diff --git a/issues/openldap.patches b/issues/openldap.patches
new file mode 100644
index 0000000..bf71686
--- /dev/null
+++ b/issues/openldap.patches
@@ -0,0 +1,95 @@
+
+Patch50: openldap-openssl-its7506-fix-DH-params-1.patch << openldap commit: 6f120920d359d3b880c5c56bde4c1b91c3bedb01
+Patch51: openldap-openssl-its7506-fix-DH-params-2.patch << openldap commit: cfeb28412c28ce9feeea6e6c055286f201bd0a34
+Patch52: openldap-openssl-ITS7595-Add-EC-support-1.patch
+Patch53: openldap-openssl-ITS7595-Add-EC-support-2.patch
+
+CentOS openldap commit level: d690e90fec0ecba6e9eb47bfc7ef8e311dce9eac tag: OPENLDAP_REL_ENG_2_4_44
+Poky openldap commit level: 1c9416493bd219b08d839cd9e93fc64daa89b752 tag: OPENLDAP_REL_ENG_2_4_46
+
+Whatchanged OPENLDAP_REL_ENG_2_4_44 OPENLDAP_REL_ENG_2_4_46:
+commit eebf662409f646646fe2364c26f095d7c242ed2e
+commit e2c6bec025ef6e38bb95e4b173d4c896de74152e
+commit d8ccf649bcb17cb97541154f27a5673c13254d11
+commit 9db93a138932ddbe68f2a4215d136383d4f3dc46
+commit 556a832c4a7ed54d94d0ec204baba5865a36732a
+commit 8144463186ddc6c7b1b2509244c0a2e4eba50539
+commit ebf74c7bb1c079a640074a8685583a7ee0cb5d39
+commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
+commit 47f8b3c425c5e1fe4097f0685bbe9aefe56ba911
+commit 691dab11a0d6334c401bac59f476a382303c7a24
+commit 38d0a8bbdebdf1af212c36008f7d7c2de2a28af4
+commit 051f14f6d6809ff6074fd22e461bed71e160da92
+commit d8c9c414ac6992f38378a95fbb510bfde93c1c0d
+commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 << openldap-openssl-its7506-fix-DH-params-2.patch
+commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 << openldap-openssl-its7506-fix-DH-params-1.patch
+commit 9b5972dc9e14e1f7a7bef755bfd0dc61bcf1ffb3
+commit b60820ee696c09bad18fd04fdd982df7af15c6c3
+commit 35e549b49b1f58ec494bc05cc2718f82d20c30c6
+commit 3370868748d330f896645965145ad77720c3aba6
+commit 9cdb7b18a929d546a7681d3ac0f830821069c5a5
+commit b46547ada17b4585cc5c40150933be325bb1e9ac
+commit 1f723195873454ac2d46592deb5d2f7c6885993a
+commit 42c1ff8a28d35482e9c34d063b4bd5d441bb364a
+commit 769083f84816a380a4ae9bb48ab55631ff596751
+commit 7761c923bab53870802c287611b17bb906ce3a0b
+commit 6d0f6f414f90c67db850751915a6640668d6cd44
+commit 1adee08e8912c1f47c7b170fe62bebdd9797921f
+commit 158a47cbe467a6c50c6a6e85247959f20e51c1d4
+commit 6c9b08ce2679fccb224dd02afd9221ed28623f9b
+commit 77caf6040f1f5770460ddb56c2a304a0d0b8cbe8
+commit 3a2e98e91c3a8f93e5b37cb7e5a76708194cff77
+commit 49f2e6a5f703f874852fe60a1c5faaf362df4bdc
+commit 1cee5dcd12701a972feb1dd974f3f393a97c6dca
+commit 39ddec3a9cfa04f7f466a7ebbd8569e498a63a64
+commit 988f1bbdc7590fc01c149a36eeb88a0cffd4c4bc
+commit 2147c854efe9fac300ab7095df8dfc6c943d3b15
+commit 4b7eb173e7953d9e5ecce80fc08709bcdd67d179
+
+Cherry picked into CentOS: Adds Elliptic Curve support for Openssl and 2 dont use EC if openssl lacks it
+commit e631ce808ed56119e61321463d06db7999ba5a08 << openldap-openssl-ITS7595-Add-EC-support-1.patch
+commit 721e46fe6695077d63a3df6ea2e397920a72308d << openldap-openssl-ITS7595-Add-EC-support-2.patch
+
+Poky:
+
+commit eebf662409f646646fe2364c26f095d7c242ed2e << openldap repo: Cleanup
+commit e2c6bec025ef6e38bb95e4b173d4c896de74152e << openldap repo: Cleanup
+commit d8ccf649bcb17cb97541154f27a5673c13254d11 << openldap repo: ITS#8791 OpenSSL 1.1.1 BIOP_method
+commit 9db93a138932ddbe68f2a4215d136383d4f3dc46 << openldap repo: ITS#8687 EGD is disabled by default in openssl 1.1. TODO validate on poky
+commit 556a832c4a7ed54d94d0ec204baba5865a36732a << openldap repo: ITS#8353/ITS#8533 Cleanup
+commit 8144463186ddc6c7b1b2509244c0a2e4eba50539 << openldap repo: ITS#8353/ITS#8533 libldap_r build error
+commit ebf74c7bb1c079a640074a8685583a7ee0cb5d39 << openldap repo: ITS#8353/ITS#8533 / Dont use deprecated API with OpenSSL 1.1 or later
+commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8 << openldap repo: ITS#8529
+commit 47f8b3c425c5e1fe4097f0685bbe9aefe56ba911 << openldap repo: ITS#8353/ITS#8533 OpenSSL 1.1.0c compat
+commit 691dab11a0d6334c401bac59f476a382303c7a24 << openldap repo: Copyright update
+commit 38d0a8bbdebdf1af212c36008f7d7c2de2a28af4 << openldap repo: ITS#8353
+commit 051f14f6d6809ff6074fd22e461bed71e160da92 << openldap repo: ITS#8353
+commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 << openldap-openssl-its7506-fix-DH-params-2.patch
+commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 << openldap-openssl-its7506-fix-DH-params-1.patch
+
+
+Patches:
+
+0001-Various-manual-pages-changes.patch: ....................... Commit 9321119bac67aeb1a3d61fda9d1a60f32785468b /
+0002-Correct-log-levels-in-ppolicy-overlay.patch: .............. Use Log3 instead of Debug
+0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch:... Is this patch needed? Removes sql linking
+0004-openlap-reentrant-gethostby.patch: ........................ Is this patch needed? use reentrant versions -- fix should be elsewhere -- test case?
+0005-openldap-smbk5pwd-overlay.patch: .......................... Redo NOTE A.
+0006-openldap-ldaprc-currentdir.patch:.......................... Disable openning of ldaprc file/ Keep this patch
+0007-openldap-userconfig-setgid.patch: ......................... Adds same behavior as geteuid != getuid to getegid != getgid
+0008-openldap-allop-overlay.patch: ............................. Redo NOTE A.
+0009-openldap-syncrepl-unset-tls-options.patch: ................ Keep
+0010-openldap-ai-addrconfig.patch: ............................. 
Keep Commit ebf0ef5cb11fc3f92715e644d95c1bf38cc33ebb. +0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch: Keep +0012-openldap-ldapi-sasl.patch: ................................ Keep 6c5a79be983fafa435454e9cce34a4658e31de79 +0013-openldap-missing-unlock-in-accesslog-overlay.patch: ....... Keep but is this really needed +0014-openldap-module-passwd-sha2.patch: ........................ Redo NOTE A. +0015-openldap-man-tls-reqcert.patch: ........................... Keep +0016-openldap-man-ldap-conf.patch: ............................. Keep +0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch: ..... Keep for now. Removed in upstream ec2cb12e68923f7b3db60fe20935ca01d4a3932c +0018-openldap-tlsmc.patch: ..................................... Keep But is this needed. We are linking with openssl +0019-openldap-fedora-systemd.patch: ............................ Remove The fix needs to go into systemd ENV file + + +NOTE A: +These patches need cleanup. diff --git a/recipes-support/openldap/files/0001-Various-manual-pages-changes.patch b/recipes-support/openldap/files/0001-Various-manual-pages-changes.patch index b6cc071..325aaae 100644 --- a/recipes-support/openldap/files/0001-Various-manual-pages-changes.patch +++ b/recipes-support/openldap/files/0001-Various-manual-pages-changes.patch @@ -1,7 +1,7 @@ From 462675a5b797afb411de4506425f12ac6ebdf56a Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:28:29 -0800 -Subject: [PATCH 01/19] Various manual pages changes: +Subject: [PATCH 01/20] Various manual pages changes: remove LIBEXECDIR from slapd.8 remove references to non-existing manpages (bz 624616) diff --git a/recipes-support/openldap/files/0002-Correct-log-levels-in-ppolicy-overlay.patch b/recipes-support/openldap/files/0002-Correct-log-levels-in-ppolicy-overlay.patch index 8a85152..1d63588 100644 --- a/recipes-support/openldap/files/0002-Correct-log-levels-in-ppolicy-overlay.patch 
+++ b/recipes-support/openldap/files/0002-Correct-log-levels-in-ppolicy-overlay.patch @@ -1,7 +1,7 @@ From 35907952c646b971ba5b14002db2aac8d2324f21 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:30:27 -0800 -Subject: [PATCH 02/19] Correct log levels in ppolicy overlay +Subject: [PATCH 02/20] Correct log levels in ppolicy overlay From STX 1901 openldap-ppolicy-loglevels.patch --- diff --git a/recipes-support/openldap/files/0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch b/recipes-support/openldap/files/0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch index d29d527..f613a59 100644 --- a/recipes-support/openldap/files/0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch +++ b/recipes-support/openldap/files/0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch @@ -1,7 +1,7 @@ From 15b7c5ebcbb607cd2edc2119dfefd16b41cddc21 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:32:09 -0800 -Subject: [PATCH 03/19] Removes unnecessary linking of SQL Libs into slad. +Subject: [PATCH 03/20] Removes unnecessary linking of SQL Libs into slad. This makes openldap-servers package independent of libodbc (SQL backend is packaged separately in openldap-servers-sql.) diff --git a/recipes-support/openldap/files/0004-openlap-reentrant-gethostby.patch b/recipes-support/openldap/files/0004-openlap-reentrant-gethostby.patch index 7f1fecd..6f127b8 100644 --- a/recipes-support/openldap/files/0004-openlap-reentrant-gethostby.patch +++ b/recipes-support/openldap/files/0004-openlap-reentrant-gethostby.patch @@ -1,7 +1,7 @@ From df22708bcbe727570daada3fbf8065a447444716 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:34:19 -0800 -Subject: [PATCH 04/19] openlap reentrant gethostby +Subject: [PATCH 04/20] openlap reentrant gethostby The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for example if libldap needs to be initialized from within gethostbyXXXX() (which 
diff --git a/recipes-support/openldap/files/0005-openldap-smbk5pwd-overlay.patch b/recipes-support/openldap/files/0005-openldap-smbk5pwd-overlay.patch index 10bcf60..4c6b6f5 100644 --- a/recipes-support/openldap/files/0005-openldap-smbk5pwd-overlay.patch +++ b/recipes-support/openldap/files/0005-openldap-smbk5pwd-overlay.patch @@ -1,7 +1,7 @@ From 75e89e30c2ef819169b5f77b0ac8d450271f516b Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:35:23 -0800 -Subject: [PATCH 05/19] openldap smbk5pwd overlay +Subject: [PATCH 05/20] openldap smbk5pwd overlay Compile smbk5pwd together with other overlays. diff --git a/recipes-support/openldap/files/0006-openldap-ldaprc-currentdir.patch b/recipes-support/openldap/files/0006-openldap-ldaprc-currentdir.patch index dff14c5..fddfd8c 100644 --- a/recipes-support/openldap/files/0006-openldap-ldaprc-currentdir.patch +++ b/recipes-support/openldap/files/0006-openldap-ldaprc-currentdir.patch @@ -1,7 +1,7 @@ From b7f7a583e8a63b1787c3a98f4c43ccbb6c3e39df Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:36:48 -0800 -Subject: [PATCH 06/19] openldap ldaprc currentdir +Subject: [PATCH 06/20] openldap ldaprc currentdir From Stx 1901: openldap-ldaprc-currentdir.patch diff --git a/recipes-support/openldap/files/0007-openldap-userconfig-setgid.patch b/recipes-support/openldap/files/0007-openldap-userconfig-setgid.patch index 8789c4f..4249400 100644 --- a/recipes-support/openldap/files/0007-openldap-userconfig-setgid.patch +++ b/recipes-support/openldap/files/0007-openldap-userconfig-setgid.patch @@ -1,7 +1,7 @@ From c4906ff521df3f1c9fc4a302300fc135447ee40a Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:38:21 -0800 -Subject: [PATCH 07/19] openldap userconfig setgid +Subject: [PATCH 07/20] openldap userconfig setgid From Stx 1901: openldap-userconfig-setgid.patch 
diff --git a/recipes-support/openldap/files/0008-openldap-allop-overlay.patch b/recipes-support/openldap/files/0008-openldap-allop-overlay.patch index 8dd74ce..4d21fa0 100644 --- a/recipes-support/openldap/files/0008-openldap-allop-overlay.patch +++ b/recipes-support/openldap/files/0008-openldap-allop-overlay.patch @@ -1,7 +1,7 @@ From ac607279df96d4f29f0778ad2657b1f962b496bb Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:40:33 -0800 -Subject: [PATCH 08/19] openldap allop overlay +Subject: [PATCH 08/20] openldap allop overlay From Stx 1901: openldap-allop-overlay.patch diff --git a/recipes-support/openldap/files/0009-openldap-syncrepl-unset-tls-options.patch b/recipes-support/openldap/files/0009-openldap-syncrepl-unset-tls-options.patch index 577cb72..6525ba4 100644 --- a/recipes-support/openldap/files/0009-openldap-syncrepl-unset-tls-options.patch +++ b/recipes-support/openldap/files/0009-openldap-syncrepl-unset-tls-options.patch @@ -1,7 +1,7 @@ From d87f33bf42e3ee1ce47ea61fde809fe693eede87 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:42:04 -0800 -Subject: [PATCH 09/19] openldap syncrepl unset tls options +Subject: [PATCH 09/20] openldap syncrepl unset tls options From Stx 1901: openldap-syncrepl-unset-tls-options.patch diff --git a/recipes-support/openldap/files/0010-openldap-ai-addrconfig.patch b/recipes-support/openldap/files/0010-openldap-ai-addrconfig.patch index dae83bc..86cda4d 100644 --- a/recipes-support/openldap/files/0010-openldap-ai-addrconfig.patch +++ b/recipes-support/openldap/files/0010-openldap-ai-addrconfig.patch @@ -1,7 +1,7 @@ From 6fcc222021258cf00cef05bdc487c614c33ab371 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:44:05 -0800 -Subject: [PATCH 10/19] openldap ai addrconfig +Subject: [PATCH 10/20] openldap ai addrconfig From stx 1901: openldap-ai-addrconfig.patch use AI_ADDRCONFIG if defined in the environment 
diff --git a/recipes-support/openldap/files/0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch b/recipes-support/openldap/files/0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch index e4a3213..20a9be1 100644 --- a/recipes-support/openldap/files/0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch +++ b/recipes-support/openldap/files/0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch @@ -1,7 +1,7 @@ From b0b00385bf7564fa39f711f958b90512559f7f70 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:45:27 -0800 -Subject: [PATCH 11/19] openldap switch to t_dlopenadvise to get RTLD_GLOBAL +Subject: [PATCH 11/20] openldap switch to t_dlopenadvise to get RTLD_GLOBAL set From-stx-1901: openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL-set.patch diff --git a/recipes-support/openldap/files/0012-openldap-ldapi-sasl.patch b/recipes-support/openldap/files/0012-openldap-ldapi-sasl.patch index f6c8ab7..898e15f 100644 --- a/recipes-support/openldap/files/0012-openldap-ldapi-sasl.patch +++ b/recipes-support/openldap/files/0012-openldap-ldapi-sasl.patch @@ -1,7 +1,7 @@ From 4533a8029bdb309eaa63ebb68d71243fa1f9835a Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:47:27 -0800 -Subject: [PATCH 12/19] openldap ldapi sasl +Subject: [PATCH 12/20] openldap ldapi sasl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/recipes-support/openldap/files/0013-openldap-missing-unlock-in-accesslog-overlay.patch b/recipes-support/openldap/files/0013-openldap-missing-unlock-in-accesslog-overlay.patch index 5db8060..e2b401f 100644 --- a/recipes-support/openldap/files/0013-openldap-missing-unlock-in-accesslog-overlay.patch +++ b/recipes-support/openldap/files/0013-openldap-missing-unlock-in-accesslog-overlay.patch @@ -1,7 +1,7 @@ From 7cc8c2c22dc6a5999554e64b25f162b3673cd922 Mon Sep 17 00:00:00 2001 
From: babak sarashki Date: Sun, 3 Nov 2019 14:48:29 -0800 -Subject: [PATCH 13/19] openldap missing unlock in accesslog overlay +Subject: [PATCH 13/20] openldap missing unlock in accesslog overlay From stx 1901: openldap-missing-unlock-in-accesslog-overlay.patch A mutex lock might not get unlocked when plausible diff --git a/recipes-support/openldap/files/0014-openldap-module-passwd-sha2.patch b/recipes-support/openldap/files/0014-openldap-module-passwd-sha2.patch index ea68283..e11c8d8 100644 --- a/recipes-support/openldap/files/0014-openldap-module-passwd-sha2.patch +++ b/recipes-support/openldap/files/0014-openldap-module-passwd-sha2.patch @@ -1,7 +1,7 @@ From 1281efe5b451e0fd030406bc68be9d1f9356adc5 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 14:55:58 -0800 -Subject: [PATCH 14/19] openldap module passwd sha2 +Subject: [PATCH 14/20] openldap module passwd sha2 From Stx 1901: openldap-module-passwd-sha2.patch Include sha2 module diff --git a/recipes-support/openldap/files/0015-openldap-man-tls-reqcert.patch b/recipes-support/openldap/files/0015-openldap-man-tls-reqcert.patch index 4a1b45b..5b1f543 100644 --- a/recipes-support/openldap/files/0015-openldap-man-tls-reqcert.patch +++ b/recipes-support/openldap/files/0015-openldap-man-tls-reqcert.patch @@ -1,7 +1,7 @@ From 5b8f3344a00d1623d54d1e1de9e7207895067473 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 15:13:00 -0800 -Subject: [PATCH 15/19] openldap man tls reqcert +Subject: [PATCH 15/20] openldap man tls reqcert From Stx 1901: openldap-man-tls-reqcert.patch From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001 diff --git a/recipes-support/openldap/files/0016-openldap-man-ldap-conf.patch b/recipes-support/openldap/files/0016-openldap-man-ldap-conf.patch index f76bec0..a2e8aa7 100644 --- a/recipes-support/openldap/files/0016-openldap-man-ldap-conf.patch +++ b/recipes-support/openldap/files/0016-openldap-man-ldap-conf.patch @@ -1,7 +1,7 @@ 
From 8196f53139c4d7e6c1cb8508d1a421299f7eaa61 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 15:14:39 -0800 -Subject: [PATCH 16/19] openldap man ldap conf +Subject: [PATCH 16/20] openldap man ldap conf From Stx 1901: openldap-man-ldap-conf.patch diff --git a/recipes-support/openldap/files/0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch b/recipes-support/openldap/files/0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch index 2a28f2f..277816b 100644 --- a/recipes-support/openldap/files/0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch +++ b/recipes-support/openldap/files/0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch @@ -1,7 +1,7 @@ From 4e495a37939a605577c72ed43e1f5a3ab3780611 Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 15:16:35 -0800 -Subject: [PATCH 17/19] openldap bdb_idl_fetch_key correct key pointer +Subject: [PATCH 17/20] openldap bdb_idl_fetch_key correct key pointer From Stx 1901: openldap-bdb_idl_fetch_key-correct-key-pointer.patch diff --git a/recipes-support/openldap/files/0018-openldap-tlsmc.patch b/recipes-support/openldap/files/0018-openldap-tlsmc.patch index 1804a19..683e770 100644 --- a/recipes-support/openldap/files/0018-openldap-tlsmc.patch +++ b/recipes-support/openldap/files/0018-openldap-tlsmc.patch @@ -1,7 +1,7 @@ From 35b08487213749c6da625a446f605b6e7f74d07f Mon Sep 17 00:00:00 2001 From: babak sarashki Date: Sun, 3 Nov 2019 15:24:11 -0800 -Subject: [PATCH 18/19] openldap tlsmc +Subject: [PATCH 18/20] openldap tlsmc From Stx 1901: openldap-tlsmc.patch --- diff --git a/recipes-support/openldap/files/0019-openldap-fedora-systemd.patch b/recipes-support/openldap/files/0019-openldap-fedora-systemd.patch deleted file mode 100644 index 09ec7c9..0000000 --- a/recipes-support/openldap/files/0019-openldap-fedora-systemd.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 4cec0c0cc03d8e9e942be6126676853603487575 Mon Sep 17 00:00:00 2001
-From: babak sarashki
-Date: Sun, 3 Nov 2019 15:25:21 -0800
-Subject: [PATCH 19/19] openldap fedora systemd
-
-From stx 1901: openldap-fedora-systemd.patch
-Skip any empty parameters when parsing command line options.
-This is required because systemd does not expand variables the same way as shell does,
-we need it because of an empty SLAPD_OPTIONS in environment file.
-
-Fedora specific patch.
-
-Author: Jan Vcelak
----
- servers/slapd/main.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/servers/slapd/main.c b/servers/slapd/main.c
-index c212209..23f7656 100644
---- a/servers/slapd/main.c
-+++ b/servers/slapd/main.c
-@@ -685,6 +685,10 @@ unhandled_option:;
- }
- }
-
-+ /* skip empty parameters */
-+ while ( optind < argc && *argv[optind] == '\0' )
-+ optind += 1;
-+
- if ( optind != argc )
- goto unhandled_option;
-
---
-2.17.1
-
diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-ITS7595-Add-EC-support-1.patch b/recipes-support/openldap/files/0019-openldap-openssl-ITS7596-Add-EC-support.patch
similarity index 83%
rename from recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-ITS7595-Add-EC-support-1.patch
rename to recipes-support/openldap/files/0019-openldap-openssl-ITS7596-Add-EC-support.patch
index 62af09f..ef3da1e 100644
--- a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-ITS7595-Add-EC-support-1.patch
+++ b/recipes-support/openldap/files/0019-openldap-openssl-ITS7596-Add-EC-support.patch
@@ -1,15 +1,26 @@ -ITS#7595 Add Elliptic Curve support for OpenSSL +From dc82cdf9c6c25c69c7eee203d1c4f4c91f969ba9 Mon Sep 17 00:00:00 2001 +From: babak sarashki +Date: Tue, 5 Nov 2019 09:30:49 -0800 +Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support -Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08 -Author: Howard Chu -Date: Sat Sep 7 09:47:19 2013 -0700 +From e631ce808ed56119e61321463d06db7999ba5a08 +From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch +--- + doc/man/man5/slapd-config.5 | 7 +++++++ + doc/man/man5/slapd.conf.5 | 7 +++++++ + include/ldap.h | 1 + + libraries/libldap/ldap-int.h | 2 ++ + libraries/libldap/tls2.c | 17 +++++++++++++++++ + libraries/libldap/tls_o.c | 33 ++++++++++++++++++++++++++++++--- + servers/slapd/bconfig.c | 12 +++++++++++- + 7 files changed, 75 insertions(+), 4 deletions(-) diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 -index 49a3959ae..9cd0a4dd1 100644 +index 42032d4..733ff1e 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 -@@ -918,6 +918,13 @@ from the default, otherwise no certificate exchanges or verification will - be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +@@ -922,6 +922,13 @@ are not used. + When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP +.B olcTLSECName: @@ -23,12 +34,12 @@ index 49a3959ae..9cd0a4dd1 100644 Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 -index e2344547e..4eb238162 100644 +index 2d4431f..ffe74ff 100644 --- a/doc/man/man5/slapd.conf.5 
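Review bot: The new Subject line `[PATCH 19/20] openldap openssl ITS7596 Add EC support` and the new file name `0019-openldap-openssl-ITS7596-Add-EC-support.patch` say ITS7596, but the removed title `ITS#7595 Add Elliptic Curve support for OpenSSL`, the added `From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch` line and the Patch52/Patch53 entries in issues/openldap.patches all name ITS#7595, so the number should be fixed before the file name is presumably referenced from the recipe's SRC_URI (the same typo is in 0020's name and Subject). The rewritten header also drops the upstream attribution that the removed lines carried (`Author: Howard Chu`, dated 2013) and keeps only a bare hash, which for a cherry-picked TLS change makes the backport hard to audit against upstream; the layer convention would be to add `Upstream-Status: Backport [e631ce808ed56119e61321463d06db7999ba5a08]` and keep the original author line next to the `From e631ce80…` line. This hunk covers only the patch header; the code hunks of the patch follow in later hunks.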
+++ b/doc/man/man5/slapd.conf.5 -@@ -1149,6 +1149,13 @@ from the default, otherwise no certificate exchanges or verification will - be done. When using GnuTLS these parameters are always generated randomly so - this directive is ignored. This directive is ignored when using Mozilla NSS. +@@ -1153,6 +1153,13 @@ are not used. + When using Mozilla NSS these parameters are always generated randomly + so this directive is ignored. .TP +.B TLSECName +Specify the name of a curve to use for Elliptic curve Diffie-Hellman @@ -41,7 +52,7 @@ index e2344547e..4eb238162 100644 Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, diff --git a/include/ldap.h b/include/ldap.h -index d4d10fa79..9922c9fa8 100644 +index 7bc0644..bb22cb8 100644 --- a/include/ldap.h +++ b/include/ldap.h @@ -158,6 +158,7 @@ LDAP_BEGIN_DECL @@ -53,7 +64,7 @@ index d4d10fa79..9922c9fa8 100644 #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0 diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h -index 1a26b3cb0..5fff785d8 100644 +index 15092c1..f504f44 100644 --- a/libraries/libldap/ldap-int.h +++ b/libraries/libldap/ldap-int.h @@ -165,6 +165,7 @@ struct ldaptls { @@ -73,7 +84,7 @@ index 1a26b3cb0..5fff785d8 100644 #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index a616133da..f39546450 100644 +index 198d0b1..ba4b9c5 100644 --- a/libraries/libldap/tls2.c +++ b/libraries/libldap/tls2.c @@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo ) @@ -106,7 +117,7 @@ index a616133da..f39546450 100644 #endif return rc; } -@@ -674,6 +683,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) +@@ -686,6 +695,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) *(char **)arg = lo->ldo_tls_dhfile ? LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; break; 
@@ -117,7 +128,7 @@ index a616133da..f39546450 100644 case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ *(char **)arg = lo->ldo_tls_crlfile ? LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; -@@ -796,6 +809,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) +@@ -808,6 +821,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; return 0; @@ -129,10 +140,10 @@ index a616133da..f39546450 100644 if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index a2d9cd31f..1a81bc625 100644 +index 92c708b..45afc11 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c -@@ -296,10 +296,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) +@@ -371,10 +371,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) return -1; } @@ -145,7 +156,7 @@ index a2d9cd31f..1a81bc625 100644 if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { Debug( LDAP_DEBUG_ANY, -@@ -318,7 +317,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) +@@ -393,7 +392,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) } BIO_free( bio ); SSL_CTX_set_tmp_dh( ctx, dh ); @@ -182,7 +193,7 @@ index a2d9cd31f..1a81bc625 100644 if ( tlso_opt_trace ) { SSL_CTX_set_info_callback( ctx, tlso_info_cb ); diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c -index 8ade0c3f2..5a3c67a72 100644 +index 250f141..8b1e4e5 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -194,6 +194,7 @@ enum { @@ -225,3 +236,6 @@ index 8ade0c3f2..5a3c67a72 100644 #ifdef HAVE_GNUTLS case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; #endif +-- +2.17.1 + 
diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-ITS7595-Add-EC-support-2.patch b/recipes-support/openldap/files/0020-openldap-openssl-ITS7596-Add-EC-support-patch-2.patch similarity index 53% rename from recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-ITS7595-Add-EC-support-2.patch rename to recipes-support/openldap/files/0020-openldap-openssl-ITS7596-Add-EC-support-patch-2.patch index 6c28f3f..388f46d 100644 --- a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-ITS7595-Add-EC-support-2.patch +++ b/recipes-support/openldap/files/0020-openldap-openssl-ITS7596-Add-EC-support-patch-2.patch @@ -1,14 +1,19 @@ -ITS#7595 don't try to use EC if OpenSSL lacks it +From 14058818a2d2aa42427a0e9433957c90a1264ec5 Mon Sep 17 00:00:00 2001 +From: babak sarashki +Date: Tue, 5 Nov 2019 09:50:55 -0800 +Subject: [PATCH 20/20] openldap openssl ITS7596 Add EC support patch 2 -Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d -Author: Howard Chu -Date: Sun Sep 8 06:32:23 2013 -0700 +From 721e46fe6695077d63a3df6ea2e397920a72308d +From stx 1901 openldap-openssl-ITS7595-Add-EC-support-2.patch +--- + libraries/libldap/tls_o.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index 1a81bc625..71c2b055c 100644 +index 45afc11..0a70156 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c -@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) +@@ -396,8 +396,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) DH_free( dh ); } 
@@ -22,7 +27,7 @@ index 1a81bc625..71c2b055c 100644 EC_KEY *ecdh; int nid = OBJ_sn2nid( lt->lt_ecname ); -@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) +@@ -419,8 +423,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) SSL_CTX_set_tmp_ecdh( ctx, ecdh ); SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); EC_KEY_free( ecdh ); @@ -32,3 +37,6 @@ index 1a81bc625..71c2b055c 100644 if ( tlso_opt_trace ) { SSL_CTX_set_info_callback( ctx, tlso_info_cb ); +-- +2.17.1 + diff --git a/recipes-support/openldap/files/0021-openldap-and-stx-source-and-config-files.patch b/recipes-support/openldap/files/0021-openldap-and-stx-source-and-config-files.patch new file mode 100644 index 0000000..14f74d0 --- /dev/null +++ b/recipes-support/openldap/files/0021-openldap-and-stx-source-and-config-files.patch 
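Review bot: The rebased hunk `+@@ -419,8 +423,8 @@` only moves the offsets, leaving the 2013 code path that pins one curve with `SSL_CTX_set_tmp_ecdh( ctx, ecdh );` and then sets `SSL_OP_SINGLE_ECDH_USE`; if Poky's base is OpenSSL 1.1 (as the ITS#8353/ITS#8533 "OpenSSL 1.1.0c compat" commits listed in issues/openldap.patches suggest), `SSL_OP_SINGLE_ECDH_USE` is a no-op there and `SSL_CTX_set_tmp_ecdh` replaces the default automatic group list (X25519 plus the NIST P-curves) with that single curve, so a configured TLSECName restricts rather than enables ECDHE. Consider guarding this branch with `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` and using `SSL_CTX_set1_curves_list( ctx, lt->lt_ecname );` in that case so the administrator narrows the negotiated groups without losing the library defaults, and state in the TLSECName man-page text added by 0019 that the directive restricts the server to one curve. tlso_ctx_init begins and ends outside this hunk, so how an unknown curve name (`OBJ_sn2nid` returning NID_undef) is handled cannot be confirmed from what is shown.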
@@ -0,0 +1,997 @@ +From 2adc9fa71e3a47542793e61c7794629fa9255a57 Mon Sep 17 00:00:00 2001 +From: babak sarashki +Date: Tue, 5 Nov 2019 14:49:06 -0800 +Subject: [PATCH] openldap and stx source and config files + +From stx 1901 openldap-2.4.44-21.el7_6.src.rpm +--- + stx-sources/ldap.conf | 18 +++ + stx-sources/libexec-check-config.sh | 91 ++++++++++++ + stx-sources/libexec-convert-config.sh | 79 ++++++++++ + stx-sources/libexec-create-certdb.sh | 70 +++++++++ + stx-sources/libexec-functions | 136 +++++++++++++++++ + stx-sources/libexec-generate-server-cert.sh | 118 +++++++++++++++ + stx-sources/libexec-update-ppolicy-schema.sh | 142 ++++++++++++++++++ + stx-sources/libexec-upgrade-db.sh | 40 +++++ + stx-sources/openldap.tmpfiles | 3 + + stx-sources/slapd.ldif | 148 +++++++++++++++++++ + stx-sources/slapd.service | 19 +++ + stx-sources/slapd.sysconfig | 15 ++ + stx-sources/slapd.tmpfiles | 2 + + 13 files changed, 881 insertions(+) + create mode 100644 stx-sources/ldap.conf + create mode 100755 stx-sources/libexec-check-config.sh + create mode 100755 stx-sources/libexec-convert-config.sh + create mode 100755 stx-sources/libexec-create-certdb.sh + create mode 100644 stx-sources/libexec-functions + create mode 100755 stx-sources/libexec-generate-server-cert.sh + create mode 100755 stx-sources/libexec-update-ppolicy-schema.sh + create mode 100755 stx-sources/libexec-upgrade-db.sh + create mode 100644 stx-sources/openldap.tmpfiles + create mode 100644 stx-sources/slapd.ldif + create mode 100644 stx-sources/slapd.service + create mode 100644 stx-sources/slapd.sysconfig + create mode 100644 stx-sources/slapd.tmpfiles + +diff --git a/stx-sources/ldap.conf b/stx-sources/ldap.conf +new file mode 100644 +index 0000000..aa6f8fd +--- /dev/null ++++ b/stx-sources/ldap.conf +@@ -0,0 +1,18 @@ ++# ++# LDAP Defaults ++# ++ ++# See ldap.conf(5) for details ++# This file should be world readable but not world writable. 
++ ++#BASE dc=example,dc=com ++#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 ++ ++#SIZELIMIT 12 ++#TIMELIMIT 15 ++#DEREF never ++ ++TLS_CACERTDIR /etc/openldap/certs ++ ++# Turning this off breaks GSSAPI used with krb5 when rdns = false ++SASL_NOCANON on +diff --git a/stx-sources/libexec-check-config.sh b/stx-sources/libexec-check-config.sh +new file mode 100755 +index 0000000..87e377f +--- /dev/null ++++ b/stx-sources/libexec-check-config.sh +@@ -0,0 +1,91 @@ ++#!/bin/sh ++# Author: Jan Vcelak ++ ++. /usr/libexec/openldap/functions ++ ++function check_config_syntax() ++{ ++ retcode=0 ++ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap` ++ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest ++ if [ $? -ne 0 ]; then ++ error "Checking configuration file failed:" ++ cat $tmp_slaptest >&2 ++ retcode=1 ++ fi ++ rm $tmp_slaptest ++ return $retcode ++} ++ ++function check_certs_perms() ++{ ++ retcode=0 ++ for cert in `certificates`; do ++ run_as_ldap "/usr/bin/test -e \"$cert\"" ++ if [ $? -ne 0 ]; then ++ error "TLS certificate/key/DB '%s' was not found." "$cert" ++ retcoder=1 ++ continue ++ fi ++ run_as_ldap "/usr/bin/test -r \"$cert\"" ++ if [ $? -ne 0 ]; then ++ error "TLS certificate/key/DB '%s' is not readable." "$cert" ++ retcode=1 ++ fi ++ done ++ return $retcode ++} ++ ++function check_db_perms() ++{ ++ retcode=0 ++ for dbdir in `databases`; do ++ [ -d "$dbdir" ] || continue ++ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do ++ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" ++ if [ $? -ne 0 ]; then ++ error "Read/write permissions for DB file '%s' are required." 
"$dbfile" ++ retcode=1 ++ fi ++ done ++ done ++ return $retcode ++} ++ ++function check_everything() ++{ ++ retcode=0 ++ check_config_syntax || retcode=1 ++ # TODO: need support for Mozilla NSS, disabling temporarily ++ #check_certs_perms || retcode=1 ++ check_db_perms || retcode=1 ++ return $retcode ++} ++ ++if [ `id -u` -ne 0 ]; then ++ error "You have to be root to run this script." ++ exit 4 ++fi ++ ++load_sysconfig ++ ++if [ -n "$SLAPD_CONFIG_DIR" ]; then ++ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then ++ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" ++ else ++ check_everything ++ exit $? ++ fi ++fi ++ ++if [ -n "$SLAPD_CONFIG_FILE" ]; then ++ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then ++ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE" ++ else ++ error "Warning: Usage of a configuration file is obsolete!" ++ check_everything ++ exit $? ++ fi ++fi ++ ++exit 1 +diff --git a/stx-sources/libexec-convert-config.sh b/stx-sources/libexec-convert-config.sh +new file mode 100755 +index 0000000..824c3b1 +--- /dev/null ++++ b/stx-sources/libexec-convert-config.sh +@@ -0,0 +1,79 @@ ++#!/bin/sh ++# Author: Jan Vcelak ++ ++. /usr/libexec/openldap/functions ++ ++function help() ++{ ++ error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`" ++ exit 2 ++} ++ ++load_sysconfig ++ ++while getopts :f:F: opt; do ++ case "$opt" in ++ f) ++ SLAPD_CONFIG_FILE="$OPTARG" ++ ;; ++ F) ++ SLAPD_CONFIG_DIR="$OPTARG" ++ ;; ++ *) ++ help ++ ;; ++ esac ++done ++shift $((OPTIND-1)) ++[ -n "$1" ] && help ++ ++# check source, target ++ ++if [ ! -f "$SLAPD_CONFIG_FILE" ]; then ++ error "Source configuration file '%s' not found." 
"$SLAPD_CONFIG_FILE" ++ exit 1 ++fi ++ ++if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then ++ SLAPD_CONFIG_FILE_FORMAT=ldif ++else ++ SLAPD_CONFIG_FILE_FORMAT=conf ++fi ++ ++if [ -d "$SLAPD_CONFIG_DIR" ]; then ++ if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then ++ error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" ++ exit 1 ++ fi ++fi ++ ++# perform the conversion ++ ++tmp_convert=`mktemp --tmpdir=/var/run/openldap` ++ ++if [ `id -u` -eq 0 ]; then ++ install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert ++ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then ++ run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert ++ else ++ run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert ++ fi ++ retcode=$? ++else ++ error "You are not root! Permission will not be set." ++ install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert ++ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then ++ /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert ++ else ++ /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert ++ fi ++ retcode=$? 
++fi ++ ++if [ $retcode -ne 0 ]; then ++ error "Configuration conversion failed:" ++ cat $tmp_convert >&2 ++fi ++ ++rm $tmp_convert ++exit $retcode +diff --git a/stx-sources/libexec-create-certdb.sh b/stx-sources/libexec-create-certdb.sh +new file mode 100755 +index 0000000..2377fdd +--- /dev/null ++++ b/stx-sources/libexec-create-certdb.sh +@@ -0,0 +1,70 @@ ++#!/bin/bash ++# Author: Jan Vcelak ++ ++set -e ++ ++# default options ++ ++CERTDB_DIR=/etc/openldap/certs ++ ++# internals ++ ++MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so" ++RANDOM_SOURCE=/dev/urandom ++PASSWORD_BYTES=32 ++ ++# parse arguments ++ ++usage() { ++ printf "usage: create-certdb.sh [-d certdb]\n" >&2 ++ exit 1 ++} ++ ++while getopts "d:" opt; do ++ case "$opt" in ++ d) ++ CERTDB_DIR="$OPTARG" ++ ;; ++ \?) ++ usage ++ ;; ++ esac ++done ++ ++[ "$OPTIND" -le "$#" ] && usage ++ ++# verify target location ++ ++if [ ! -d "$CERTDB_DIR" ]; then ++ printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2 ++ exit 1 ++fi ++ ++if [ ! 
"$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then ++ printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2 ++ exit 1 ++fi ++ ++# create the database ++ ++printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2 ++ ++PASSWORD_FILE="$CERTDB_DIR/password" ++OLD_UMASK="$(umask)" ++umask 0377 ++dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE" ++umask "$OLD_UMASK" ++ ++certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null ++ ++# load module with builtin CA certificates ++ ++echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null ++ ++# tune permissions ++ ++for dbfile in "$CERTDB_DIR"/*.db; do ++ chmod 0644 "$dbfile" ++done ++ ++exit 0 +diff --git a/stx-sources/libexec-functions b/stx-sources/libexec-functions +new file mode 100644 +index 0000000..98c8631 +--- /dev/null ++++ b/stx-sources/libexec-functions +@@ -0,0 +1,136 @@ ++# Author: Jan Vcelak ++ ++SLAPD_USER= ++SLAPD_CONFIG_FILE= ++SLAPD_CONFIG_DIR= ++SLAPD_CONFIG_CUSTOM= ++SLAPD_GLOBAL_OPTIONS= ++SLAPD_SYSCONFIG_FILE= ++ ++function default_config() ++{ ++ SLAPD_USER=ldap ++ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf ++ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d ++ SLAPD_CONFIG_CUSTOM= ++ SLAPD_GLOBAL_OPTIONS= ++ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd ++} ++ ++function parse_config_options() ++{ ++ user= ++ config_file= ++ config_dir= ++ while getopts :u:f:F: opt; do ++ case "$opt" in ++ u) ++ user="$OPTARG" ++ ;; ++ f) ++ config_file="$OPTARG" ++ ;; ++ F) ++ config_dir="$OPTARG" ++ ;; ++ esac ++ done ++ ++ unset OPTIND ++ ++ if [ -n "$user" ]; then ++ SLAPD_USER="$user" ++ fi ++ ++ if [ -n "$config_dir" ]; then ++ SLAPD_CONFIG_DIR="$config_dir" ++ SLAPD_CONFIG_FILE= ++ SLAPD_CONFIG_CUSTOM=1 ++ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" ++ elif [ -n "$config_file" ]; then ++ SLAPD_CONFIG_DIR= ++ SLAPD_CONFIG_FILE="$config_file" ++ SLAPD_CONFIG_CUSTOM=1 ++ SLAPD_GLOBAL_OPTIONS="-f '$config_file'" ++ fi ++} ++ 
++function uses_new_config() ++{ ++ [ -n "$SLAPD_CONFIG_DIR" ] ++ return $? ++} ++ ++function run_as_ldap() ++{ ++ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" ++ return $? ++} ++ ++function ldif_unbreak() ++{ ++ sed ':a;N;s/\n //;ta;P;D' ++} ++ ++function ldif_value() ++{ ++ sed 's/^[^:]*: //' ++} ++ ++function databases_new() ++{ ++ slapcat $SLAPD_GLOBAL_OPTIONS -c \ ++ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ ++ ldif_unbreak | \ ++ grep '^olcDbDirectory: ' | \ ++ ldif_value ++} ++ ++function databases_old() ++{ ++ awk 'begin { database="" } ++ $1 == "database" { database=$2 } ++ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ ++ "$SLAPD_CONFIG_FILE" ++} ++ ++function certificates_new() ++{ ++ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ ++ ldif_unbreak | \ ++ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ ++ ldif_value ++} ++ ++function certificates_old() ++{ ++ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ ++ "$SLAPD_CONFIG_FILE" ++} ++ ++function certificates() ++{ ++ uses_new_config && certificates_new || certificates_old ++} ++ ++function databases() ++{ ++ uses_new_config && databases_new || databases_old ++} ++ ++ ++function error() ++{ ++ format="$1\n"; shift ++ printf "$format" $@ >&2 ++} ++ ++function load_sysconfig() ++{ ++ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return ++ ++ . 
"$SLAPD_SYSCONFIG_FILE" ++ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS ++} ++ ++default_config +diff --git a/stx-sources/libexec-generate-server-cert.sh b/stx-sources/libexec-generate-server-cert.sh +new file mode 100755 +index 0000000..e2f4974 +--- /dev/null ++++ b/stx-sources/libexec-generate-server-cert.sh +@@ -0,0 +1,118 @@ ++#!/bin/bash ++# Author: Jan Vcelak ++ ++set -e ++ ++# default options ++ ++CERTDB_DIR=/etc/openldap/certs ++CERT_NAME="OpenLDAP Server" ++PASSWORD_FILE= ++HOSTNAME_FQDN="$(hostname --fqdn)" ++ALT_NAMES= ++ONCE=0 ++ ++# internals ++ ++RANDOM_SOURCE=/dev/urandom ++CERT_RANDOM_BYTES=256 ++CERT_KEY_TYPE=rsa ++CERT_KEY_SIZE=1024 ++CERT_VALID_MONTHS=12 ++ ++# parse arguments ++ ++usage() { ++ printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2 ++ printf " [-p password-file] [-h hostnames]\n" >&2 ++ printf " [-a dns-alt-names] [-o]\n" >&2 ++ exit 1 ++} ++ ++while getopts "d:n:p:h:a:o" opt; do ++ case "$opt" in ++ d) ++ CERTDB_DIR="$OPTARG" ++ ;; ++ n) ++ CERT_NAME="$OPTARG" ++ ;; ++ p) ++ PASSWORD_FILE="$OPTARG" ++ ;; ++ h) ++ HOSTNAME_FQDN="$OPTARG" ++ ;; ++ a) ++ ALT_NAMES="$OPTARG" ++ ;; ++ o) ++ ONCE=1 ++ ;; ++ \?) ++ usage ++ ;; ++ esac ++done ++ ++[ "$OPTIND" -le "$#" ] && usage ++ ++# generated options ++ ++ONCE_FILE="$CERTDB_DIR/.slapd-leave" ++PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}" ++ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}" ++ ++# verify target location ++ ++if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then ++ printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2 ++ exit 0 ++fi ++ ++if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then ++ printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2 ++ exit 1 ++fi ++ ++printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2 ++ ++if [ ! 
-r "$PASSWORD_FILE" ]; then ++ printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2 ++ exit 1 ++fi ++ ++if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then ++ printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2 ++ exit 1 ++fi ++ ++# generate server certificate (self signed) ++ ++ ++CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap) ++dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null ++ ++certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \ ++ -S -x -n "$CERT_NAME" \ ++ -s "CN=$HOSTNAME_FQDN" \ ++ -t TC,, \ ++ -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \ ++ -v $CERT_VALID_MONTHS \ ++ -8 "$ALT_NAMES" \ ++ &>/dev/null ++ ++rm -f $CERT_RANDOM ++ ++# tune permissions ++ ++if [ "$(id -u)" -eq 0 ]; then ++ chgrp ldap "$PASSWORD_FILE" ++ chmod g+r "$PASSWORD_FILE" ++else ++ printf "WARNING: The server requires read permissions on the password file in order to\n" >&2 ++ printf " load it's private key from the certificate database.\n" >&2 ++fi ++ ++touch "$ONCE_FILE" ++exit 0 +diff --git a/stx-sources/libexec-update-ppolicy-schema.sh b/stx-sources/libexec-update-ppolicy-schema.sh +new file mode 100755 +index 0000000..a853b27 +--- /dev/null ++++ b/stx-sources/libexec-update-ppolicy-schema.sh +@@ -0,0 +1,142 @@ ++#!/bin/bash ++# This script serves one purpose, to add a possibly missing attribute ++# to a ppolicy schema in a dynamic configuration of OpenLDAP. This ++# attribute was introduced in openldap-2.4.43 and slapd will not ++# start without it later on. ++# ++# The script tries to update in a directory given as first parameter, ++# or in /etc/openldap/slapd.d implicitly. ++# ++# Author: Matus Honek ++# Bugzilla: #1487857 ++ ++function log { ++ echo "Update dynamic configuration: " $@ ++ true ++} ++ ++function iferr { ++ if [ $? 
-ne 0 ]; then ++ log "ERROR: " $@ ++ true ++ else ++ false ++ fi ++} ++ ++function update { ++ set -u ++ shopt -s extglob ++ ++ ORIGINAL="${1:-/etc/openldap/slapd.d}" ++ ORIGINAL="${ORIGINAL%*(/)}" ++ ++ ### check if necessary ++ grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null ++ [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0 ++ ++ ### prep ++ log "Prepare environment." ++ ++ TEMPDIR=$(mktemp -d) ++ iferr "Could not create a temporary directory. Quitting." && return 1 ++ DBDIR="${TEMPDIR}/db" ++ SUBDBDIR="${DBDIR}/cn=temporary" ++ ++ mkdir "${DBDIR}" ++ iferr "Could not create temporary configuration directory. Quitting." && return 1 ++ cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}" ++ iferr "Could not copy configuration. Quitting." && return 1 ++ ++ pushd "$TEMPDIR" >/dev/null ++ ++ cat > temp.conf </dev/null 2>&1 & ++ SLAPDPID="$!" ++ sleep 2 ++ ++ ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null \ ++ | sed '/^$/d') ++ DN=$(printf "$RES" | grep '^dn:') ++ OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'") ++ NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }" ++ ++ test $(echo "$DN" | wc -l) = 1 ++ iferr "Received more than one DN. Cannot continue. Quitting." && return 1 ++ test "$NEWOC" != "$OC" ++ iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1 ++ ++ ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null ++ ++ ### apply ++ log "Apply changes." ++ cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup" ++ iferr "Backing up old configuration failed. Quitting." && return 1 ++ cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL" ++ iferr "Applying new configuration failed. Quitting." && return 1 ++ ++ ### clean up ++ log "Clean up." ++ kill "$SLAPDPID" ++ SLAPDPID= ++ rm -rf "$TEMPDIR" ++ TEMPDIR= ++} ++ ++SLAPDPID= ++TEMPDIR= ++update "$1" ++if [ $? -ne 0 ]; then ++ log "Clean up." 
++ echo "$SLAPDPID" ++ echo "$TEMPDIR" ++ kill "$SLAPDPID" ++ rm -rf "$TEMPDIR" ++fi ++log "Finished." +diff --git a/stx-sources/libexec-upgrade-db.sh b/stx-sources/libexec-upgrade-db.sh +new file mode 100755 +index 0000000..1543c80 +--- /dev/null ++++ b/stx-sources/libexec-upgrade-db.sh +@@ -0,0 +1,40 @@ ++#!/bin/sh ++# Author: Jan Vcelak ++ ++. /usr/libexec/openldap/functions ++ ++if [ `id -u` -ne 0 ]; then ++ error "You have to be root to run this command." ++ exit 4 ++fi ++ ++load_sysconfig ++retcode=0 ++ ++for dbdir in `databases`; do ++ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" ++ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` ++ ++ # skip uninitialized database ++ [ -z "$bdb_files"] || continue ++ ++ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" ++ ++ # perform the update ++ for command in \ ++ "/usr/bin/db_recover -v -h \"$dbdir\"" \ ++ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ ++ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ ++ ; do ++ printf "Executing: %s\n" "$command" &>>$upgrade_log ++ run_as_ldap "$command" &>>$upgrade_log ++ result=$? ++ printf "Exit code: %d\n" $result >>"$upgrade_log" ++ if [ $result -ne 0 ]; then ++ printf "Upgrade failed: %d\n" $result ++ retcode=1 ++ fi ++ done ++done ++ ++exit $retcode +diff --git a/stx-sources/openldap.tmpfiles b/stx-sources/openldap.tmpfiles +new file mode 100644 +index 0000000..aa0e805 +--- /dev/null ++++ b/stx-sources/openldap.tmpfiles +@@ -0,0 +1,3 @@ ++# OpenLDAP TLSMC runtime directories ++x /tmp/openldap-tlsmc-* ++X /tmp/openldap-tlsmc-* +diff --git a/stx-sources/slapd.ldif b/stx-sources/slapd.ldif +new file mode 100644 +index 0000000..7b7f328 +--- /dev/null ++++ b/stx-sources/slapd.ldif +@@ -0,0 +1,148 @@ ++# ++# See slapd-config(5) for details on configuration options. ++# This file should NOT be world readable. 
++# ++ ++dn: cn=config ++objectClass: olcGlobal ++cn: config ++olcArgsFile: /var/run/openldap/slapd.args ++olcPidFile: /var/run/openldap/slapd.pid ++# ++# TLS settings ++# ++olcTLSCACertificatePath: /etc/openldap/certs ++olcTLSCertificateFile: "OpenLDAP Server" ++olcTLSCertificateKeyFile: /etc/openldap/certs/password ++# ++# Do not enable referrals until AFTER you have a working directory ++# service AND an understanding of referrals. ++# ++#olcReferral: ldap://root.openldap.org ++# ++# Sample security restrictions ++# Require integrity protection (prevent hijacking) ++# Require 112-bit (3DES or better) encryption for updates ++# Require 64-bit encryption for simple bind ++# ++#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 ++ ++ ++# ++# Load dynamic backend modules: ++# - modulepath is architecture dependent value (32/64-bit system) ++# - back_sql.la backend requires openldap-servers-sql package ++# - dyngroup.la and dynlist.la cannot be used at the same time ++# ++ ++#dn: cn=module,cn=config ++#objectClass: olcModuleList ++#cn: module ++#olcModulepath: /usr/lib/openldap ++#olcModulepath: /usr/lib64/openldap ++#olcModuleload: accesslog.la ++#olcModuleload: auditlog.la ++#olcModuleload: back_dnssrv.la ++#olcModuleload: back_ldap.la ++#olcModuleload: back_mdb.la ++#olcModuleload: back_meta.la ++#olcModuleload: back_null.la ++#olcModuleload: back_passwd.la ++#olcModuleload: back_relay.la ++#olcModuleload: back_shell.la ++#olcModuleload: back_sock.la ++#olcModuleload: collect.la ++#olcModuleload: constraint.la ++#olcModuleload: dds.la ++#olcModuleload: deref.la ++#olcModuleload: dyngroup.la ++#olcModuleload: dynlist.la ++#olcModuleload: memberof.la ++#olcModuleload: pcache.la ++#olcModuleload: ppolicy.la ++#olcModuleload: refint.la ++#olcModuleload: retcode.la ++#olcModuleload: rwm.la ++#olcModuleload: seqmod.la ++#olcModuleload: smbk5pwd.la ++#olcModuleload: sssvlv.la ++#olcModuleload: syncprov.la ++#olcModuleload: translucent.la ++#olcModuleload: unique.la 
++#olcModuleload: valsort.la ++ ++ ++# ++# Schema settings ++# ++ ++dn: cn=schema,cn=config ++objectClass: olcSchemaConfig ++cn: schema ++ ++include: file:///etc/openldap/schema/core.ldif ++ ++# ++# Frontend settings ++# ++ ++dn: olcDatabase=frontend,cn=config ++objectClass: olcDatabaseConfig ++objectClass: olcFrontendConfig ++olcDatabase: frontend ++# ++# Sample global access control policy: ++# Root DSE: allow anyone to read it ++# Subschema (sub)entry DSE: allow anyone to read it ++# Other DSEs: ++# Allow self write access ++# Allow authenticated users read access ++# Allow anonymous users to authenticate ++# ++#olcAccess: to dn.base="" by * read ++#olcAccess: to dn.base="cn=Subschema" by * read ++#olcAccess: to * ++# by self write ++# by users read ++# by anonymous auth ++# ++# if no access controls are present, the default policy ++# allows anyone and everyone to read anything but restricts ++# updates to rootdn. (e.g., "access to * by * read") ++# ++# rootdn can always read and write EVERYTHING! 
++# ++ ++# ++# Configuration database ++# ++ ++dn: olcDatabase=config,cn=config ++objectClass: olcDatabaseConfig ++olcDatabase: config ++olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c ++ n=auth" manage by * none ++ ++# ++# Server status monitoring ++# ++ ++dn: olcDatabase=monitor,cn=config ++objectClass: olcDatabaseConfig ++olcDatabase: monitor ++olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c ++ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none ++ ++# ++# Backend database definitions ++# ++ ++dn: olcDatabase=hdb,cn=config ++objectClass: olcDatabaseConfig ++objectClass: olcHdbConfig ++olcDatabase: hdb ++olcSuffix: dc=my-domain,dc=com ++olcRootDN: cn=Manager,dc=my-domain,dc=com ++olcDbDirectory: /var/lib/ldap ++olcDbIndex: objectClass eq,pres ++olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub +diff --git a/stx-sources/slapd.service b/stx-sources/slapd.service +new file mode 100644 +index 0000000..8a3a722 +--- /dev/null ++++ b/stx-sources/slapd.service +@@ -0,0 +1,19 @@ ++[Unit] ++Description=OpenLDAP Server Daemon ++After=syslog.target network-online.target ++Documentation=man:slapd ++Documentation=man:slapd-config ++Documentation=man:slapd-hdb ++Documentation=man:slapd-mdb ++Documentation=file:///usr/share/doc/openldap-servers/guide.html ++ ++[Service] ++Type=forking ++PIDFile=/var/run/openldap/slapd.pid ++Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS=" ++EnvironmentFile=/etc/sysconfig/slapd ++ExecStartPre=/usr/libexec/openldap/check-config.sh ++ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS ++ ++[Install] ++WantedBy=multi-user.target +diff --git a/stx-sources/slapd.sysconfig b/stx-sources/slapd.sysconfig +new file mode 100644 +index 0000000..68091a5 +--- /dev/null ++++ b/stx-sources/slapd.sysconfig +@@ -0,0 +1,15 @@ ++# OpenLDAP server configuration ++# see 'man slapd' for additional information ++ ++# Where the server will run (-h option) ++# - 
ldapi:/// is required for on-the-fly configuration using client tools ++# (use SASL with EXTERNAL mechanism for authentication) ++# - default: ldapi:/// ldap:/// ++# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// ++SLAPD_URLS="ldapi:/// ldap:///" ++ ++# Any custom options ++#SLAPD_OPTIONS="" ++ ++# Keytab location for GSSAPI Kerberos authentication ++#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" +diff --git a/stx-sources/slapd.tmpfiles b/stx-sources/slapd.tmpfiles +new file mode 100644 +index 0000000..56aa32e +--- /dev/null ++++ b/stx-sources/slapd.tmpfiles +@@ -0,0 +1,2 @@ ++# openldap runtime directory for slapd.arg and slapd.pid ++d /var/run/openldap 0755 ldap ldap - +-- +2.17.1 + diff --git a/recipes-support/openldap/files/0022-ltb-project-openldap-ppolicy-check-password-1.1.patch b/recipes-support/openldap/files/0022-ltb-project-openldap-ppolicy-check-password-1.1.patch new file mode 100644 index 0000000..d66cc7a --- /dev/null +++ b/recipes-support/openldap/files/0022-ltb-project-openldap-ppolicy-check-password-1.1.patch 
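Review bot: `check_config_syntax` in libexec-check-config.sh runs under `#!/bin/sh` but relies on the bash-only `&>$tmp_slaptest` redirection (and on the `function` keyword); on a target whose /bin/sh is a strict POSIX shell such as dash, `&>` parses as a background job followed by an empty redirection, `$?` is then always 0, and the `ExecStartPre=/usr/libexec/openldap/check-config.sh` step in slapd.service can no longer reject a broken configuration — the same applies to the `&>>` redirections in libexec-convert-config.sh and libexec-upgrade-db.sh, so either give these three scripts the `#!/bin/bash` shebang that libexec-create-certdb.sh and libexec-generate-server-cert.sh already use, or write `>"$tmp_slaptest" 2>&1`. Two further defects in the same scripts: `check_certs_perms` sets `retcoder=1` instead of `retcode=1` on a missing certificate, so once the commented-out `#check_certs_perms || retcode=1` is re-enabled a missing file would still pass the check, and libexec-upgrade-db.sh's `[ -z "$bdb_files"] || continue` lacks the space before `]` (making `[` fail and every directory be skipped) and also inverts the intent stated in its comment; it should read `[ -n "$bdb_files" ] || continue`. The TLS defaults in slapd.ldif (`olcTLSCertificateFile: "OpenLDAP Server"`, a certificate nickname, and `olcTLSCertificateKeyFile: /etc/openldap/certs/password`, a password file) together with the certutil/modutil-based certdb scripts follow Mozilla NSS conventions; if this recipe builds slapd against OpenSSL, as the 0020 patch name suggests, slapd will fail to load those values as PEM files, so the NSS dependency should be documented or PEM-based defaults shipped. Separately, libexec-generate-server-cert.sh defaults to `CERT_KEY_SIZE=1024` for an RSA key, which is below the 2048-bit minimum generally expected today and worth raising.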
@@ -0,0 +1,775 @@ +From 26002bd1d02d871e3c0526f3a0b7b99e25f3564c Mon Sep 17 00:00:00 2001 +From: babak sarashki +Date: Tue, 5 Nov 2019 18:02:38 -0800 +Subject: [PATCH] ltb project openldap ppolicy check password 1.1 + +From stx 1901 openldap src RPM 2.4.44 +Upstream at https://github.com/ltb-project/openldap-ppolicy-check-password.git +--- + .../INSTALL | 31 ++ + .../LICENSE | 50 ++ + .../Makefile | 48 ++ + .../README | 146 ++++++ + .../check_password.c | 447 ++++++++++++++++++ + 5 files changed, 722 insertions(+) + create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/INSTALL + create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/LICENSE + create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/Makefile + create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/README + create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/check_password.c + +diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL +new file mode 100644 +index 0000000..eb2dab4 +--- /dev/null ++++ b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL +@@ -0,0 +1,31 @@ ++INSTALLATION ++============ ++ ++Build dependencies ++------------------ ++cracklib header files (link with -lcrack). The Makefile does not look for ++cracklib; you may need to provide the paths manually. ++ ++Build ++----- ++Use the provided Makefile to build the module. ++ ++Copy the resulting check_password.so into the OpenLDAP modulepath. ++ ++Or, change the installation path to match with the OpenLDAP module path in the ++Makefile and use 'make install'. ++ ++ ++USAGE ++===== ++Add objectClass 'pwdPolicyChecker' with an attribute ++ ++ pwdCheckModule: check_password.so ++ ++to a password policy entry. ++ ++The module depends on a working cracklib installation including wordlist files. ++If the wordlist files are not readable, the cracklib check will be skipped ++silently. 
++ ++But you can use this module without cracklib, just checks for syntatic checks. +diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE +new file mode 100644 +index 0000000..03f692b +--- /dev/null ++++ b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE +@@ -0,0 +1,50 @@ ++OpenLDAP Public License ++ ++The OpenLDAP Public License ++ Version 2.8.1, 25 November 2003 ++ ++Redistribution and use of this software and associated documentation ++("Software"), with or without modification, are permitted provided ++that the following conditions are met: ++ ++1. Redistributions in source form must retain copyright statements ++ and notices, ++ ++2. Redistributions in binary form must reproduce applicable copyright ++ statements and notices, this list of conditions, and the following ++ disclaimer in the documentation and/or other materials provided ++ with the distribution, and ++ ++3. Redistributions must contain a verbatim copy of this document. ++ ++The OpenLDAP Foundation may revise this license from time to time. ++Each revision is distinguished by a version number. You may use ++this Software under terms of this license revision or under the ++terms of any subsequent revision of the license. ++ ++THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS ++CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, ++INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY ++AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT ++SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) ++OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, ++INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, ++BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER ++CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ++ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++POSSIBILITY OF SUCH DAMAGE. ++ ++The names of the authors and copyright holders must not be used in ++advertising or otherwise to promote the sale, use or other dealing ++in this Software without specific, written prior permission. Title ++to copyright in this Software shall at all times remain with copyright ++holders. ++ ++OpenLDAP is a registered trademark of the OpenLDAP Foundation. ++ ++Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, ++California, USA. All rights reserved. Permission to copy and ++distribute verbatim copies of this document is granted. ++ +diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/Makefile b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile +new file mode 100644 +index 0000000..91de40b +--- /dev/null ++++ b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile +@@ -0,0 +1,48 @@ ++# contrib/slapd-modules/check_password/Makefile ++# Copyright 2007 Michael Steinmann, Calivia. All Rights Reserved. 
++# Updated by Pierre-Yves Bonnetain, B&A Consultants, 2008 ++# ++ ++CC=gcc ++ ++# Where to look for the CrackLib dictionaries ++# ++CRACKLIB=/usr/share/cracklib/pw_dict ++ ++# Path to the configuration file ++# ++CONFIG=/etc/openldap/check_password.conf ++ ++CFLAGS+=-fpic \ ++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ ++ -DCONFIG_FILE="\"$(CONFIG)\"" \ ++ -DDEBUG ++ ++LDAP_LIB=-lldap_r -llber ++ ++# Comment out this line if you do NOT want to use the cracklib. ++# You may have to add an -Ldirectory if the libcrak is not in a standard ++# location ++# ++CRACKLIB_LIB=-lcrack ++ ++LIBS=$(LDAP_LIB) $(CRACKLIB_LIB) ++ ++LIBDIR=/usr/lib/openldap/ ++ ++ ++all: check_password ++ ++check_password.o: ++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c ++ ++check_password: clean check_password.o ++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) ++ ++install: check_password ++ cp -f check_password.so ../../../usr/lib/openldap/modules/ ++ ++clean: ++ $(RM) check_password.o check_password.so check_password.lo ++ $(RM) -r .libs ++ +diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/README b/ltb-project-openldap-ppolicy-check-password-1.1/README +new file mode 100644 +index 0000000..10191c2 +--- /dev/null ++++ b/ltb-project-openldap-ppolicy-check-password-1.1/README +@@ -0,0 +1,146 @@ ++ ++check_password.c - OpenLDAP pwdChecker library ++ ++2007-06-06 Michael Steinmann ++2008-01-30 Pierre-Yves Bonnetain ++2009 Clement Oudot - LTB-project ++2009 Jerome HUET - LTB-project ++ ++check_password.c is an OpenLDAP pwdPolicyChecker module used to check the ++strength and quality of user-provided passwords. ++ ++This module is used as an extension of the OpenLDAP password policy controls, ++see slapo-ppolicy(5) section pwdCheckModule. ++ ++check_password.c will run a number of checks on the passwords to ensure minimum ++strength and quality requirements are met. Passwords that do not meet these ++requirements are rejected. 
++ ++ ++Password checks ++--------------- ++ - passwords shorter than 6 characters are rejected if cracklib is used (because ++ cracklib WILL reject them). ++ ++ - syntactic checks controls how many different character classes are used ++ (lower, upper, digit and punctuation characters). The minimum number of ++ classes is defined in a configuration file. You can set the minimum for each ++ class. ++ ++ - passwords are checked against cracklib if cracklib is enabled at compile ++ time. It can be disabled in configuration file. ++ ++INSTALLATION ++------------ ++Use the provided Makefile to build the module. ++ ++Compilation constants : ++ ++CONFIG_FILE : Path to the configuration file. ++ Defaults to /etc/openldap/check_password.conf ++ ++DEBUG : If defined, check_password will syslog() its actions. ++ ++Build dependencies ++cracklib header files (link with -lcrack). The Makefile does not look for ++cracklib; you may need to provide the paths manually. ++ ++Install into the slapd server module path. Change the installation ++path to match with the OpenLDAP module path in the Makefile. ++ ++The module may be defined with slapd.conf parameter "modulepath". ++ ++USAGE ++----- ++To use this module you need to add objectClass pwdPolicyChecker with an ++attribute 'pwdCheckModule: check_password.so' to a password policy entry. ++ ++The module depends on a working cracklib installation including wordlist files. ++If the wordlist files are not readable, the cracklib check will be skipped ++silently. ++ ++Note: pwdPolicyChecker modules are loaded on *every* password change operation. ++ ++Configuration ++------------- ++The configuration file (/etc/openldap/check_password.conf by default) contains ++parameters for the module. If the file is not found, parameters are given their ++default value. ++ ++The syntax of the file is : ++ ++parameter value ++ ++with spaces being delimiters. Parameter names ARE case sensitive (this may ++change in the future). 
++ ++Current parameters : ++ ++- useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification. ++ It has no effect if cracklib is not included at compile time. ++ ++- minPoints: integer. Default value: 3. Minimum number of quality points a new ++ password must have to be accepted. One quality point is awarded for each character ++ class used in the password. ++ ++- minUpper: integer. Defaut value: 0. Minimum upper characters expected. ++ ++- minLower: integer. Defaut value: 0. Minimum lower characters expected. ++ ++- minDigit: integer. Defaut value: 0. Minimum digit characters expected. ++ ++- minPunct: integer. Defaut value: 0. Minimum punctuation characters expected. ++ ++Logs ++---- ++If a user password is rejected by an OpenLDAP pwdChecker module, the user will ++*not* get a detailed error message, this is by design. ++ ++Typical user message from ldappasswd(5): ++ Result: Constraint violation (19) ++ Additional info: Password fails quality checking policy ++ ++A more detailed message is written to the server log. ++ ++Server log: ++ check_password_quality: module error: (check_password.so) ++ Password for dn=".." does not pass required number of strength checks (2 of 3) ++ ++ ++Caveats ++------- ++Runtime errors with this module (such as cracklib configuration problems) may ++bring down the slapd process. ++ ++Use at your own risk. ++ ++ ++TODO ++---- ++* use proper malloc function, see ITS#4998 ++ ++ ++HISTORY ++------- ++* 2009-10-30 Clement OUDOT - LTB-project ++ Version 1.1 ++ - Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunct ++ ++* 2009-02-05 Clement Oudot - LINAGORA Group ++ Version 1.0.3 ++ - Add useCracklib parameter in config file (with help of Pascal Pejac) ++ - Prefix log messages with "check_password: " ++ - Log what character type is found for quality checking ++ ++* 2008-01-31 Pierre-Yves Bonnetain ++ Version 1.0.2 ++ - Several bug fixes. 
++ - Add external config file ++ ++* 2007-06-06 Michael Steinmann ++ Version 1.0.1 ++ - add dn to error messages ++ ++* 2007-06-02 Michael Steinmann ++ Version 1.0 ++ +diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c +new file mode 100644 +index 0000000..f4dd1cb +--- /dev/null ++++ b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c +@@ -0,0 +1,447 @@ ++/* ++ * check_password.c for OpenLDAP ++ * ++ * See LICENSE, README and INSTALL files ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef HAVE_CRACKLIB ++#include ++#endif ++ ++#if defined(DEBUG) ++#include ++#endif ++ ++#ifndef CRACKLIB_DICTPATH ++#define CRACKLIB_DICTPATH "/usr/share/cracklib/pw_dict" ++#endif ++ ++#ifndef CONFIG_FILE ++#define CONFIG_FILE "/etc/openldap/check_password.conf" ++#endif ++ ++#define DEFAULT_QUALITY 3 ++#define DEFAULT_CRACKLIB 1 ++#define MEMORY_MARGIN 50 ++#define MEM_INIT_SZ 64 ++#define FILENAME_MAXLEN 512 ++ ++#define PASSWORD_TOO_SHORT_SZ \ ++ "Password for dn=\"%s\" is too short (%d/6)" ++#define PASSWORD_QUALITY_SZ \ ++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" ++#define BAD_PASSWORD_SZ \ ++ "Bad password for dn=\"%s\" because %s" ++#define UNKNOWN_ERROR_SZ \ ++ "An unknown error occurred, please see your systems administrator" ++ ++typedef int (*validator) (char*); ++static int read_config_file (); ++static validator valid_word (char *); ++static int set_quality (char *); ++static int set_cracklib (char *); ++ ++int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); ++ ++struct config_entry { ++ char* key; ++ char* value; ++ char* def_value; ++} config_entries[] = { { "minPoints", NULL, "3"}, ++ { "useCracklib", NULL, "1"}, ++ { "minUpper", NULL, "0"}, ++ { "minLower", NULL, "0"}, ++ { "minDigit", NULL, "0"}, ++ { "minPunct", NULL, "0"}, ++ { NULL, NULL, NULL }}; ++ 
++int get_config_entry_int(char* entry) { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ char* key = centry[i].key; ++ while (key != NULL) { ++ if ( strncmp(key, entry, strlen(key)) == 0 ) { ++ if ( centry[i].value == NULL ) { ++ return atoi(centry[i].def_value); ++ } ++ else { ++ return atoi(centry[i].value); ++ } ++ } ++ i++; ++ key = centry[i].key; ++ } ++ ++ return -1; ++} ++ ++void dealloc_config_entries() { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ while (centry[i].key != NULL) { ++ if ( centry[i].value != NULL ) { ++ ber_memfree(centry[i].value); ++ } ++ i++; ++ } ++} ++ ++char* chomp(char *s) ++{ ++ char* t = ber_memalloc(strlen(s)+1); ++ strncpy (t,s,strlen(s)+1); ++ ++ if ( t[strlen(t)-1] == '\n' ) { ++ t[strlen(t)-1] = '\0'; ++ } ++ ++ return t; ++} ++ ++static int set_quality (char *value) ++{ ++#if defined(DEBUG) ++ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value); ++#endif ++ ++ /* No need to require more quality than we can check for. 
*/ ++ if (!isdigit(*value) || (int) (value[0] - '0') > 4) return DEFAULT_QUALITY; ++ return (int) (value[0] - '0'); ++ ++} ++ ++static int set_cracklib (char *value) ++{ ++#if defined(DEBUG) ++ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value); ++#endif ++ ++ ++ return (int) (value[0] - '0'); ++ ++} ++ ++static int set_digit (char *value) ++{ ++#if defined(DEBUG) ++ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value); ++#endif ++ if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0; ++ return (int) (value[0] - '0'); ++} ++ ++static validator valid_word (char *word) ++{ ++ struct { ++ char * parameter; ++ validator dealer; ++ } list[] = { { "minPoints", set_quality }, ++ { "useCracklib", set_cracklib }, ++ { "minUpper", set_digit }, ++ { "minLower", set_digit }, ++ { "minDigit", set_digit }, ++ { "minPunct", set_digit }, ++ { NULL, NULL } }; ++ int index = 0; ++ ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word); ++#endif ++ ++ while (list[index].parameter != NULL) { ++ if (strlen(word) == strlen(list[index].parameter) && ++ strcmp(list[index].parameter, word) == 0) { ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Parameter accepted."); ++#endif ++ return list[index].dealer; ++ } ++ index++; ++ } ++ ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Parameter rejected."); ++#endif ++ ++ return NULL; ++} ++ ++static int read_config_file () ++{ ++ FILE * config; ++ char * line; ++ int returnValue = -1; ++ ++ line = ber_memcalloc(260, sizeof(char)); ++ ++ if ( line == NULL ) { ++ return returnValue; ++ } ++ ++ if ( (config = fopen(CONFIG_FILE, "r")) == NULL) { ++#if defined(DEBUG) ++ syslog(LOG_ERR, "check_password: Opening file %s failed", CONFIG_FILE); ++#endif ++ ++ ber_memfree(line); ++ return returnValue; ++ } ++ ++ returnValue = 0; ++ ++ while (fgets(line, 256, config) != NULL) { ++ char *start = line; ++ char *word, *value; ++ validator dealer; ++ ++#if 
defined(DEBUG) ++ /* Debug traces to syslog. */ ++ syslog(LOG_DEBUG, "check_password: Got line |%s|", line); ++#endif ++ ++ while (isspace(*start) && isascii(*start)) start++; ++ ++ /* If we've got punctuation, just skip the line. */ ++ if ( ispunct(*start)) { ++#if defined(DEBUG) ++ /* Debug traces to syslog. */ ++ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line); ++#endif ++ continue; ++ } ++ ++ if( isascii(*start)) { ++ ++ struct config_entry* centry = config_entries; ++ int i = 0; ++ char* keyWord = centry[i].key; ++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { ++ while ( keyWord != NULL ) { ++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { ++ ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value); ++#endif ++ ++ centry[i].value = chomp(value); ++ break; ++ } ++ i++; ++ keyWord = centry[i].key; ++ } ++ } ++ } ++ } ++ fclose(config); ++ ber_memfree(line); ++ ++ return returnValue; ++} ++ ++static int realloc_error_message (char ** target, int curlen, int nextlen) ++{ ++ if (curlen < nextlen + MEMORY_MARGIN) { ++#if defined(DEBUG) ++ syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", ++ curlen, nextlen + MEMORY_MARGIN); ++#endif ++ ber_memfree(*target); ++ curlen = nextlen + MEMORY_MARGIN; ++ *target = (char *) ber_memalloc(curlen); ++ } ++ ++ return curlen; ++} ++ ++int ++check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) ++{ ++ ++ char *szErrStr = (char *) ber_memalloc(MEM_INIT_SZ); ++ int mem_len = MEM_INIT_SZ; ++ ++ int nLen; ++ int nLower = 0; ++ int nUpper = 0; ++ int nDigit = 0; ++ int nPunct = 0; ++ int minLower = 0; ++ int minUpper = 0; ++ int minDigit = 0; ++ int minPunct = 0; ++ int nQuality = 0; ++ int i; ++ ++ /* Set a sensible default to keep original behaviour. 
*/ ++ int minQuality = DEFAULT_QUALITY; ++ int useCracklib = DEFAULT_CRACKLIB; ++ ++ /** bail out early as cracklib will reject passwords shorter ++ * than 6 characters ++ */ ++ ++ nLen = strlen (pPasswd); ++ if ( nLen < 6) { ++ mem_len = realloc_error_message(&szErrStr, mem_len, ++ strlen(PASSWORD_TOO_SHORT_SZ) + ++ strlen(pEntry->e_name.bv_val) + 1); ++ sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); ++ goto fail; ++ } ++ ++ if (read_config_file() == -1) { ++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE); ++ } ++ ++ minQuality = get_config_entry_int("minPoints"); ++ useCracklib = get_config_entry_int("useCracklib"); ++ minUpper = get_config_entry_int("minUpper"); ++ minLower = get_config_entry_int("minLower"); ++ minDigit = get_config_entry_int("minDigit"); ++ minPunct = get_config_entry_int("minPunct"); ++ ++ /** The password must have at least minQuality strength points with one ++ * point for the first occurrance of a lower, upper, digit and ++ * punctuation character ++ */ ++ ++ for ( i = 0; i < nLen; i++ ) { ++ ++ if ( islower (pPasswd[i]) ) { ++ minLower--; ++ if ( !nLower && (minLower < 1)) { ++ nLower = 1; nQuality++; ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality); ++#endif ++ } ++ continue; ++ } ++ ++ if ( isupper (pPasswd[i]) ) { ++ minUpper--; ++ if ( !nUpper && (minUpper < 1)) { ++ nUpper = 1; nQuality++; ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality); ++#endif ++ } ++ continue; ++ } ++ ++ if ( isdigit (pPasswd[i]) ) { ++ minDigit--; ++ if ( !nDigit && (minDigit < 1)) { ++ nDigit = 1; nQuality++; ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality); ++#endif ++ } ++ continue; ++ } ++ ++ if ( ispunct (pPasswd[i]) ) { ++ minPunct--; ++ if ( !nPunct && (minPunct < 1)) { ++ nPunct = 1; 
nQuality++; ++#if defined(DEBUG) ++ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality); ++#endif ++ } ++ continue; ++ } ++ } ++ ++ /* ++ * If you have a required field, then it should be required in the strength ++ * checks. ++ */ ++ ++ if ( ++ (minLower > 0 ) || ++ (minUpper > 0 ) || ++ (minDigit > 0 ) || ++ (minPunct > 0 ) || ++ (nQuality < minQuality) ++ ) { ++ mem_len = realloc_error_message(&szErrStr, mem_len, ++ strlen(PASSWORD_QUALITY_SZ) + ++ strlen(pEntry->e_name.bv_val) + 2); ++ sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, ++ nQuality, minQuality); ++ goto fail; ++ } ++ ++#ifdef HAVE_CRACKLIB ++ ++ /** Check password with cracklib */ ++ ++ if ( useCracklib > 0 ) { ++ int j = 0; ++ FILE* fp; ++ char filename[FILENAME_MAXLEN]; ++ char const* ext[] = { "hwm", "pwd", "pwi" }; ++ int nErr = 0; ++ ++ /** ++ * Silently fail when cracklib wordlist is not found ++ */ ++ ++ for ( j = 0; j < 3; j++ ) { ++ ++ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ ++ CRACKLIB_DICTPATH, ext[j]); ++ ++ if (( fp = fopen ( filename, "r")) == NULL ) { ++ ++ nErr = 1; ++ break; ++ ++ } else { ++ ++ fclose (fp); ++ ++ } ++ } ++ ++ char *r; ++ if ( nErr == 0) { ++ ++ r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); ++ if ( r != NULL ) { ++ mem_len = realloc_error_message(&szErrStr, mem_len, ++ strlen(BAD_PASSWORD_SZ) + ++ strlen(pEntry->e_name.bv_val) + ++ strlen(r)); ++ sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); ++ goto fail; ++ } ++ } ++ } ++ ++ else { ++#if defined(DEBUG) ++ syslog(LOG_NOTICE, "check_password: Cracklib verification disabled by configuration"); ++#endif ++ } ++ ++#endif ++ dealloc_config_entries(); ++ *ppErrStr = strdup (""); ++ ber_memfree(szErrStr); ++ return (LDAP_SUCCESS); ++ ++fail: ++ dealloc_config_entries(); ++ *ppErrStr = strdup (szErrStr); ++ ber_memfree(szErrStr); ++ return (EXIT_FAILURE); ++ ++} +-- +2.17.1 + 
diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/check-password-loglevels.patch b/recipes-support/openldap/files/centos_patches_notported_yet/check-password-loglevels.patch
deleted file mode 100644
index e8ddea7..0000000
--- a/recipes-support/openldap/files/centos_patches_notported_yet/check-password-loglevels.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -Correct log levels in check_password module. - -Author: Matus Honek -Resolves: #1356158 - -diff --git a/check_password.c b/check_password.c ---- a/check_password.c -+++ b/check_password.c -@@ -108,7 +108,7 @@ char* chomp(char *s) - static int set_quality (char *value) - { - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value); -+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value); - #endif - - /* No need to require more quality than we can check for. */ -@@ -120,7 +120,7 @@ static int set_quality (char *value) - static int set_cracklib (char *value) - { - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value); -+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value); - #endif - - -@@ -131,7 +131,7 @@ static int set_cracklib (char *value) - static int set_digit (char *value) - { - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value); -+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value); - #endif - if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0; - return (int) (value[0] - '0'); -@@ -152,14 +152,14 @@ static validator valid_word (char *word) - int index = 0; - - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word); -+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word); - #endif - - while (list[index].parameter != NULL) { - if (strlen(word) == strlen(list[index].parameter) && - strcmp(list[index].parameter, word) == 0) { - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Parameter accepted."); -+ syslog(LOG_DEBUG, "check_password: Parameter accepted."); - #endif - return list[index].dealer; - } -@@ -167,7 +167,7 @@ static validator valid_word (char *word) - } - - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Parameter rejected."); -+ syslog(LOG_DEBUG, "check_password: Parameter 
rejected."); - #endif - - return NULL; -@@ -203,7 +203,7 @@ static int read_config_file () - - #if defined(DEBUG) - /* Debug traces to syslog. */ -- syslog(LOG_NOTICE, "check_password: Got line |%s|", line); -+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line); - #endif - - while (isspace(*start) && isascii(*start)) start++; -@@ -212,7 +212,7 @@ static int read_config_file () - if ( ispunct(*start)) { - #if defined(DEBUG) - /* Debug traces to syslog. */ -- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); -+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line); - #endif - continue; - } -@@ -227,7 +227,7 @@ static int read_config_file () - if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { - - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); -+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value); - #endif - - centry[i].value = chomp(value); -@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - if ( !nLower && (minLower < 1)) { - nLower = 1; nQuality++; - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality); -+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality); - #endif - } - continue; -@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - if ( !nUpper && (minUpper < 1)) { - nUpper = 1; nQuality++; - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality); -+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality); - #endif - } - continue; -@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - if ( !nDigit && (minDigit < 1)) { - nDigit = 1; nQuality++; - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality); -+ 
syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality); - #endif - } - continue; -@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - if ( !nPunct && (minPunct < 1)) { - nPunct = 1; nQuality++; - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality); -+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality); - #endif - } - continue; diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/check-password-makefile.patch b/recipes-support/openldap/files/centos_patches_notported_yet/check-password-makefile.patch deleted file mode 100644 index f39ba81..0000000 --- a/recipes-support/openldap/files/centos_patches_notported_yet/check-password-makefile.patch +++ /dev/null 
@@ -1,41 +0,0 @@ ---- a/Makefile 2009-10-31 18:59:06.000000000 +0100 -+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 -@@ -13,22 +13,11 @@ - # - CONFIG=/etc/openldap/check_password.conf - --OPT=-g -O2 -Wall -fpic \ -- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ -- -DCONFIG_FILE="\"$(CONFIG)\"" \ -+CFLAGS+=-fpic \ -+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ -+ -DCONFIG_FILE="\"$(CONFIG)\"" \ - -DDEBUG - --# Where to find the OpenLDAP headers. --# --LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ -- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd -- --# Where to find the CrackLib headers. --# --CRACK_INC= -- --INCS=$(LDAP_INC) $(CRACK_INC) -- - LDAP_LIB=-lldap_r -llber - - # Comment out this line if you do NOT want to use the cracklib. -@@ -45,10 +34,10 @@ - all: check_password - - check_password.o: -- $(CC) $(OPT) -c $(INCS) check_password.c -+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c - - check_password: clean check_password.o -- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) -+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) - - install: check_password - cp -f check_password.so ../../../usr/lib/openldap/modules/ diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/check-password.patch b/recipes-support/openldap/files/centos_patches_notported_yet/check-password.patch deleted file mode 100644 index 7a79e95..0000000 --- a/recipes-support/openldap/files/centos_patches_notported_yet/check-password.patch +++ /dev/null 
@@ -1,321 +0,0 @@ ---- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 -+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 -@@ -10,7 +10,7 @@ - #include - - #ifdef HAVE_CRACKLIB --#include "crack.h" -+#include - #endif - - #if defined(DEBUG) -@@ -34,18 +34,77 @@ - #define PASSWORD_TOO_SHORT_SZ \ - "Password for dn=\"%s\" is too short (%d/6)" - #define PASSWORD_QUALITY_SZ \ -- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" -+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" - #define BAD_PASSWORD_SZ \ - "Bad password for dn=\"%s\" because %s" -+#define UNKNOWN_ERROR_SZ \ -+ "An unknown error occurred, please see your systems administrator" - - typedef int (*validator) (char*); --static int read_config_file (char *); -+static int read_config_file (); - static validator valid_word (char *); - static int set_quality (char *); - static int set_cracklib (char *); - - int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); - -+struct config_entry { -+ char* key; -+ char* value; -+ char* def_value; -+} config_entries[] = { { "minPoints", NULL, "3"}, -+ { "useCracklib", NULL, "1"}, -+ { "minUpper", NULL, "0"}, -+ { "minLower", NULL, "0"}, -+ { "minDigit", NULL, "0"}, -+ { "minPunct", NULL, "0"}, -+ { NULL, NULL, NULL }}; -+ -+int get_config_entry_int(char* entry) { -+ struct config_entry* centry = config_entries; -+ -+ int i = 0; -+ char* key = centry[i].key; -+ while (key != NULL) { -+ if ( strncmp(key, entry, strlen(key)) == 0 ) { -+ if ( centry[i].value == NULL ) { -+ return atoi(centry[i].def_value); -+ } -+ else { -+ return atoi(centry[i].value); -+ } -+ } -+ i++; -+ key = centry[i].key; -+ } -+ -+ return -1; -+} -+ -+void dealloc_config_entries() { -+ struct config_entry* centry = config_entries; -+ -+ int i = 0; -+ while (centry[i].key != NULL) { -+ if ( centry[i].value != NULL ) { -+ ber_memfree(centry[i].value); -+ } -+ i++; -+ } -+} 
-+ -+char* chomp(char *s) -+{ -+ char* t = ber_memalloc(strlen(s)+1); -+ strncpy (t,s,strlen(s)+1); -+ -+ if ( t[strlen(t)-1] == '\n' ) { -+ t[strlen(t)-1] = '\0'; -+ } -+ -+ return t; -+} -+ - static int set_quality (char *value) - { - #if defined(DEBUG) -@@ -84,12 +143,12 @@ - char * parameter; - validator dealer; - } list[] = { { "minPoints", set_quality }, -- { "useCracklib", set_cracklib }, -- { "minUpper", set_digit }, -- { "minLower", set_digit }, -- { "minDigit", set_digit }, -- { "minPunct", set_digit }, -- { NULL, NULL } }; -+ { "useCracklib", set_cracklib }, -+ { "minUpper", set_digit }, -+ { "minLower", set_digit }, -+ { "minDigit", set_digit }, -+ { "minPunct", set_digit }, -+ { NULL, NULL } }; - int index = 0; - - #if defined(DEBUG) -@@ -98,7 +157,7 @@ - - while (list[index].parameter != NULL) { - if (strlen(word) == strlen(list[index].parameter) && -- strcmp(list[index].parameter, word) == 0) { -+ strcmp(list[index].parameter, word) == 0) { - #if defined(DEBUG) - syslog(LOG_NOTICE, "check_password: Parameter accepted."); - #endif -@@ -114,13 +173,15 @@ - return NULL; - } - --static int read_config_file (char *keyWord) -+static int read_config_file () - { - FILE * config; - char * line; - int returnValue = -1; - -- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { -+ line = ber_memcalloc(260, sizeof(char)); -+ -+ if ( line == NULL ) { - return returnValue; - } - -@@ -133,6 +194,8 @@ - return returnValue; - } - -+ returnValue = 0; -+ - while (fgets(line, 256, config) != NULL) { - char *start = line; - char *word, *value; -@@ -145,23 +208,40 @@ - - while (isspace(*start) && isascii(*start)) start++; - -- if (! isascii(*start)) -+ /* If we've got punctuation, just skip the line. */ -+ if ( ispunct(*start)) { -+#if defined(DEBUG) -+ /* Debug traces to syslog. 
*/ -+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); -+#endif - continue; -+ } - -- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { -- if ((value = strtok(NULL, " \t")) == NULL) -- continue; -+ if( isascii(*start)) { -+ -+ struct config_entry* centry = config_entries; -+ int i = 0; -+ char* keyWord = centry[i].key; -+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { -+ while ( keyWord != NULL ) { -+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { - - #if defined(DEBUG) -- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); -+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); - #endif - -- returnValue = (*dealer)(value); -+ centry[i].value = chomp(value); -+ break; -+ } -+ i++; -+ keyWord = centry[i].key; -+ } -+ } - } - } -- - fclose(config); - ber_memfree(line); -+ - return returnValue; - } - -@@ -170,7 +250,7 @@ - if (curlen < nextlen + MEMORY_MARGIN) { - #if defined(DEBUG) - syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", -- curlen, nextlen + MEMORY_MARGIN); -+ curlen, nextlen + MEMORY_MARGIN); - #endif - ber_memfree(*target); - curlen = nextlen + MEMORY_MARGIN; -@@ -180,7 +260,7 @@ - return curlen; - } - -- int -+int - check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) - { - -@@ -210,20 +290,22 @@ - nLen = strlen (pPasswd); - if ( nLen < 6) { - mem_len = realloc_error_message(&szErrStr, mem_len, -- strlen(PASSWORD_TOO_SHORT_SZ) + -- strlen(pEntry->e_name.bv_val) + 1); -+ strlen(PASSWORD_TOO_SHORT_SZ) + -+ strlen(pEntry->e_name.bv_val) + 1); - sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); - goto fail; - } - -- /* Read config file */ -- minQuality = read_config_file("minPoints"); -+ if (read_config_file() == -1) { -+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. 
Using defaults.", CONFIG_FILE); -+ } - -- useCracklib = read_config_file("useCracklib"); -- minUpper = read_config_file("minUpper"); -- minLower = read_config_file("minLower"); -- minDigit = read_config_file("minDigit"); -- minPunct = read_config_file("minPunct"); -+ minQuality = get_config_entry_int("minPoints"); -+ useCracklib = get_config_entry_int("useCracklib"); -+ minUpper = get_config_entry_int("minUpper"); -+ minLower = get_config_entry_int("minLower"); -+ minDigit = get_config_entry_int("minDigit"); -+ minPunct = get_config_entry_int("minPunct"); - - /** The password must have at least minQuality strength points with one - * point for the first occurrance of a lower, upper, digit and -@@ -232,8 +314,6 @@ - - for ( i = 0; i < nLen; i++ ) { - -- if ( nQuality >= minQuality ) break; -- - if ( islower (pPasswd[i]) ) { - minLower--; - if ( !nLower && (minLower < 1)) { -@@ -279,12 +359,23 @@ - } - } - -- if ( nQuality < minQuality ) { -+ /* -+ * If you have a required field, then it should be required in the strength -+ * checks. 
-+ */ -+ -+ if ( -+ (minLower > 0 ) || -+ (minUpper > 0 ) || -+ (minDigit > 0 ) || -+ (minPunct > 0 ) || -+ (nQuality < minQuality) -+ ) { - mem_len = realloc_error_message(&szErrStr, mem_len, -- strlen(PASSWORD_QUALITY_SZ) + -- strlen(pEntry->e_name.bv_val) + 2); -+ strlen(PASSWORD_QUALITY_SZ) + -+ strlen(pEntry->e_name.bv_val) + 2); - sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, -- nQuality, minQuality); -+ nQuality, minQuality); - goto fail; - } - -@@ -306,7 +397,7 @@ - for ( j = 0; j < 3; j++ ) { - - snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ -- CRACKLIB_DICTPATH, ext[j]); -+ CRACKLIB_DICTPATH, ext[j]); - - if (( fp = fopen ( filename, "r")) == NULL ) { - -@@ -326,9 +417,9 @@ - r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); - if ( r != NULL ) { - mem_len = realloc_error_message(&szErrStr, mem_len, -- strlen(BAD_PASSWORD_SZ) + -- strlen(pEntry->e_name.bv_val) + -- strlen(r)); -+ strlen(BAD_PASSWORD_SZ) + -+ strlen(pEntry->e_name.bv_val) + -+ strlen(r)); - sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); - goto fail; - } -@@ -342,15 +433,15 @@ - } - - #endif -- -+ dealloc_config_entries(); - *ppErrStr = strdup (""); - ber_memfree(szErrStr); - return (LDAP_SUCCESS); - - fail: -+ dealloc_config_entries(); - *ppErrStr = strdup (szErrStr); - ber_memfree(szErrStr); - return (EXIT_FAILURE); - - } -- diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-its7506-fix-DH-params-1.patch b/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-its7506-fix-DH-params-1.patch deleted file mode 100644 index 5e105e2..0000000 --- a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-its7506-fix-DH-params-1.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 -Author: Ben Jencks -Date: Sun Jan 27 18:27:03 2013 -0500 - - ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. - - If a DHParamFile or olcDHParamFile is specified, then it will be used, - otherwise a hardcoded 1024 bit parameter will be used. This allows the use of - larger parameters; previously only 512 or 1024 bit parameters would ever be - used. - -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index 48ce1ceab..c6a3540c9 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -59,15 +59,13 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); - static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); - static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); - --static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); -- --typedef struct dhplist { -- struct dhplist *next; -- int keylength; -- DH *param; --} dhplist; -- --static dhplist *tlso_dhparams; -+/* From the OpenSSL 0.9.7 distro */ -+static const char tlso_dhpem1024[] = -+"-----BEGIN DH PARAMETERS-----\n\ -+MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ -+/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ -+/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ -+-----END DH PARAMETERS-----\n"; - - static int tlso_seed_PRNG( const char *randfile ); - -@@ -76,7 +74,6 @@ static int tlso_seed_PRNG( const char *randfile ); - * provide mutexes for the OpenSSL library. 
- */ - static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; --static ldap_pvt_thread_mutex_t tlso_dh_mutex; - - static void tlso_locking_cb( int mode, int type, const char *file, int line ) - { -@@ -107,7 +104,6 @@ static void tlso_thr_init( void ) - for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { - ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); - } -- ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); - CRYPTO_set_locking_callback( tlso_locking_cb ); - CRYPTO_set_id_callback( tlso_thread_self ); - } -@@ -308,28 +304,32 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) - return -1; - } - -- if ( lo->ldo_tls_dhfile ) { -+ if (is_server) { - DH *dh = NULL; - BIO *bio; -- dhplist *p; -+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); -+ if ( lo->ldo_tls_dhfile ) { - -- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { -+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not use DH parameters file `%s'.\n", -+ lo->ldo_tls_dhfile,0,0); -+ tlso_report_error(); -+ return -1; -+ } -+ } else { -+ bio = BIO_new_mem_buf( tlso_dhpem1024, -1 ); -+ } -+ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { - Debug( LDAP_DEBUG_ANY, -- "TLS: could not use DH parameters file `%s'.\n", -+ "TLS: could not read DH parameters file `%s'.\n", - lo->ldo_tls_dhfile,0,0); - tlso_report_error(); -+ BIO_free( bio ); - return -1; - } -- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { -- p = LDAP_MALLOC( sizeof(dhplist) ); -- if ( p != NULL ) { -- p->keylength = DH_size( dh ) * 8; -- p->param = dh; -- p->next = tlso_dhparams; -- tlso_dhparams = p; -- } -- } - BIO_free( bio ); -+ SSL_CTX_set_tmp_dh( ctx, dh ); - } - - if ( tlso_opt_trace ) { -@@ -349,9 +349,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) - lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? 
- tlso_verify_ok : tlso_verify_cb ); - SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); -- if ( lo->ldo_tls_dhfile ) { -- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); -- } - #ifdef HAVE_OPENSSL_CRL - if ( lo->ldo_tls_crlcheck ) { - X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); -@@ -1160,108 +1157,6 @@ tlso_seed_PRNG( const char *randfile ) - return 0; - } - --struct dhinfo { -- int keylength; -- const char *pem; -- size_t size; --}; -- -- --/* From the OpenSSL 0.9.7 distro */ --static const char tlso_dhpem512[] = --"-----BEGIN DH PARAMETERS-----\n\ --MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ --a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ -------END DH PARAMETERS-----\n"; -- --static const char tlso_dhpem1024[] = --"-----BEGIN DH PARAMETERS-----\n\ --MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ --/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ --/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ -------END DH PARAMETERS-----\n"; -- --static const char tlso_dhpem2048[] = --"-----BEGIN DH PARAMETERS-----\n\ --MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ --AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ --z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ --pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ --aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ --Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ -------END DH PARAMETERS-----\n"; -- --static const char tlso_dhpem4096[] = --"-----BEGIN DH PARAMETERS-----\n\ --MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ --vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ --TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ --bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ --rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ 
--EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ --bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ --W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ --ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ --NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ --jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ -------END DH PARAMETERS-----\n"; -- --static const struct dhinfo tlso_dhpem[] = { -- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, -- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, -- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, -- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, -- { 0, NULL, 0 } --}; -- --static DH * --tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) --{ -- struct dhplist *p = NULL; -- BIO *b = NULL; -- DH *dh = NULL; -- int i; -- -- /* Do we have params of this length already? */ -- LDAP_MUTEX_LOCK( &tlso_dh_mutex ); -- for ( p = tlso_dhparams; p; p=p->next ) { -- if ( p->keylength == key_length ) { -- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); -- return p->param; -- } -- } -- -- /* No - check for hardcoded params */ -- -- for (i=0; tlso_dhpem[i].keylength; i++) { -- if ( tlso_dhpem[i].keylength == key_length ) { -- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); -- break; -- } -- } -- -- if ( b ) { -- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); -- BIO_free( b ); -- } -- -- /* Generating on the fly is expensive/slow... */ -- if ( !dh ) { -- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); -- } -- if ( dh ) { -- p = LDAP_MALLOC( sizeof(struct dhplist) ); -- if ( p != NULL ) { -- p->keylength = key_length; -- p->param = dh; -- p->next = tlso_dhparams; -- tlso_dhparams = p; -- } -- } -- -- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); -- return dh; --} - - tls_impl ldap_int_tls_impl = { - "OpenSSL", 
diff --git a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-its7506-fix-DH-params-2.patch b/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-its7506-fix-DH-params-2.patch
deleted file mode 100644
index 799c6e5..0000000
--- a/recipes-support/openldap/files/centos_patches_notported_yet/openldap-openssl-its7506-fix-DH-params-2.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-commit eacd5798a5d83e6658a823c01bcb0f600e3b9898
-Author: Howard Chu
-Date: Sat Sep 7 06:39:53 2013 -0700
-
- ITS#7506 fix prev commit
-
- The patch unconditionally enabled DHparams, which is a significant
- change of behavior. Reverting to previous behavior, which only enables
- DH use if a DHparam file was configured.
-
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index c6a3540c9..a2d9cd31f 100644
---- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -59,14 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
- static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
- static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
- 
--/* From the OpenSSL 0.9.7 distro */
--static const char tlso_dhpem1024[] =
--"-----BEGIN DH PARAMETERS-----\n\
--MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
--/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
--/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
-------END DH PARAMETERS-----\n";
--
- static int tlso_seed_PRNG( const char *randfile );
- 
- #ifdef LDAP_R_COMPILE
-@@ -304,21 +296,17 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- return -1;
- }
- 
-- if (is_server) {
-+ if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
- BIO *bio;
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
-- if ( lo->ldo_tls_dhfile ) {
- 
-- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
-- Debug( LDAP_DEBUG_ANY,
-- "TLS: could not use DH parameters file `%s'.\n",
-- lo->ldo_tls_dhfile,0,0);
-- tlso_report_error();
-- return -1;
-- }
-- } else {
-- bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
-+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: could not use DH parameters file `%s'.\n",
-+ lo->ldo_tls_dhfile,0,0);
-+ tlso_report_error();
-+ return -1;
- }
- if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
- Debug( LDAP_DEBUG_ANY,
diff --git a/recipes-support/openldap/files/sources/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz b/recipes-support/openldap/files/sources/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
deleted file mode 100644
index 83544f5..0000000
Binary files a/recipes-support/openldap/files/sources/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz and /dev/null differ
diff --git a/recipes-support/openldap/openldap_%.bbappend b/recipes-support/openldap/openldap_%.bbappend
index 6ae81a9..42f60b6 100644
--- a/recipes-support/openldap/openldap_%.bbappend
+++ b/recipes-support/openldap/openldap_%.bbappend
@@ -27,7 +27,10 @@ SRC_URI += " \
 file://0016-openldap-man-ldap-conf.patch \
 file://0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch \
 file://0018-openldap-tlsmc.patch \
- file://0019-openldap-fedora-systemd.patch \
+ file://0019-openldap-openssl-ITS7596-Add-EC-support.patch \
+ file://0020-openldap-openssl-ITS7596-Add-EC-support-patch-2.patch \
+ file://0021-openldap-and-stx-source-and-config-files.patch \
+ file://0022-ltb-project-openldap-ppolicy-check-password-1.1.patch \
 "
 
 inherit pkgconfig
@@ -41,6 +44,8 @@ DEPENDS += " \
 libtirpc \
 "
 
+RDEPENDS_${PN}_append = " bash"
+
 # Defaults:
 # --enable-bdb=no
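Review bot: The `0019` sequence number is reused for an unrelated patch in the SRC_URI hunk: `0019-openldap-fedora-systemd.patch` is dropped and `0019-openldap-openssl-ITS7596-Add-EC-support.patch` takes its slot, so the series history reads as a rename of the systemd patch rather than its removal. Retiring `0019` and numbering the new EC-support patch `0023` keeps the ordering stable, and a comment above the block should say why the Fedora systemd patch is no longer needed — presumably the `slapd.service` unit installed by the new `do_install_append` later in this file supersedes it, but the diff does not say. A one-line pointer to the upstream OpenLDAP ITS the two EC-support patches were taken from, e.g. `# 0019/0020: backport of upstream ITS#<number> (EC support in tls_o.c)`, would let the backport be re-verified against a later release.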
@@ -94,12 +99,47 @@ do_configure_append () {
 ln -f -s ${S}/contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} servers/slapd/overlays
 }
 
+ # If liblmdb is needed, then patch the Makefile
 #do_compile_append () {
-# cd ${S}/libraries/liblmdb
+# cd ${S}/ltb-project-openldap-ppolicy-check-password-1.1
 # oe_runmake
 #}
 
-FILES_${PN}_append = " ${libexecdir}/openldap/*"
+do_install_append () {
+
+ # For this we need to build ltb-project-openldap
+ #install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
+ cd ${S}/stx-sources
+ install -m 0755 -d ${D}/var/run/openldap
+ install -m 0755 -d ${D}/${sysconfdir}/tmpfiles.d
+ install -m 0755 ${S}/stx-sources/slapd.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/slapd.conf
+ install -m 0755 ${S}/stx-sources/openldap.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/openldap.conf
+ install -m 0755 ${S}/stx-sources/ldap.conf ${D}/${sysconfdir}/tmpfiles.d/ldap.conf
+ install -m 0644 libexec-functions ${D}/${libexecdir}/openldap/functions
+ install -m 0755 libexec-convert-config.sh ${D}/${libexecdir}/openldap/convert-config.sh
+ install -m 0755 libexec-check-config.sh ${D}/${libexecdir}/openldap/check-config.sh
+ install -m 0755 libexec-upgrade-db.sh ${D}/${libexecdir}/openldap/upgrade-db.sh
+
+ install -m 0755 libexec-create-certdb.sh ${D}/${libexecdir}/openldap/create-certdb.sh
+ install -m 0755 libexec-generate-server-cert.sh ${D}/${libexecdir}/openldap/generate-server-cert.sh
+ install -m 0755 libexec-update-ppolicy-schema.sh ${D}/${libexecdir}/openldap/update-ppolicy-schema.sh
+
+ install -m 0644 slapd.service ${D}/${systemd_unitdir}/stx-slapd.service
+ install -m 0755 -d ${D}/${sysconfdir}/sysconfig
+ install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd.sysconfig
+ install -m 0755 -d ${D}/${datadir}/openldap-servers
+ install -m 0644 slapd.ldif ${D}/${datadir}/openldap-servers/slapd.ldif
+ install -m 0750 -d ${D}/${sysconfdir}/openldap/slapd.d
+}
+
+FILES_${PN}_append = " \
+ ${datadir}/openldap-servers/ \
+ ${libexecdir}/openldap/ \
+ /run/openldap \
+ ${sysconfdir}/sysconfig \
+ ${sysconfdir}/tmpfiles.d \
+ ${systemd_unitdir}/stx-slapd.service \
+ "