrepl-unset-tls-options.patch: ................ Keep
0010-openldap-ai-addrconfig.patch: ............................. Keep Commit ebf0ef5cb11fc3f92715e644d95c1bf38cc33ebb.
0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch: Keep
0012-openldap-ldapi-sasl.patch: ................................ Keep 6c5a79be983fafa435454e9cce34a4658e31de79
0013-openldap-missing-unlock-in-accesslog-overlay.patch: ....... Keep but is this really needed
0014-openldap-module-passwd-sha2.patch: ........................ Redo NOTE A.
0015-openldap-man-tls-reqcert.patch: ........................... Keep
0016-openldap-man-ldap-conf.patch: ............................. Keep
0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch: ..... Keep for now. Removed in upstream ec2cb12e68923f7b3db60fe20935ca01d4a3932c
0018-openldap-tlsmc.patch: ..................................... Keep But is this needed. We are linking with openssl
0019-openldap-fedora-systemd.patch: ............................ Remove The fix needs to go into systemd ENV file
NOTE A:
These patches need cleanup.


@ -1,7 +1,7 @@
From 462675a5b797afb411de4506425f12ac6ebdf56a Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:28:29 -0800
Subject: [PATCH 01/19] Various manual pages changes:
Subject: [PATCH 01/20] Various manual pages changes:
remove LIBEXECDIR from slapd.8
remove references to non-existing manpages (bz 624616)


@ -1,7 +1,7 @@
From 35907952c646b971ba5b14002db2aac8d2324f21 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:30:27 -0800
Subject: [PATCH 02/19] Correct log levels in ppolicy overlay
Subject: [PATCH 02/20] Correct log levels in ppolicy overlay
From STX 1901 openldap-ppolicy-loglevels.patch
---


@ -1,7 +1,7 @@
From 15b7c5ebcbb607cd2edc2119dfefd16b41cddc21 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:32:09 -0800
Subject: [PATCH 03/19] Removes unnecessary linking of SQL Libs into slad.
Subject: [PATCH 03/20] Removes unnecessary linking of SQL Libs into slad.
This makes openldap-servers package independent of libodbc (SQL
backend is packaged separately in openldap-servers-sql.)


@ -1,7 +1,7 @@
From df22708bcbe727570daada3fbf8065a447444716 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:34:19 -0800
Subject: [PATCH 04/19] openlap reentrant gethostby
Subject: [PATCH 04/20] openlap reentrant gethostby
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which


@ -1,7 +1,7 @@
From 75e89e30c2ef819169b5f77b0ac8d450271f516b Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:35:23 -0800
Subject: [PATCH 05/19] openldap smbk5pwd overlay
Subject: [PATCH 05/20] openldap smbk5pwd overlay
Compile smbk5pwd together with other overlays.


@ -1,7 +1,7 @@
From b7f7a583e8a63b1787c3a98f4c43ccbb6c3e39df Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:36:48 -0800
Subject: [PATCH 06/19] openldap ldaprc currentdir
Subject: [PATCH 06/20] openldap ldaprc currentdir
From Stx 1901: openldap-ldaprc-currentdir.patch


@ -1,7 +1,7 @@
From c4906ff521df3f1c9fc4a302300fc135447ee40a Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:38:21 -0800
Subject: [PATCH 07/19] openldap userconfig setgid
Subject: [PATCH 07/20] openldap userconfig setgid
From Stx 1901: openldap-userconfig-setgid.patch


@ -1,7 +1,7 @@
From ac607279df96d4f29f0778ad2657b1f962b496bb Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:40:33 -0800
Subject: [PATCH 08/19] openldap allop overlay
Subject: [PATCH 08/20] openldap allop overlay
From Stx 1901: openldap-allop-overlay.patch


@ -1,7 +1,7 @@
From d87f33bf42e3ee1ce47ea61fde809fe693eede87 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:42:04 -0800
Subject: [PATCH 09/19] openldap syncrepl unset tls options
Subject: [PATCH 09/20] openldap syncrepl unset tls options
From Stx 1901: openldap-syncrepl-unset-tls-options.patch


@ -1,7 +1,7 @@
From 6fcc222021258cf00cef05bdc487c614c33ab371 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:44:05 -0800
Subject: [PATCH 10/19] openldap ai addrconfig
Subject: [PATCH 10/20] openldap ai addrconfig
From stx 1901: openldap-ai-addrconfig.patch
use AI_ADDRCONFIG if defined in the environment


@ -1,7 +1,7 @@
From b0b00385bf7564fa39f711f958b90512559f7f70 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:45:27 -0800
Subject: [PATCH 11/19] openldap switch to t_dlopenadvise to get RTLD_GLOBAL
Subject: [PATCH 11/20] openldap switch to t_dlopenadvise to get RTLD_GLOBAL
set
From-stx-1901: openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL-set.patch


@ -1,7 +1,7 @@
From 4533a8029bdb309eaa63ebb68d71243fa1f9835a Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:47:27 -0800
Subject: [PATCH 12/19] openldap ldapi sasl
Subject: [PATCH 12/20] openldap ldapi sasl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From 7cc8c2c22dc6a5999554e64b25f162b3673cd922 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:48:29 -0800
Subject: [PATCH 13/19] openldap missing unlock in accesslog overlay
Subject: [PATCH 13/20] openldap missing unlock in accesslog overlay
From stx 1901: openldap-missing-unlock-in-accesslog-overlay.patch
A mutex lock might not get unlocked when plausible


@ -1,7 +1,7 @@
From 1281efe5b451e0fd030406bc68be9d1f9356adc5 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 14:55:58 -0800
Subject: [PATCH 14/19] openldap module passwd sha2
Subject: [PATCH 14/20] openldap module passwd sha2
From Stx 1901: openldap-module-passwd-sha2.patch
Include sha2 module


@ -1,7 +1,7 @@
From 5b8f3344a00d1623d54d1e1de9e7207895067473 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 15:13:00 -0800
Subject: [PATCH 15/19] openldap man tls reqcert
Subject: [PATCH 15/20] openldap man tls reqcert
From Stx 1901: openldap-man-tls-reqcert.patch
From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001


@ -1,7 +1,7 @@
From 8196f53139c4d7e6c1cb8508d1a421299f7eaa61 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 15:14:39 -0800
Subject: [PATCH 16/19] openldap man ldap conf
Subject: [PATCH 16/20] openldap man ldap conf
From Stx 1901: openldap-man-ldap-conf.patch


@ -1,7 +1,7 @@
From 4e495a37939a605577c72ed43e1f5a3ab3780611 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 15:16:35 -0800
Subject: [PATCH 17/19] openldap bdb_idl_fetch_key correct key pointer
Subject: [PATCH 17/20] openldap bdb_idl_fetch_key correct key pointer
From Stx 1901: openldap-bdb_idl_fetch_key-correct-key-pointer.patch


@ -1,7 +1,7 @@
From 35b08487213749c6da625a446f605b6e7f74d07f Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 15:24:11 -0800
Subject: [PATCH 18/19] openldap tlsmc
Subject: [PATCH 18/20] openldap tlsmc
From Stx 1901: openldap-tlsmc.patch
---


@ -1,35 +0,0 @@
From 4cec0c0cc03d8e9e942be6126676853603487575 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Sun, 3 Nov 2019 15:25:21 -0800
Subject: [PATCH 19/19] openldap fedora systemd
From stx 1901: openldap-fedora-systemd.patch
Skip any empty parameters when parsing command line options.
This is required because systemd does not expand variables the same way as shell does,
we need it because of an empty SLAPD_OPTIONS in environment file.
Fedora specific patch.
Author: Jan Vcelak <jvcelak@redhat.com>
---
servers/slapd/main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index c212209..23f7656 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -685,6 +685,10 @@ unhandled_option:;
}
}
+ /* skip empty parameters */
+ while ( optind < argc && *argv[optind] == '\0' )
+ optind += 1;
+
if ( optind != argc )
goto unhandled_option;
--
2.17.1


@ -1,15 +1,26 @@
ITS#7595 Add Elliptic Curve support for OpenSSL
From dc82cdf9c6c25c69c7eee203d1c4f4c91f969ba9 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Tue, 5 Nov 2019 09:30:49 -0800
Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support
Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 09:47:19 2013 -0700
From e631ce808ed56119e61321463d06db7999ba5a08
From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch
---
doc/man/man5/slapd-config.5 | 7 +++++++
doc/man/man5/slapd.conf.5 | 7 +++++++
include/ldap.h | 1 +
libraries/libldap/ldap-int.h | 2 ++
libraries/libldap/tls2.c | 17 +++++++++++++++++
libraries/libldap/tls_o.c | 33 ++++++++++++++++++++++++++++++---
servers/slapd/bconfig.c | 12 +++++++++++-
7 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 49a3959ae..9cd0a4dd1 100644
index 42032d4..733ff1e 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -918,6 +918,13 @@ from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
@@ -922,6 +922,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
@ -23,12 +34,12 @@ index 49a3959ae..9cd0a4dd1 100644
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index e2344547e..4eb238162 100644
index 2d4431f..ffe74ff 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1149,6 +1149,13 @@ from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS these parameters are always generated randomly so
this directive is ignored. This directive is ignored when using Mozilla NSS.
@@ -1153,6 +1153,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
@ -41,7 +52,7 @@ index e2344547e..4eb238162 100644
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/include/ldap.h b/include/ldap.h
index d4d10fa79..9922c9fa8 100644
index 7bc0644..bb22cb8 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
@ -53,7 +64,7 @@ index d4d10fa79..9922c9fa8 100644
#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 1a26b3cb0..5fff785d8 100644
index 15092c1..f504f44 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
@ -73,7 +84,7 @@ index 1a26b3cb0..5fff785d8 100644
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index a616133da..f39546450 100644
index 198d0b1..ba4b9c5 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
@ -106,7 +117,7 @@ index a616133da..f39546450 100644
#endif
return rc;
}
@@ -674,6 +683,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
@@ -686,6 +695,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
@ -117,7 +128,7 @@ index a616133da..f39546450 100644
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -796,6 +809,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
@@ -808,6 +821,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
@ -129,10 +140,10 @@ index a616133da..f39546450 100644
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index a2d9cd31f..1a81bc625 100644
index 92c708b..45afc11 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -296,10 +296,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
@@ -371,10 +371,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
@ -145,7 +156,7 @@ index a2d9cd31f..1a81bc625 100644
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
@@ -318,7 +317,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
@@ -393,7 +392,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
@ -182,7 +193,7 @@ index a2d9cd31f..1a81bc625 100644
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 8ade0c3f2..5a3c67a72 100644
index 250f141..8b1e4e5 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
@ -225,3 +236,6 @@ index 8ade0c3f2..5a3c67a72 100644
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif
--
2.17.1
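Review bot: The new git-format-patch Subject line names the issue as ITS7596, while the patch title directly above it ("ITS#7595 Add Elliptic Curve support for OpenSSL"), the cherry-picked upstream commit e631ce808ed56119e61321463d06db7999ba5a08 and the source file name openldap-openssl-ITS7595-Add-EC-support-1.patch all say ITS#7595; the companion file in the next section ([PATCH 20/20] "... ITS7596 Add EC support patch 2") carries the same typo. Suggested: `Subject: [PATCH 19/20] openldap openssl ITS7595 Add EC support` and `Subject: [PATCH 20/20] openldap openssl ITS7595 Add EC support patch 2`. The From: header credits the porter while the body keeps "Author: Howard Chu <hyc@openldap.org>"; if upstream attribution is meant to survive git am, the original author belongs in the From: header with the cherry-pick note left in the body. Each file in this patch also shows two index lines (for example index 49a3959ae..9cd0a4dd1 next to index 42032d4..733ff1e); if that is only the rendered old/new pair this is fine, but if both lines are in the new file the stale pre-rebase one should be dropped so the patch applies cleanly.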


@ -1,14 +1,19 @@
ITS#7595 don't try to use EC if OpenSSL lacks it
From 14058818a2d2aa42427a0e9433957c90a1264ec5 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Tue, 5 Nov 2019 09:50:55 -0800
Subject: [PATCH 20/20] openldap openssl ITS7596 Add EC support patch 2
Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
Author: Howard Chu <hyc@openldap.org>
Date: Sun Sep 8 06:32:23 2013 -0700
From 721e46fe6695077d63a3df6ea2e397920a72308d
From stx 1901 openldap-openssl-ITS7595-Add-EC-support-2.patch
---
libraries/libldap/tls_o.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1a81bc625..71c2b055c 100644
index 45afc11..0a70156 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
@@ -396,8 +396,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh );
}
@ -22,7 +27,7 @@ index 1a81bc625..71c2b055c 100644
EC_KEY *ecdh;
int nid = OBJ_sn2nid( lt->lt_ecname );
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
@@ -419,8 +423,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
@ -32,3 +37,6 @@ index 1a81bc625..71c2b055c 100644
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
--
2.17.1


@ -0,0 +1,997 @@
From 2adc9fa71e3a47542793e61c7794629fa9255a57 Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Tue, 5 Nov 2019 14:49:06 -0800
Subject: [PATCH] openldap and stx source and config files
From stx 1901 openldap-2.4.44-21.el7_6.src.rpm
---
stx-sources/ldap.conf | 18 +++
stx-sources/libexec-check-config.sh | 91 ++++++++++++
stx-sources/libexec-convert-config.sh | 79 ++++++++++
stx-sources/libexec-create-certdb.sh | 70 +++++++++
stx-sources/libexec-functions | 136 +++++++++++++++++
stx-sources/libexec-generate-server-cert.sh | 118 +++++++++++++++
stx-sources/libexec-update-ppolicy-schema.sh | 142 ++++++++++++++++++
stx-sources/libexec-upgrade-db.sh | 40 +++++
stx-sources/openldap.tmpfiles | 3 +
stx-sources/slapd.ldif | 148 +++++++++++++++++++
stx-sources/slapd.service | 19 +++
stx-sources/slapd.sysconfig | 15 ++
stx-sources/slapd.tmpfiles | 2 +
13 files changed, 881 insertions(+)
create mode 100644 stx-sources/ldap.conf
create mode 100755 stx-sources/libexec-check-config.sh
create mode 100755 stx-sources/libexec-convert-config.sh
create mode 100755 stx-sources/libexec-create-certdb.sh
create mode 100644 stx-sources/libexec-functions
create mode 100755 stx-sources/libexec-generate-server-cert.sh
create mode 100755 stx-sources/libexec-update-ppolicy-schema.sh
create mode 100755 stx-sources/libexec-upgrade-db.sh
create mode 100644 stx-sources/openldap.tmpfiles
create mode 100644 stx-sources/slapd.ldif
create mode 100644 stx-sources/slapd.service
create mode 100644 stx-sources/slapd.sysconfig
create mode 100644 stx-sources/slapd.tmpfiles
diff --git a/stx-sources/ldap.conf b/stx-sources/ldap.conf
new file mode 100644
index 0000000..aa6f8fd
--- /dev/null
+++ b/stx-sources/ldap.conf
@@ -0,0 +1,18 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+TLS_CACERTDIR /etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
diff --git a/stx-sources/libexec-check-config.sh b/stx-sources/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/stx-sources/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+ retcode=0
+ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+ if [ $? -ne 0 ]; then
+ error "Checking configuration file failed:"
+ cat $tmp_slaptest >&2
+ retcode=1
+ fi
+ rm $tmp_slaptest
+ return $retcode
+}
+
+function check_certs_perms()
+{
+ retcode=0
+ for cert in `certificates`; do
+ run_as_ldap "/usr/bin/test -e \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' was not found." "$cert"
+ retcoder=1
+ continue
+ fi
+ run_as_ldap "/usr/bin/test -r \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
+ retcode=1
+ fi
+ done
+ return $retcode
+}
+
+function check_db_perms()
+{
+ retcode=0
+ for dbdir in `databases`; do
+ [ -d "$dbdir" ] || continue
+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+ if [ $? -ne 0 ]; then
+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
+ retcode=1
+ fi
+ done
+ done
+ return $retcode
+}
+
+function check_everything()
+{
+ retcode=0
+ check_config_syntax || retcode=1
+ # TODO: need support for Mozilla NSS, disabling temporarily
+ #check_certs_perms || retcode=1
+ check_db_perms || retcode=1
+ return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this script."
+ exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+ else
+ check_everything
+ exit $?
+ fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+ else
+ error "Warning: Usage of a configuration file is obsolete!"
+ check_everything
+ exit $?
+ fi
+fi
+
+exit 1
diff --git a/stx-sources/libexec-convert-config.sh b/stx-sources/libexec-convert-config.sh
new file mode 100755
index 0000000..824c3b1
--- /dev/null
+++ b/stx-sources/libexec-convert-config.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function help()
+{
+ error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
+ exit 2
+}
+
+load_sysconfig
+
+while getopts :f:F: opt; do
+ case "$opt" in
+ f)
+ SLAPD_CONFIG_FILE="$OPTARG"
+ ;;
+ F)
+ SLAPD_CONFIG_DIR="$OPTARG"
+ ;;
+ *)
+ help
+ ;;
+ esac
+done
+shift $((OPTIND-1))
+[ -n "$1" ] && help
+
+# check source, target
+
+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
+ exit 1
+fi
+
+if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
+ SLAPD_CONFIG_FILE_FORMAT=ldif
+else
+ SLAPD_CONFIG_FILE_FORMAT=conf
+fi
+
+if [ -d "$SLAPD_CONFIG_DIR" ]; then
+ if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
+ error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
+ exit 1
+ fi
+fi
+
+# perform the conversion
+
+tmp_convert=`mktemp --tmpdir=/var/run/openldap`
+
+if [ `id -u` -eq 0 ]; then
+ install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+ run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
+ else
+ run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
+ fi
+ retcode=$?
+else
+ error "You are not root! Permission will not be set."
+ install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+ /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
+ else
+ /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+ fi
+ retcode=$?
+fi
+
+if [ $retcode -ne 0 ]; then
+ error "Configuration conversion failed:"
+ cat $tmp_convert >&2
+fi
+
+rm $tmp_convert
+exit $retcode
diff --git a/stx-sources/libexec-create-certdb.sh b/stx-sources/libexec-create-certdb.sh
new file mode 100755
index 0000000..2377fdd
--- /dev/null
+++ b/stx-sources/libexec-create-certdb.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+
+# internals
+
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
+RANDOM_SOURCE=/dev/urandom
+PASSWORD_BYTES=32
+
+# parse arguments
+
+usage() {
+ printf "usage: create-certdb.sh [-d certdb]\n" >&2
+ exit 1
+}
+
+while getopts "d:" opt; do
+ case "$opt" in
+ d)
+ CERTDB_DIR="$OPTARG"
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# verify target location
+
+if [ ! -d "$CERTDB_DIR" ]; then
+ printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
+ printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+# create the database
+
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
+
+PASSWORD_FILE="$CERTDB_DIR/password"
+OLD_UMASK="$(umask)"
+umask 0377
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
+umask "$OLD_UMASK"
+
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
+
+# load module with builtin CA certificates
+
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
+
+# tune permissions
+
+for dbfile in "$CERTDB_DIR"/*.db; do
+ chmod 0644 "$dbfile"
+done
+
+exit 0
diff --git a/stx-sources/libexec-functions b/stx-sources/libexec-functions
new file mode 100644
index 0000000..98c8631
--- /dev/null
+++ b/stx-sources/libexec-functions
@@ -0,0 +1,136 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+ SLAPD_USER=ldap
+ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+ SLAPD_CONFIG_CUSTOM=
+ SLAPD_GLOBAL_OPTIONS=
+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+ user=
+ config_file=
+ config_dir=
+ while getopts :u:f:F: opt; do
+ case "$opt" in
+ u)
+ user="$OPTARG"
+ ;;
+ f)
+ config_file="$OPTARG"
+ ;;
+ F)
+ config_dir="$OPTARG"
+ ;;
+ esac
+ done
+
+ unset OPTIND
+
+ if [ -n "$user" ]; then
+ SLAPD_USER="$user"
+ fi
+
+ if [ -n "$config_dir" ]; then
+ SLAPD_CONFIG_DIR="$config_dir"
+ SLAPD_CONFIG_FILE=
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+ elif [ -n "$config_file" ]; then
+ SLAPD_CONFIG_DIR=
+ SLAPD_CONFIG_FILE="$config_file"
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+ fi
+}
+
+function uses_new_config()
+{
+ [ -n "$SLAPD_CONFIG_DIR" ]
+ return $?
+}
+
+function run_as_ldap()
+{
+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+ return $?
+}
+
+function ldif_unbreak()
+{
+ sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+ sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcDbDirectory: ' | \
+ ldif_value
+}
+
+function databases_old()
+{
+ awk 'begin { database="" }
+ $1 == "database" { database=$2 }
+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+ ldif_value
+}
+
+function certificates_old()
+{
+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+ uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+ uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+ format="$1\n"; shift
+ printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+ . "$SLAPD_SYSCONFIG_FILE"
+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
diff --git a/stx-sources/libexec-generate-server-cert.sh b/stx-sources/libexec-generate-server-cert.sh
new file mode 100755
index 0000000..e2f4974
--- /dev/null
+++ b/stx-sources/libexec-generate-server-cert.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+CERT_NAME="OpenLDAP Server"
+PASSWORD_FILE=
+HOSTNAME_FQDN="$(hostname --fqdn)"
+ALT_NAMES=
+ONCE=0
+
+# internals
+
+RANDOM_SOURCE=/dev/urandom
+CERT_RANDOM_BYTES=256
+CERT_KEY_TYPE=rsa
+CERT_KEY_SIZE=1024
+CERT_VALID_MONTHS=12
+
+# parse arguments
+
+usage() {
+ printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
+ printf " [-p password-file] [-h hostnames]\n" >&2
+ printf " [-a dns-alt-names] [-o]\n" >&2
+ exit 1
+}
+
+while getopts "d:n:p:h:a:o" opt; do
+ case "$opt" in
+ d)
+ CERTDB_DIR="$OPTARG"
+ ;;
+ n)
+ CERT_NAME="$OPTARG"
+ ;;
+ p)
+ PASSWORD_FILE="$OPTARG"
+ ;;
+ h)
+ HOSTNAME_FQDN="$OPTARG"
+ ;;
+ a)
+ ALT_NAMES="$OPTARG"
+ ;;
+ o)
+ ONCE=1
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# generated options
+
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
+
+# verify target location
+
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
+ printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
+ exit 0
+fi
+
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
+ printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
+
+if [ ! -r "$PASSWORD_FILE" ]; then
+ printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
+ exit 1
+fi
+
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
+ printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
+ exit 1
+fi
+
+# generate server certificate (self signed)
+
+
+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
+ -S -x -n "$CERT_NAME" \
+ -s "CN=$HOSTNAME_FQDN" \
+ -t TC,, \
+ -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
+ -v $CERT_VALID_MONTHS \
+ -8 "$ALT_NAMES" \
+ &>/dev/null
+
+rm -f $CERT_RANDOM
+
+# tune permissions
+
+if [ "$(id -u)" -eq 0 ]; then
+ chgrp ldap "$PASSWORD_FILE"
+ chmod g+r "$PASSWORD_FILE"
+else
+ printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
+ printf " load it's private key from the certificate database.\n" >&2
+fi
+
+touch "$ONCE_FILE"
+exit 0
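Review bot: `CERT_KEY_SIZE=1024` in the internals block makes the self-signed server key a 1024-bit RSA key, which current TLS clients and hardened NSS/OpenSSL policy builds reject; set `CERT_KEY_SIZE=2048`. `CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)` places the seed file in a directory that slapd.tmpfiles creates as `0755 ldap ldap`, so when the script runs as root the later `dd ... of=$CERT_RANDOM` writes by path into a directory the service account controls; plain `mktemp` (honouring `TMPDIR`) avoids that, and the variable should be quoted in both the `dd` line and `rm -f "$CERT_RANDOM"`. `touch "$ONCE_FILE"` runs even when `-o` was not given, which is presumably intended so that a later `-o` invocation is skipped, but deserves a comment such as `# mark generation done so a subsequent -o run is a no-op`.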
diff --git a/stx-sources/libexec-update-ppolicy-schema.sh b/stx-sources/libexec-update-ppolicy-schema.sh
new file mode 100755
index 0000000..a853b27
--- /dev/null
+++ b/stx-sources/libexec-update-ppolicy-schema.sh
@@ -0,0 +1,142 @@
+#!/bin/bash
+# This script serves one purpose, to add a possibly missing attribute
+# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
+# attribute was introduced in openldap-2.4.43 and slapd will not
+# start without it later on.
+#
+# The script tries to update in a directory given as first parameter,
+# or in /etc/openldap/slapd.d implicitly.
+#
+# Author: Matus Honek <mhonek@redhat.com>
+# Bugzilla: #1487857
+
+function log {
+ echo "Update dynamic configuration: " $@
+ true
+}
+
+function iferr {
+ if [ $? -ne 0 ]; then
+ log "ERROR: " $@
+ true
+ else
+ false
+ fi
+}
+
+function update {
+ set -u
+ shopt -s extglob
+
+ ORIGINAL="${1:-/etc/openldap/slapd.d}"
+ ORIGINAL="${ORIGINAL%*(/)}"
+
+ ### check if necessary
+ grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
+ [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
+
+ ### prep
+ log "Prepare environment."
+
+ TEMPDIR=$(mktemp -d)
+ iferr "Could not create a temporary directory. Quitting." && return 1
+ DBDIR="${TEMPDIR}/db"
+ SUBDBDIR="${DBDIR}/cn=temporary"
+
+ mkdir "${DBDIR}"
+ iferr "Could not create temporary configuration directory. Quitting." && return 1
+ cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
+ iferr "Could not copy configuration. Quitting." && return 1
+
+ pushd "$TEMPDIR" >/dev/null
+
+ cat > temp.conf <<EOF
+database ldif
+suffix cn=temporary
+directory db
+access to * by * manage
+EOF
+
+ SOCKET="$(pwd)/socket"
+ LISTENER="ldapi://${SOCKET//\//%2F}"
+ CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")
+
+ slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
+ SLAPDPID="$!"
+ sleep 2
+
+ ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
+dn: cn=temporary
+objectClass: olcGlobal
+cn: temporary
+EOF
+ iferr "Could not populate the temporary database. Quitting." && return 1
+
+ ### update
+ log "Update with new pwdMaxRecordedFailure attribute."
+ FILTER="(&"
+ FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
+ FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
+ FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
+ FILTER+=")"
+ RES=$(ldapsearch ${CONN_PARAMS[@]} \
+ -b cn=schema,cn=config,cn=temporary \
+ -LLL \
+ -o ldif-wrap=no \
+ "$FILTER" \
+ dn olcObjectClasses \
+ 2>/dev/null \
+ | sed '/^$/d')
+ DN=$(printf "$RES" | grep '^dn:')
+ OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
+ NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
+
+ test $(echo "$DN" | wc -l) = 1
+ iferr "Received more than one DN. Cannot continue. Quitting." && return 1
+ test "$NEWOC" != "$OC"
+ iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
+
+ ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
+$DN
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
+ e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
+ 1466.115.121.1.27 SINGLE-VALUE )
+-
+delete: olcObjectClasses
+$OC
+-
+add: olcObjectClasses
+$NEWOC
+EOF
+ iferr "Updating with new attribute failed. Quitting." && return 1
+
+ popd >/dev/null
+
+ ### apply
+ log "Apply changes."
+ cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
+ iferr "Backing up old configuration failed. Quitting." && return 1
+ cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
+ iferr "Applying new configuration failed. Quitting." && return 1
+
+ ### clean up
+ log "Clean up."
+ kill "$SLAPDPID"
+ SLAPDPID=
+ rm -rf "$TEMPDIR"
+ TEMPDIR=
+}
+
+SLAPDPID=
+TEMPDIR=
+update "$1"
+if [ $? -ne 0 ]; then
+ log "Clean up."
+ echo "$SLAPDPID"
+ echo "$TEMPDIR"
+ kill "$SLAPDPID"
+ rm -rf "$TEMPDIR"
+fi
+log "Finished."
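Review bot: `DN=$(printf "$RES" | grep '^dn:')` and the `OC=` line below pass LDAP search output as the printf format string, so any `%` or backslash sequence in a schema definition is interpreted instead of printed; use `printf '%s\n' "$RES" | grep ...` on both lines. In the trailer, `echo "$SLAPDPID"` and `echo "$TEMPDIR"` read as leftover debugging output, and `kill "$SLAPDPID"` is reached with an empty argument on the failure paths that `return 1` before `slapd -f temp.conf` is started, producing a usage error; guard it with `[ -n "$SLAPDPID" ] && kill "$SLAPDPID"`. The `return 1` paths after `pushd` leave the temporary slapd running until the trailer kills it and never `popd`, which is harmless only because the script exits right after, so a comment stating that would help. `${CONN_PARAMS[@]}` is expanded unquoted in the three ldap* calls; `"${CONN_PARAMS[@]}"` is the safe form.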
diff --git a/stx-sources/libexec-upgrade-db.sh b/stx-sources/libexec-upgrade-db.sh
new file mode 100755
index 0000000..1543c80
--- /dev/null
+++ b/stx-sources/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this command."
+ exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+ # skip uninitialized database
+ [ -z "$bdb_files"] || continue
+
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+ # perform the update
+ for command in \
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+ ; do
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
+ run_as_ldap "$command" &>>$upgrade_log
+ result=$?
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
+ if [ $result -ne 0 ]; then
+ printf "Upgrade failed: %d\n" $result
+ retcode=1
+ fi
+ done
+done
+
+exit $retcode
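Review bot: `[ -z "$bdb_files"] || continue` has no space before `]`, so `test` fails with a missing-bracket error and `continue` fires for every database; and even with the space the sense is inverted relative to the comment, since an uninitialized database is the one with no `*.bdb` files, so the line should be `[ -n "$bdb_files" ] || continue`. The file is `#!/bin/sh` but the two `&>>$upgrade_log` redirections are bash-only; under a POSIX sh they parse as `&` followed by `>>file`, which backgrounds `run_as_ldap`, sends its output to the terminal and leaves `result=$?` at 0, so upgrade failures are never reported — use `>>"$upgrade_log" 2>&1` on both lines or change the shebang to bash. `bdb_files` is built with `find -printf '"%f" '` and spliced into a command string that `run_as_ldap` hands to a shell, so a filename containing a double quote in the ldap-owned database directory breaks the quoting; passing `-h "$dbdir"` and letting `db_upgrade` take the names unquoted via a loop would be more robust, but at minimum this deserves a comment.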
diff --git a/stx-sources/openldap.tmpfiles b/stx-sources/openldap.tmpfiles
new file mode 100644
index 0000000..aa0e805
--- /dev/null
+++ b/stx-sources/openldap.tmpfiles
@@ -0,0 +1,3 @@
+# OpenLDAP TLSMC runtime directories
+x /tmp/openldap-tlsmc-*
+X /tmp/openldap-tlsmc-*
diff --git a/stx-sources/slapd.ldif b/stx-sources/slapd.ldif
new file mode 100644
index 0000000..7b7f328
--- /dev/null
+++ b/stx-sources/slapd.ldif
@@ -0,0 +1,148 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+#
+# TLS settings
+#
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: "OpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
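Review bot: The TLS block `olcTLSCertificateFile: "OpenLDAP Server"` / `olcTLSCertificateKeyFile: /etc/openldap/certs/password` follows the Mozilla NSS convention (a certificate nickname plus the NSS database password file), which only works when slapd is linked against NSS; the patch list this commit carries is OpenSSL-specific, so if this port builds against OpenSSL these must become PEM paths, e.g. `olcTLSCertificateFile: /etc/openldap/certs/slapd.crt` and `olcTLSCertificateKeyFile: /etc/openldap/certs/slapd.key` (constructed example names), and `libexec-generate-server-cert.sh`, which drives `certutil`, would need the same switch. The header says the file must not be world readable, but nothing in this commit shows the mode the installed `slapd.ldif` (or the generated `slapd.d`) gets; worth confirming in the recipe's install step. `olcSecurity` stays commented out, so simple binds over the `ldap:///` listener are accepted in cleartext by default; a comment pointing deployers at the `ssf=` sample would make that explicit.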
diff --git a/stx-sources/slapd.service b/stx-sources/slapd.service
new file mode 100644
index 0000000..8a3a722
--- /dev/null
+++ b/stx-sources/slapd.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
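Review bot: `After=network-online.target` without a matching `Wants=network-online.target` does not pull the target in, so the ordering has no effect on boots where nothing else requests it; add `Wants=network-online.target` under `[Unit]`. `syslog.target` has been an empty stub for years and can be dropped from `After=`. `PIDFile=/var/run/openldap/slapd.pid` should use `/run/openldap/slapd.pid` (systemd warns on `/var/run`), and then the `olcPidFile` in slapd.ldif and `slapd.tmpfiles` need the same path so the three stay consistent.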
diff --git a/stx-sources/slapd.sysconfig b/stx-sources/slapd.sysconfig
new file mode 100644
index 0000000..68091a5
--- /dev/null
+++ b/stx-sources/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/stx-sources/slapd.tmpfiles b/stx-sources/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/stx-sources/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
--
2.17.1


@ -0,0 +1,775 @@
From 26002bd1d02d871e3c0526f3a0b7b99e25f3564c Mon Sep 17 00:00:00 2001
From: babak sarashki <babak.sarashki@windriver.com>
Date: Tue, 5 Nov 2019 18:02:38 -0800
Subject: [PATCH] ltb project openldap ppolicy check password 1.1
From stx 1901 openldap src RPM 2.4.44
Upstream at https://github.com/ltb-project/openldap-ppolicy-check-password.git
---
.../INSTALL | 31 ++
.../LICENSE | 50 ++
.../Makefile | 48 ++
.../README | 146 ++++++
.../check_password.c | 447 ++++++++++++++++++
5 files changed, 722 insertions(+)
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/Makefile
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/README
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
new file mode 100644
index 0000000..eb2dab4
--- /dev/null
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
@@ -0,0 +1,31 @@
+INSTALLATION
+============
+
+Build dependencies
+------------------
+cracklib header files (link with -lcrack). The Makefile does not look for
+cracklib; you may need to provide the paths manually.
+
+Build
+-----
+Use the provided Makefile to build the module.
+
+Copy the resulting check_password.so into the OpenLDAP modulepath.
+
+Or, change the installation path to match with the OpenLDAP module path in the
+Makefile and use 'make install'.
+
+
+USAGE
+=====
+Add objectClass 'pwdPolicyChecker' with an attribute
+
+ pwdCheckModule: check_password.so
+
+to a password policy entry.
+
+The module depends on a working cracklib installation including wordlist files.
+If the wordlist files are not readable, the cracklib check will be skipped
+silently.
+
+But you can use this module without cracklib, just checks for syntatic checks.
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
new file mode 100644
index 0000000..03f692b
--- /dev/null
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
@@ -0,0 +1,50 @@
+OpenLDAP Public License
+
+The OpenLDAP Public License
+ Version 2.8.1, 25 November 2003
+
+Redistribution and use of this software and associated documentation
+("Software"), with or without modification, are permitted provided
+that the following conditions are met:
+
+1. Redistributions in source form must retain copyright statements
+ and notices,
+
+2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
+
+3. Redistributions must contain a verbatim copy of this document.
+
+The OpenLDAP Foundation may revise this license from time to time.
+Each revision is distinguished by a version number. You may use
+this Software under terms of this license revision or under the
+terms of any subsequent revision of the license.
+
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+The names of the authors and copyright holders must not be used in
+advertising or otherwise to promote the sale, use or other dealing
+in this Software without specific, written prior permission. Title
+to copyright in this Software shall at all times remain with copyright
+holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
+California, USA. All rights reserved. Permission to copy and
+distribute verbatim copies of this document is granted.
+
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/Makefile b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile
new file mode 100644
index 0000000..91de40b
--- /dev/null
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile
@@ -0,0 +1,48 @@
+# contrib/slapd-modules/check_password/Makefile
+# Copyright 2007 Michael Steinmann, Calivia. All Rights Reserved.
+# Updated by Pierre-Yves Bonnetain, B&A Consultants, 2008
+#
+
+CC=gcc
+
+# Where to look for the CrackLib dictionaries
+#
+CRACKLIB=/usr/share/cracklib/pw_dict
+
+# Path to the configuration file
+#
+CONFIG=/etc/openldap/check_password.conf
+
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
+ -DDEBUG
+
+LDAP_LIB=-lldap_r -llber
+
+# Comment out this line if you do NOT want to use the cracklib.
+# You may have to add an -Ldirectory if the libcrak is not in a standard
+# location
+#
+CRACKLIB_LIB=-lcrack
+
+LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
+
+LIBDIR=/usr/lib/openldap/
+
+
+all: check_password
+
+check_password.o:
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+
+check_password: clean check_password.o
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+
+install: check_password
+ cp -f check_password.so ../../../usr/lib/openldap/modules/
+
+clean:
+ $(RM) check_password.o check_password.so check_password.lo
+ $(RM) -r .libs
+
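Review bot: The `install` target copies into a relative `../../../usr/lib/openldap/modules/` that only resolves from one particular build location, while `LIBDIR=/usr/lib/openldap/` defined above is never used; make it `cp -f check_password.so $(DESTDIR)$(LIBDIR)` (or `install -D -m 0755 ...`) so the recipe's do_install can set `DESTDIR`. `LIBS` is likewise defined but the link line passes only `$(CRACKLIB_LIB)`, so `-lldap_r -llber` never reach the linker and the `ber_*` symbols are resolved at load time inside slapd — acceptable for a module, but then `LIBS`/`LDAP_LIB` are dead variables. `-DDEBUG` is hard-wired into `CFLAGS`, and since `check_password.c` includes `<syslog.h>` only under `DEBUG` while also calling `syslog()` unconditionally, turning it off breaks the build; it also makes every password change emit several LOG_DEBUG lines. `$(LDAP_INC)` is referenced in the compile rule but never defined.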
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/README b/ltb-project-openldap-ppolicy-check-password-1.1/README
new file mode 100644
index 0000000..10191c2
--- /dev/null
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/README
@@ -0,0 +1,146 @@
+
+check_password.c - OpenLDAP pwdChecker library
+
+2007-06-06 Michael Steinmann <msl@calivia.com>
+2008-01-30 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
+2009 Clement Oudot <clem.oudot@gmail.com> - LTB-project
+2009 Jerome HUET - LTB-project
+
+check_password.c is an OpenLDAP pwdPolicyChecker module used to check the
+strength and quality of user-provided passwords.
+
+This module is used as an extension of the OpenLDAP password policy controls,
+see slapo-ppolicy(5) section pwdCheckModule.
+
+check_password.c will run a number of checks on the passwords to ensure minimum
+strength and quality requirements are met. Passwords that do not meet these
+requirements are rejected.
+
+
+Password checks
+---------------
+ - passwords shorter than 6 characters are rejected if cracklib is used (because
+ cracklib WILL reject them).
+
+ - syntactic checks controls how many different character classes are used
+ (lower, upper, digit and punctuation characters). The minimum number of
+ classes is defined in a configuration file. You can set the minimum for each
+ class.
+
+ - passwords are checked against cracklib if cracklib is enabled at compile
+ time. It can be disabled in configuration file.
+
+INSTALLATION
+------------
+Use the provided Makefile to build the module.
+
+Compilation constants :
+
+CONFIG_FILE : Path to the configuration file.
+ Defaults to /etc/openldap/check_password.conf
+
+DEBUG : If defined, check_password will syslog() its actions.
+
+Build dependencies
+cracklib header files (link with -lcrack). The Makefile does not look for
+cracklib; you may need to provide the paths manually.
+
+Install into the slapd server module path. Change the installation
+path to match with the OpenLDAP module path in the Makefile.
+
+The module may be defined with slapd.conf parameter "modulepath".
+
+USAGE
+-----
+To use this module you need to add objectClass pwdPolicyChecker with an
+attribute 'pwdCheckModule: check_password.so' to a password policy entry.
+
+The module depends on a working cracklib installation including wordlist files.
+If the wordlist files are not readable, the cracklib check will be skipped
+silently.
+
+Note: pwdPolicyChecker modules are loaded on *every* password change operation.
+
+Configuration
+-------------
+The configuration file (/etc/openldap/check_password.conf by default) contains
+parameters for the module. If the file is not found, parameters are given their
+default value.
+
+The syntax of the file is :
+
+parameter value
+
+with spaces being delimiters. Parameter names ARE case sensitive (this may
+change in the future).
+
+Current parameters :
+
+- useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification.
+ It has no effect if cracklib is not included at compile time.
+
+- minPoints: integer. Default value: 3. Minimum number of quality points a new
+ password must have to be accepted. One quality point is awarded for each character
+ class used in the password.
+
+- minUpper: integer. Defaut value: 0. Minimum upper characters expected.
+
+- minLower: integer. Defaut value: 0. Minimum lower characters expected.
+
+- minDigit: integer. Defaut value: 0. Minimum digit characters expected.
+
+- minPunct: integer. Defaut value: 0. Minimum punctuation characters expected.
+
+Logs
+----
+If a user password is rejected by an OpenLDAP pwdChecker module, the user will
+*not* get a detailed error message, this is by design.
+
+Typical user message from ldappasswd(5):
+ Result: Constraint violation (19)
+ Additional info: Password fails quality checking policy
+
+A more detailed message is written to the server log.
+
+Server log:
+ check_password_quality: module error: (check_password.so)
+ Password for dn=".." does not pass required number of strength checks (2 of 3)
+
+
+Caveats
+-------
+Runtime errors with this module (such as cracklib configuration problems) may
+bring down the slapd process.
+
+Use at your own risk.
+
+
+TODO
+----
+* use proper malloc function, see ITS#4998
+
+
+HISTORY
+-------
+* 2009-10-30 Clement OUDOT - LTB-project
+ Version 1.1
+ - Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunct
+
+* 2009-02-05 Clement Oudot <clem.oudot@gmail.com> - LINAGORA Group
+ Version 1.0.3
+ - Add useCracklib parameter in config file (with help of Pascal Pejac)
+ - Prefix log messages with "check_password: "
+ - Log what character type is found for quality checking
+
+* 2008-01-31 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
+ Version 1.0.2
+ - Several bug fixes.
+ - Add external config file
+
+* 2007-06-06 Michael Steinmann <msl@calivia.com>
+ Version 1.0.1
+ - add dn to error messages
+
+* 2007-06-02 Michael Steinmann <msl@calivia.com>
+ Version 1.0
+
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
new file mode 100644
index 0000000..f4dd1cb
--- /dev/null
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
@@ -0,0 +1,447 @@
+/*
+ * check_password.c for OpenLDAP
+ *
+ * See LICENSE, README and INSTALL files
+ */
+
+#include <string.h>
+#include <ctype.h>
+#include <portable.h>
+#include <slap.h>
+
+#ifdef HAVE_CRACKLIB
+#include <crack.h>
+#endif
+
+#if defined(DEBUG)
+#include <syslog.h>
+#endif
+
+#ifndef CRACKLIB_DICTPATH
+#define CRACKLIB_DICTPATH "/usr/share/cracklib/pw_dict"
+#endif
+
+#ifndef CONFIG_FILE
+#define CONFIG_FILE "/etc/openldap/check_password.conf"
+#endif
+
+#define DEFAULT_QUALITY 3
+#define DEFAULT_CRACKLIB 1
+#define MEMORY_MARGIN 50
+#define MEM_INIT_SZ 64
+#define FILENAME_MAXLEN 512
+
+#define PASSWORD_TOO_SHORT_SZ \
+ "Password for dn=\"%s\" is too short (%d/6)"
+#define PASSWORD_QUALITY_SZ \
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+#define BAD_PASSWORD_SZ \
+ "Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"
+
+typedef int (*validator) (char*);
+static int read_config_file ();
+static validator valid_word (char *);
+static int set_quality (char *);
+static int set_cracklib (char *);
+
+int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+
+struct config_entry {
+ char* key;
+ char* value;
+ char* def_value;
+} config_entries[] = { { "minPoints", NULL, "3"},
+ { "useCracklib", NULL, "1"},
+ { "minUpper", NULL, "0"},
+ { "minLower", NULL, "0"},
+ { "minDigit", NULL, "0"},
+ { "minPunct", NULL, "0"},
+ { NULL, NULL, NULL }};
+
+int get_config_entry_int(char* entry) {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ char* key = centry[i].key;
+ while (key != NULL) {
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
+ if ( centry[i].value == NULL ) {
+ return atoi(centry[i].def_value);
+ }
+ else {
+ return atoi(centry[i].value);
+ }
+ }
+ i++;
+ key = centry[i].key;
+ }
+
+ return -1;
+}
+
+void dealloc_config_entries() {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ while (centry[i].key != NULL) {
+ if ( centry[i].value != NULL ) {
+ ber_memfree(centry[i].value);
+ }
+ i++;
+ }
+}
+
+char* chomp(char *s)
+{
+ char* t = ber_memalloc(strlen(s)+1);
+ strncpy (t,s,strlen(s)+1);
+
+ if ( t[strlen(t)-1] == '\n' ) {
+ t[strlen(t)-1] = '\0';
+ }
+
+ return t;
+}
+
+static int set_quality (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
+#endif
+
+ /* No need to require more quality than we can check for. */
+ if (!isdigit(*value) || (int) (value[0] - '0') > 4) return DEFAULT_QUALITY;
+ return (int) (value[0] - '0');
+
+}
+
+static int set_cracklib (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
+#endif
+
+
+ return (int) (value[0] - '0');
+
+}
+
+static int set_digit (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
+#endif
+ if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
+ return (int) (value[0] - '0');
+}
+
+static validator valid_word (char *word)
+{
+ struct {
+ char * parameter;
+ validator dealer;
+ } list[] = { { "minPoints", set_quality },
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
+ int index = 0;
+
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
+#endif
+
+ while (list[index].parameter != NULL) {
+ if (strlen(word) == strlen(list[index].parameter) &&
+ strcmp(list[index].parameter, word) == 0) {
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Parameter accepted.");
+#endif
+ return list[index].dealer;
+ }
+ index++;
+ }
+
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Parameter rejected.");
+#endif
+
+ return NULL;
+}
+
+static int read_config_file ()
+{
+ FILE * config;
+ char * line;
+ int returnValue = -1;
+
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
+ return returnValue;
+ }
+
+ if ( (config = fopen(CONFIG_FILE, "r")) == NULL) {
+#if defined(DEBUG)
+ syslog(LOG_ERR, "check_password: Opening file %s failed", CONFIG_FILE);
+#endif
+
+ ber_memfree(line);
+ return returnValue;
+ }
+
+ returnValue = 0;
+
+ while (fgets(line, 256, config) != NULL) {
+ char *start = line;
+ char *word, *value;
+ validator dealer;
+
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
+#endif
+
+ while (isspace(*start) && isascii(*start)) start++;
+
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
+#endif
+ continue;
+ }
+
+ if( isascii(*start)) {
+
+ struct config_entry* centry = config_entries;
+ int i = 0;
+ char* keyWord = centry[i].key;
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
+#endif
+
+ centry[i].value = chomp(value);
+ break;
+ }
+ i++;
+ keyWord = centry[i].key;
+ }
+ }
+ }
+ }
+ fclose(config);
+ ber_memfree(line);
+
+ return returnValue;
+}
+
+static int realloc_error_message (char ** target, int curlen, int nextlen)
+{
+ if (curlen < nextlen + MEMORY_MARGIN) {
+#if defined(DEBUG)
+ syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+ curlen, nextlen + MEMORY_MARGIN);
+#endif
+ ber_memfree(*target);
+ curlen = nextlen + MEMORY_MARGIN;
+ *target = (char *) ber_memalloc(curlen);
+ }
+
+ return curlen;
+}
+
+int
+check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+{
+
+ char *szErrStr = (char *) ber_memalloc(MEM_INIT_SZ);
+ int mem_len = MEM_INIT_SZ;
+
+ int nLen;
+ int nLower = 0;
+ int nUpper = 0;
+ int nDigit = 0;
+ int nPunct = 0;
+ int minLower = 0;
+ int minUpper = 0;
+ int minDigit = 0;
+ int minPunct = 0;
+ int nQuality = 0;
+ int i;
+
+ /* Set a sensible default to keep original behaviour. */
+ int minQuality = DEFAULT_QUALITY;
+ int useCracklib = DEFAULT_CRACKLIB;
+
+ /** bail out early as cracklib will reject passwords shorter
+ * than 6 characters
+ */
+
+ nLen = strlen (pPasswd);
+ if ( nLen < 6) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
+ sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ goto fail;
+ }
+
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }
+
+ minQuality = get_config_entry_int("minPoints");
+ useCracklib = get_config_entry_int("useCracklib");
+ minUpper = get_config_entry_int("minUpper");
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");
+
+ /** The password must have at least minQuality strength points with one
+ * point for the first occurrance of a lower, upper, digit and
+ * punctuation character
+ */
+
+ for ( i = 0; i < nLen; i++ ) {
+
+ if ( islower (pPasswd[i]) ) {
+ minLower--;
+ if ( !nLower && (minLower < 1)) {
+ nLower = 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+
+ if ( isupper (pPasswd[i]) ) {
+ minUpper--;
+ if ( !nUpper && (minUpper < 1)) {
+ nUpper = 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+
+ if ( isdigit (pPasswd[i]) ) {
+ minDigit--;
+ if ( !nDigit && (minDigit < 1)) {
+ nDigit = 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+
+ if ( ispunct (pPasswd[i]) ) {
+ minPunct--;
+ if ( !nPunct && (minPunct < 1)) {
+ nPunct = 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+ }
+
+ /*
+ * If you have a required field, then it should be required in the strength
+ * checks.
+ */
+
+ if (
+ (minLower > 0 ) ||
+ (minUpper > 0 ) ||
+ (minDigit > 0 ) ||
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
+ sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+ nQuality, minQuality);
+ goto fail;
+ }
+
+#ifdef HAVE_CRACKLIB
+
+ /** Check password with cracklib */
+
+ if ( useCracklib > 0 ) {
+ int j = 0;
+ FILE* fp;
+ char filename[FILENAME_MAXLEN];
+ char const* ext[] = { "hwm", "pwd", "pwi" };
+ int nErr = 0;
+
+ /**
+ * Silently fail when cracklib wordlist is not found
+ */
+
+ for ( j = 0; j < 3; j++ ) {
+
+ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+ CRACKLIB_DICTPATH, ext[j]);
+
+ if (( fp = fopen ( filename, "r")) == NULL ) {
+
+ nErr = 1;
+ break;
+
+ } else {
+
+ fclose (fp);
+
+ }
+ }
+
+ char *r;
+ if ( nErr == 0) {
+
+ r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ if ( r != NULL ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
+ sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ goto fail;
+ }
+ }
+ }
+
+ else {
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Cracklib verification disabled by configuration");
+#endif
+ }
+
+#endif
+ dealloc_config_entries();
+ *ppErrStr = strdup ("");
+ ber_memfree(szErrStr);
+ return (LDAP_SUCCESS);
+
+fail:
+ dealloc_config_entries();
+ *ppErrStr = strdup (szErrStr);
+ ber_memfree(szErrStr);
+ return (EXIT_FAILURE);
+
+}
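Review bot: `dealloc_config_entries` frees each `config_entries[i].value` but leaves the pointer set, and `check_password` runs once per password change, so on the next call any key that `read_config_file` does not re-assign (config file removed, key dropped, `fopen` failure) is read by `get_config_entry_int` through a freed pointer; add `centry[i].value = NULL;` after the `ber_memfree(centry[i].value);` line, and free the old value before `centry[i].value = chomp(value);` in `read_config_file` so a repeated key does not leak. The `validator` returned by `valid_word` in `read_config_file` is assigned to `dealer` but never invoked — the raw string is stored and later `atoi`'d — so the clamping in `set_quality` and `set_digit` never applies, and a config line `minPoints 99` rejects every password while a negative value disables the quality check. `syslog(LOG_ERR, "Warning: Could not read values ...")` in `check_password` sits outside `#if defined(DEBUG)` while `<syslog.h>` is included only under `DEBUG`, so the file does not compile without `-DDEBUG`. The three `sprintf (szErrStr, ...)` calls rely on `realloc_error_message` having sized the buffer correctly; since `mem_len` is tracked anyway, `snprintf(szErrStr, mem_len, ...)` makes the bound explicit.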
--
2.17.1


@ -1,124 +0,0 @@
Correct log levels in check_password module.
Author: Matus Honek <mhonek@redhat.com>
Resolves: #1356158
diff --git a/check_password.c b/check_password.c
--- a/check_password.c
+++ b/check_password.c
@@ -108,7 +108,7 @@ char* chomp(char *s)
static int set_quality (char *value)
{
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value);
+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
#endif
/* No need to require more quality than we can check for. */
@@ -120,7 +120,7 @@ static int set_quality (char *value)
static int set_cracklib (char *value)
{
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value);
+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
#endif
@@ -131,7 +131,7 @@ static int set_cracklib (char *value)
static int set_digit (char *value)
{
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value);
+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
#endif
if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
return (int) (value[0] - '0');
@@ -152,14 +152,14 @@ static validator valid_word (char *word)
int index = 0;
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word);
+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
#endif
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ syslog(LOG_DEBUG, "check_password: Parameter accepted.");
#endif
return list[index].dealer;
}
@@ -167,7 +167,7 @@ static validator valid_word (char *word)
}
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Parameter rejected.");
+ syslog(LOG_DEBUG, "check_password: Parameter rejected.");
#endif
return NULL;
@@ -203,7 +203,7 @@ static int read_config_file ()
#if defined(DEBUG)
/* Debug traces to syslog. */
- syslog(LOG_NOTICE, "check_password: Got line |%s|", line);
+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
#endif
while (isspace(*start) && isascii(*start)) start++;
@@ -212,7 +212,7 @@ static int read_config_file ()
if ( ispunct(*start)) {
#if defined(DEBUG)
/* Debug traces to syslog. */
- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
#endif
continue;
}
@@ -227,7 +227,7 @@ static int read_config_file ()
if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
#endif
centry[i].value = chomp(value);
@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
if ( !nLower && (minLower < 1)) {
nLower = 1; nQuality++;
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality);
+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
#endif
}
continue;
@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
if ( !nUpper && (minUpper < 1)) {
nUpper = 1; nQuality++;
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality);
+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
#endif
}
continue;
@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
if ( !nDigit && (minDigit < 1)) {
nDigit = 1; nQuality++;
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality);
+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
#endif
}
continue;
@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
if ( !nPunct && (minPunct < 1)) {
nPunct = 1; nQuality++;
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality);
+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
#endif
}
continue;


@ -1,41 +0,0 @@
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
@@ -13,22 +13,11 @@
#
CONFIG=/etc/openldap/check_password.conf
-OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
-
-# Where to find the CrackLib headers.
-#
-CRACK_INC=
-
-INCS=$(LDAP_INC) $(CRACK_INC)
-
LDAP_LIB=-lldap_r -llber
# Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@
all: check_password
check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/


@ -1,321 +0,0 @@
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@
#include <slap.h>
#ifdef HAVE_CRACKLIB
-#include "crack.h"
+#include <crack.h>
#endif
#if defined(DEBUG)
@@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"
typedef int (*validator) (char*);
-static int read_config_file (char *);
+static int read_config_file ();
static validator valid_word (char *);
static int set_quality (char *);
static int set_cracklib (char *);
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+struct config_entry {
+ char* key;
+ char* value;
+ char* def_value;
+} config_entries[] = { { "minPoints", NULL, "3"},
+ { "useCracklib", NULL, "1"},
+ { "minUpper", NULL, "0"},
+ { "minLower", NULL, "0"},
+ { "minDigit", NULL, "0"},
+ { "minPunct", NULL, "0"},
+ { NULL, NULL, NULL }};
+
+int get_config_entry_int(char* entry) {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ char* key = centry[i].key;
+ while (key != NULL) {
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
+ if ( centry[i].value == NULL ) {
+ return atoi(centry[i].def_value);
+ }
+ else {
+ return atoi(centry[i].value);
+ }
+ }
+ i++;
+ key = centry[i].key;
+ }
+
+ return -1;
+}
+
+void dealloc_config_entries() {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ while (centry[i].key != NULL) {
+ if ( centry[i].value != NULL ) {
+ ber_memfree(centry[i].value);
+ }
+ i++;
+ }
+}
+
+char* chomp(char *s)
+{
+ char* t = ber_memalloc(strlen(s)+1);
+ strncpy (t,s,strlen(s)+1);
+
+ if ( t[strlen(t)-1] == '\n' ) {
+ t[strlen(t)-1] = '\0';
+ }
+
+ return t;
+}
+
static int set_quality (char *value)
{
#if defined(DEBUG)
@@ -84,12 +143,12 @@
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib },
- { "minUpper", set_digit },
- { "minLower", set_digit },
- { "minDigit", set_digit },
- { "minPunct", set_digit },
- { NULL, NULL } };
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
int index = 0;
#if defined(DEBUG)
@@ -98,7 +157,7 @@
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif
@@ -114,13 +173,15 @@
return NULL;
}
-static int read_config_file (char *keyWord)
+static int read_config_file ()
{
FILE * config;
char * line;
int returnValue = -1;
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
return returnValue;
}
@@ -133,6 +194,8 @@
return returnValue;
}
+ returnValue = 0;
+
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
@@ -145,23 +208,40 @@
while (isspace(*start) && isascii(*start)) start++;
- if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif
continue;
+ }
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL)
- continue;
+ if( isascii(*start)) {
+
+ struct config_entry* centry = config_entries;
+ int i = 0;
+ char* keyWord = centry[i].key;
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif
- returnValue = (*dealer)(value);
+ centry[i].value = chomp(value);
+ break;
+ }
+ i++;
+ keyWord = centry[i].key;
+ }
+ }
}
}
-
fclose(config);
ber_memfree(line);
+
return returnValue;
}
@@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN);
#endif
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@
return curlen;
}
- int
+int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{
@@ -210,20 +290,22 @@
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}
- /* Read config file */
- minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }
- useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower");
- minDigit = read_config_file("minDigit");
- minPunct = read_config_file("minPunct");
+ minQuality = get_config_entry_int("minPoints");
+ useCracklib = get_config_entry_int("useCracklib");
+ minUpper = get_config_entry_int("minUpper");
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");
/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@
for ( i = 0; i < nLen; i++ ) {
- if ( nQuality >= minQuality ) break;
-
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@
}
}
- if ( nQuality < minQuality ) {
+ /*
+ * If you have a required field, then it should be required in the strength
+ * checks.
+ */
+
+ if (
+ (minLower > 0 ) ||
+ (minUpper > 0 ) ||
+ (minDigit > 0 ) ||
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality);
+ nQuality, minQuality);
goto fail;
}
@@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) {
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]);
if (( fp = fopen ( filename, "r")) == NULL ) {
@@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) +
- strlen(r));
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
@@ -342,15 +433,15 @@
}
#endif
-
+ dealloc_config_entries();
*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);
fail:
+ dealloc_config_entries();
*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);
}
-


@ -1,219 +0,0 @@
commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8
Author: Ben Jencks <ben@bjencks.net>
Date: Sun Jan 27 18:27:03 2013 -0500
ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage.
If a DHParamFile or olcDHParamFile is specified, then it will be used,
otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
larger parameters; previously only 512 or 1024 bit parameters would ever be
used.
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 48ce1ceab..c6a3540c9 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -59,15 +59,13 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
-static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length );
-
-typedef struct dhplist {
- struct dhplist *next;
- int keylength;
- DH *param;
-} dhplist;
-
-static dhplist *tlso_dhparams;
+/* From the OpenSSL 0.9.7 distro */
+static const char tlso_dhpem1024[] =
+"-----BEGIN DH PARAMETERS-----\n\
+MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
+/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
+/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
+-----END DH PARAMETERS-----\n";
static int tlso_seed_PRNG( const char *randfile );
@@ -76,7 +74,6 @@ static int tlso_seed_PRNG( const char *randfile );
* provide mutexes for the OpenSSL library.
*/
static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS];
-static ldap_pvt_thread_mutex_t tlso_dh_mutex;
static void tlso_locking_cb( int mode, int type, const char *file, int line )
{
@@ -107,7 +104,6 @@ static void tlso_thr_init( void )
for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) {
ldap_pvt_thread_mutex_init( &tlso_mutexes[i] );
}
- ldap_pvt_thread_mutex_init( &tlso_dh_mutex );
CRYPTO_set_locking_callback( tlso_locking_cb );
CRYPTO_set_id_callback( tlso_thread_self );
}
@@ -308,28 +304,32 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if ( lo->ldo_tls_dhfile ) {
+ if (is_server) {
DH *dh = NULL;
BIO *bio;
- dhplist *p;
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ if ( lo->ldo_tls_dhfile ) {
- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use DH parameters file `%s'.\n",
+ lo->ldo_tls_dhfile,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ } else {
+ bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
+ }
+ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
Debug( LDAP_DEBUG_ANY,
- "TLS: could not use DH parameters file `%s'.\n",
+ "TLS: could not read DH parameters file `%s'.\n",
lo->ldo_tls_dhfile,0,0);
tlso_report_error();
+ BIO_free( bio );
return -1;
}
- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
- p = LDAP_MALLOC( sizeof(dhplist) );
- if ( p != NULL ) {
- p->keylength = DH_size( dh ) * 8;
- p->param = dh;
- p->next = tlso_dhparams;
- tlso_dhparams = p;
- }
- }
BIO_free( bio );
+ SSL_CTX_set_tmp_dh( ctx, dh );
}
if ( tlso_opt_trace ) {
@@ -349,9 +349,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
tlso_verify_ok : tlso_verify_cb );
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
- if ( lo->ldo_tls_dhfile ) {
- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb );
- }
#ifdef HAVE_OPENSSL_CRL
if ( lo->ldo_tls_crlcheck ) {
X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
@@ -1160,108 +1157,6 @@ tlso_seed_PRNG( const char *randfile )
return 0;
}
-struct dhinfo {
- int keylength;
- const char *pem;
- size_t size;
-};
-
-
-/* From the OpenSSL 0.9.7 distro */
-static const char tlso_dhpem512[] =
-"-----BEGIN DH PARAMETERS-----\n\
-MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\
-a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\
------END DH PARAMETERS-----\n";
-
-static const char tlso_dhpem1024[] =
-"-----BEGIN DH PARAMETERS-----\n\
-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
------END DH PARAMETERS-----\n";
-
-static const char tlso_dhpem2048[] =
-"-----BEGIN DH PARAMETERS-----\n\
-MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\
-AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\
-z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\
-pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\
-aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\
-Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\
------END DH PARAMETERS-----\n";
-
-static const char tlso_dhpem4096[] =
-"-----BEGIN DH PARAMETERS-----\n\
-MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\
-vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\
-TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\
-bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\
-rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\
-EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\
-bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\
-W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\
-ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\
-NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\
-jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\
------END DH PARAMETERS-----\n";
-
-static const struct dhinfo tlso_dhpem[] = {
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
- { 0, NULL, 0 }
-};
-
-static DH *
-tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
-{
- struct dhplist *p = NULL;
- BIO *b = NULL;
- DH *dh = NULL;
- int i;
-
- /* Do we have params of this length already? */
- LDAP_MUTEX_LOCK( &tlso_dh_mutex );
- for ( p = tlso_dhparams; p; p=p->next ) {
- if ( p->keylength == key_length ) {
- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
- return p->param;
- }
- }
-
- /* No - check for hardcoded params */
-
- for (i=0; tlso_dhpem[i].keylength; i++) {
- if ( tlso_dhpem[i].keylength == key_length ) {
- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size );
- break;
- }
- }
-
- if ( b ) {
- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL );
- BIO_free( b );
- }
-
- /* Generating on the fly is expensive/slow... */
- if ( !dh ) {
- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL );
- }
- if ( dh ) {
- p = LDAP_MALLOC( sizeof(struct dhplist) );
- if ( p != NULL ) {
- p->keylength = key_length;
- p->param = dh;
- p->next = tlso_dhparams;
- tlso_dhparams = p;
- }
- }
-
- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
- return dh;
-}
tls_impl ldap_int_tls_impl = {
"OpenSSL",


@ -1,58 +0,0 @@
commit eacd5798a5d83e6658a823c01bcb0f600e3b9898
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 06:39:53 2013 -0700
ITS#7506 fix prev commit
The patch unconditionally enabled DHparams, which is a significant
change of behavior. Reverting to previous behavior, which only enables
DH use if a DHparam file was configured.
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index c6a3540c9..a2d9cd31f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -59,14 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
-/* From the OpenSSL 0.9.7 distro */
-static const char tlso_dhpem1024[] =
-"-----BEGIN DH PARAMETERS-----\n\
-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
------END DH PARAMETERS-----\n";
-
static int tlso_seed_PRNG( const char *randfile );
#ifdef LDAP_R_COMPILE
@@ -304,21 +296,17 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if (is_server) {
+ if ( lo->ldo_tls_dhfile ) {
DH *dh = NULL;
BIO *bio;
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
- if ( lo->ldo_tls_dhfile ) {
- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not use DH parameters file `%s'.\n",
- lo->ldo_tls_dhfile,0,0);
- tlso_report_error();
- return -1;
- }
- } else {
- bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use DH parameters file `%s'.\n",
+ lo->ldo_tls_dhfile,0,0);
+ tlso_report_error();
+ return -1;
}
if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
Debug( LDAP_DEBUG_ANY,


@ -27,7 +27,10 @@ SRC_URI += " \
file://0016-openldap-man-ldap-conf.patch \
file://0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch \
file://0018-openldap-tlsmc.patch \
file://0019-openldap-fedora-systemd.patch \
file://0019-openldap-openssl-ITS7596-Add-EC-support.patch \
file://0020-openldap-openssl-ITS7596-Add-EC-support-patch-2.patch \
file://0021-openldap-and-stx-source-and-config-files.patch \
file://0022-ltb-project-openldap-ppolicy-check-password-1.1.patch \
"
inherit pkgconfig
@ -41,6 +44,8 @@ DEPENDS += " \
libtirpc \
"
RDEPENDS_${PN}_append = " bash"
# Defaults:
# --enable-bdb=no
@ -94,12 +99,47 @@ do_configure_append () {
ln -f -s ${S}/contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} servers/slapd/overlays
}
# If liblmdb is needed, then patch the Makefile
#do_compile_append () {
# cd ${S}/libraries/liblmdb
# cd ${S}/ltb-project-openldap-ppolicy-check-password-1.1
# oe_runmake
#}
FILES_${PN}_append = " ${libexecdir}/openldap/*"
do_install_append () {
# For this we need to build ltb-project-openldap
#install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
cd ${S}/stx-sources
install -m 0755 -d ${D}/var/run/openldap
install -m 0755 -d ${D}/${sysconfdir}/tmpfiles.d
install -m 0755 ${S}/stx-sources/slapd.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/slapd.conf
install -m 0755 ${S}/stx-sources/openldap.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/openldap.conf
install -m 0755 ${S}/stx-sources/ldap.conf ${D}/${sysconfdir}/tmpfiles.d/ldap.conf
install -m 0644 libexec-functions ${D}/${libexecdir}/openldap/functions
install -m 0755 libexec-convert-config.sh ${D}/${libexecdir}/openldap/convert-config.sh
install -m 0755 libexec-check-config.sh ${D}/${libexecdir}/openldap/check-config.sh
install -m 0755 libexec-upgrade-db.sh ${D}/${libexecdir}/openldap/upgrade-db.sh
install -m 0755 libexec-create-certdb.sh ${D}/${libexecdir}/openldap/create-certdb.sh
install -m 0755 libexec-generate-server-cert.sh ${D}/${libexecdir}/openldap/generate-server-cert.sh
install -m 0755 libexec-update-ppolicy-schema.sh ${D}/${libexecdir}/openldap/update-ppolicy-schema.sh
install -m 0644 slapd.service ${D}/${systemd_unitdir}/stx-slapd.service
install -m 0755 -d ${D}/${sysconfdir}/sysconfig
install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd.sysconfig
install -m 0755 -d ${D}/${datadir}/openldap-servers
install -m 0644 slapd.ldif ${D}/${datadir}/openldap-servers/slapd.ldif
install -m 0750 -d ${D}/${sysconfdir}/openldap/slapd.d
}
FILES_${PN}_append = " \
${datadir}/openldap-servers/ \
${libexecdir}/openldap/ \
/run/openldap \
${sysconfdir}/sysconfig \
${sysconfdir}/tmpfiles.d \
${systemd_unitdir}/stx-slapd.service \
"