openldap port from stx to yocto
Not complete yet: ltb-project-openldap-ppolicy is still missing.
parent
cf25d967b7
commit
6fe3bd37d9
95
issues/openldap.patches
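--- /dev/null
+++ b/issues/openldap.patches
@@ -0,0 +1,95 @@
+
+Patch50: openldap-openssl-its7506-fix-DH-params-1.patch << openldap commit: 6f120920d359d3b880c5c56bde4c1b91c3bedb01
+Patch51: openldap-openssl-its7506-fix-DH-params-2.patch << openldap commit: cfeb28412c28ce9feeea6e6c055286f201bd0a34
+Patch52: openldap-openssl-ITS7595-Add-EC-support-1.patch
+Patch53: openldap-openssl-ITS7595-Add-EC-support-2.patch
+
+CentOS openldap commit level: d690e90fec0ecba6e9eb47bfc7ef8e311dce9eac tag: OPENLDAP_REL_ENG_2_4_44
+Poky openldap commit level: 1c9416493bd219b08d839cd9e93fc64daa89b752 tag: OPENLDAP_REL_ENG_2_4_46
+
+Whatchanged OPENLDAP_REL_ENG_2_4_44 OPENLDAP_REL_ENG_2_4_46:
+commit eebf662409f646646fe2364c26f095d7c242ed2e
+commit e2c6bec025ef6e38bb95e4b173d4c896de74152e
+commit d8ccf649bcb17cb97541154f27a5673c13254d11
+commit 9db93a138932ddbe68f2a4215d136383d4f3dc46
+commit 556a832c4a7ed54d94d0ec204baba5865a36732a
+commit 8144463186ddc6c7b1b2509244c0a2e4eba50539
+commit ebf74c7bb1c079a640074a8685583a7ee0cb5d39
+commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
+commit 47f8b3c425c5e1fe4097f0685bbe9aefe56ba911
+commit 691dab11a0d6334c401bac59f476a382303c7a24
+commit 38d0a8bbdebdf1af212c36008f7d7c2de2a28af4
+commit 051f14f6d6809ff6074fd22e461bed71e160da92
+commit d8c9c414ac6992f38378a95fbb510bfde93c1c0d
+commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 << openldap-openssl-its7506-fix-DH-params-2.patch
+commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 << openldap-openssl-its7506-fix-DH-params-1.patch
+commit 9b5972dc9e14e1f7a7bef755bfd0dc61bcf1ffb3
+commit b60820ee696c09bad18fd04fdd982df7af15c6c3
+commit 35e549b49b1f58ec494bc05cc2718f82d20c30c6
+commit 3370868748d330f896645965145ad77720c3aba6
+commit 9cdb7b18a929d546a7681d3ac0f830821069c5a5
+commit b46547ada17b4585cc5c40150933be325bb1e9ac
+commit 1f723195873454ac2d46592deb5d2f7c6885993a
+commit 42c1ff8a28d35482e9c34d063b4bd5d441bb364a
+commit 769083f84816a380a4ae9bb48ab55631ff596751
+commit 7761c923bab53870802c287611b17bb906ce3a0b
+commit 6d0f6f414f90c67db850751915a6640668d6cd44
+commit 1adee08e8912c1f47c7b170fe62bebdd9797921f
+commit 158a47cbe467a6c50c6a6e85247959f20e51c1d4
+commit 6c9b08ce2679fccb224dd02afd9221ed28623f9b
+commit 77caf6040f1f5770460ddb56c2a304a0d0b8cbe8
+commit 3a2e98e91c3a8f93e5b37cb7e5a76708194cff77
+commit 49f2e6a5f703f874852fe60a1c5faaf362df4bdc
+commit 1cee5dcd12701a972feb1dd974f3f393a97c6dca
+commit 39ddec3a9cfa04f7f466a7ebbd8569e498a63a64
+commit 988f1bbdc7590fc01c149a36eeb88a0cffd4c4bc
+commit 2147c854efe9fac300ab7095df8dfc6c943d3b15
+commit 4b7eb173e7953d9e5ecce80fc08709bcdd67d179
+
+Cherry picked into CentOS: Adds Elliptic Curve support for Openssl and 2 dont use EC if openssl lacks it
+commit e631ce808ed56119e61321463d06db7999ba5a08 << openldap-openssl-ITS7595-Add-EC-support-1.patch
+commit 721e46fe6695077d63a3df6ea2e397920a72308d << openldap-openssl-ITS7595-Add-EC-support-2.patch
+
+Poky:
+
+commit eebf662409f646646fe2364c26f095d7c242ed2e << openldap repo: Cleanup
+commit e2c6bec025ef6e38bb95e4b173d4c896de74152e << openldap repo: Cleanup
+commit d8ccf649bcb17cb97541154f27a5673c13254d11 << openldap repo: ITS#8791 OpenSSL 1.1.1 BIOP_method
+commit 9db93a138932ddbe68f2a4215d136383d4f3dc46 << openldap repo: ITS#8687 EGD is disabled by default in openssl 1.1. TODO validate on poky
+commit 556a832c4a7ed54d94d0ec204baba5865a36732a << openldap repo: ITS#8353/ITS#8533 Cleanup
+commit 8144463186ddc6c7b1b2509244c0a2e4eba50539 << openldap repo: ITS#8353/ITS#8533 libldap_r build error
+commit ebf74c7bb1c079a640074a8685583a7ee0cb5d39 << openldap repo: ITS#8353/ITS#8533 / Dont use deprecated API with OpenSSL 1.1 or later
+commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8 << openldap repo: ITS#8529
+commit 47f8b3c425c5e1fe4097f0685bbe9aefe56ba911 << openldap repo: ITS#8353/ITS#8533 OpenSSL 1.1.0c compat
+commit 691dab11a0d6334c401bac59f476a382303c7a24 << openldap repo: Copyright update
+commit 38d0a8bbdebdf1af212c36008f7d7c2de2a28af4 << openldap repo: ITS#8353
+commit 051f14f6d6809ff6074fd22e461bed71e160da92 << openldap repo: ITS#8353
+commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 << openldap-openssl-its7506-fix-DH-params-2.patch
+commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 << openldap-openssl-its7506-fix-DH-params-1.patch
+
+
+Patches:
+
+0001-Various-manual-pages-changes.patch: ....................... Commit 9321119bac67aeb1a3d61fda9d1a60f32785468b /
+0002-Correct-log-levels-in-ppolicy-overlay.patch: .............. Use Log3 instead of Debug
+0003-Removes-unnecessary-linking-of-SQL-Libs-into-slad.patch:... Is this patch needed? Removes sql linking
+0004-openlap-reentrant-gethostby.patch: ........................ Is this patch needed? use reentrant versions -- fix should be elsewhere -- test case?
+0005-openldap-smbk5pwd-overlay.patch: .......................... Redo NOTE A.
+0006-openldap-ldaprc-currentdir.patch:.......................... Disable openning of ldaprc file/ Keep this patch
+0007-openldap-userconfig-setgid.patch: ......................... Adds same behavior as geteuid != getuid to getegid != getgid
+0008-openldap-allop-overlay.patch: ............................. Redo NOTE A.
+0009-openldap-syncrepl-unset-tls-options.patch: ................ Keep
+0010-openldap-ai-addrconfig.patch: ............................. Keep Commit ebf0ef5cb11fc3f92715e644d95c1bf38cc33ebb.
+0011-openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL.patch: Keep
+0012-openldap-ldapi-sasl.patch: ................................ Keep 6c5a79be983fafa435454e9cce34a4658e31de79
+0013-openldap-missing-unlock-in-accesslog-overlay.patch: ....... Keep but is this really needed
+0014-openldap-module-passwd-sha2.patch: ........................ Redo NOTE A.
+0015-openldap-man-tls-reqcert.patch: ........................... Keep
+0016-openldap-man-ldap-conf.patch: ............................. Keep
+0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch: ..... Keep for now. Removed in upstream ec2cb12e68923f7b3db60fe20935ca01d4a3932c
+0018-openldap-tlsmc.patch: ..................................... Keep But is this needed. We are linking with openssl
+0019-openldap-fedora-systemd.patch: ............................ Remove The fix needs to go into systemd ENV file
+
+
+NOTE A:
+These patches need cleanup.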
@ -1,7 +1,7 @@
|
||||
From 462675a5b797afb411de4506425f12ac6ebdf56a Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:28:29 -0800
|
||||
Subject: [PATCH 01/19] Various manual pages changes:
|
||||
Subject: [PATCH 01/20] Various manual pages changes:
|
||||
|
||||
remove LIBEXECDIR from slapd.8
|
||||
remove references to non-existing manpages (bz 624616)
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 35907952c646b971ba5b14002db2aac8d2324f21 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:30:27 -0800
|
||||
Subject: [PATCH 02/19] Correct log levels in ppolicy overlay
|
||||
Subject: [PATCH 02/20] Correct log levels in ppolicy overlay
|
||||
|
||||
From STX 1901 openldap-ppolicy-loglevels.patch
|
||||
---
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 15b7c5ebcbb607cd2edc2119dfefd16b41cddc21 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:32:09 -0800
|
||||
Subject: [PATCH 03/19] Removes unnecessary linking of SQL Libs into slad.
|
||||
Subject: [PATCH 03/20] Removes unnecessary linking of SQL Libs into slad.
|
||||
|
||||
This makes openldap-servers package independent of libodbc (SQL
|
||||
backend is packaged separately in openldap-servers-sql.)
|
||||
|
@ -1,7 +1,7 @@
|
||||
From df22708bcbe727570daada3fbf8065a447444716 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:34:19 -0800
|
||||
Subject: [PATCH 04/19] openlap reentrant gethostby
|
||||
Subject: [PATCH 04/20] openlap reentrant gethostby
|
||||
|
||||
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
|
||||
example if libldap needs to be initialized from within gethostbyXXXX() (which
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 75e89e30c2ef819169b5f77b0ac8d450271f516b Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:35:23 -0800
|
||||
Subject: [PATCH 05/19] openldap smbk5pwd overlay
|
||||
Subject: [PATCH 05/20] openldap smbk5pwd overlay
|
||||
|
||||
Compile smbk5pwd together with other overlays.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b7f7a583e8a63b1787c3a98f4c43ccbb6c3e39df Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:36:48 -0800
|
||||
Subject: [PATCH 06/19] openldap ldaprc currentdir
|
||||
Subject: [PATCH 06/20] openldap ldaprc currentdir
|
||||
|
||||
From Stx 1901: openldap-ldaprc-currentdir.patch
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c4906ff521df3f1c9fc4a302300fc135447ee40a Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:38:21 -0800
|
||||
Subject: [PATCH 07/19] openldap userconfig setgid
|
||||
Subject: [PATCH 07/20] openldap userconfig setgid
|
||||
|
||||
From Stx 1901: openldap-userconfig-setgid.patch
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From ac607279df96d4f29f0778ad2657b1f962b496bb Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:40:33 -0800
|
||||
Subject: [PATCH 08/19] openldap allop overlay
|
||||
Subject: [PATCH 08/20] openldap allop overlay
|
||||
|
||||
From Stx 1901: openldap-allop-overlay.patch
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d87f33bf42e3ee1ce47ea61fde809fe693eede87 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:42:04 -0800
|
||||
Subject: [PATCH 09/19] openldap syncrepl unset tls options
|
||||
Subject: [PATCH 09/20] openldap syncrepl unset tls options
|
||||
|
||||
From Stx 1901: openldap-syncrepl-unset-tls-options.patch
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 6fcc222021258cf00cef05bdc487c614c33ab371 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:44:05 -0800
|
||||
Subject: [PATCH 10/19] openldap ai addrconfig
|
||||
Subject: [PATCH 10/20] openldap ai addrconfig
|
||||
|
||||
From stx 1901: openldap-ai-addrconfig.patch
|
||||
use AI_ADDRCONFIG if defined in the environment
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b0b00385bf7564fa39f711f958b90512559f7f70 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:45:27 -0800
|
||||
Subject: [PATCH 11/19] openldap switch to t_dlopenadvise to get RTLD_GLOBAL
|
||||
Subject: [PATCH 11/20] openldap switch to t_dlopenadvise to get RTLD_GLOBAL
|
||||
set
|
||||
|
||||
From-stx-1901: openldap-switch-to-t_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4533a8029bdb309eaa63ebb68d71243fa1f9835a Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:47:27 -0800
|
||||
Subject: [PATCH 12/19] openldap ldapi sasl
|
||||
Subject: [PATCH 12/20] openldap ldapi sasl
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7cc8c2c22dc6a5999554e64b25f162b3673cd922 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:48:29 -0800
|
||||
Subject: [PATCH 13/19] openldap missing unlock in accesslog overlay
|
||||
Subject: [PATCH 13/20] openldap missing unlock in accesslog overlay
|
||||
|
||||
From stx 1901: openldap-missing-unlock-in-accesslog-overlay.patch
|
||||
A mutex lock might not get unlocked when plausible
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 1281efe5b451e0fd030406bc68be9d1f9356adc5 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 14:55:58 -0800
|
||||
Subject: [PATCH 14/19] openldap module passwd sha2
|
||||
Subject: [PATCH 14/20] openldap module passwd sha2
|
||||
|
||||
From Stx 1901: openldap-module-passwd-sha2.patch
|
||||
Include sha2 module
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 5b8f3344a00d1623d54d1e1de9e7207895067473 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 15:13:00 -0800
|
||||
Subject: [PATCH 15/19] openldap man tls reqcert
|
||||
Subject: [PATCH 15/20] openldap man tls reqcert
|
||||
|
||||
From Stx 1901: openldap-man-tls-reqcert.patch
|
||||
From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 8196f53139c4d7e6c1cb8508d1a421299f7eaa61 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 15:14:39 -0800
|
||||
Subject: [PATCH 16/19] openldap man ldap conf
|
||||
Subject: [PATCH 16/20] openldap man ldap conf
|
||||
|
||||
From Stx 1901: openldap-man-ldap-conf.patch
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4e495a37939a605577c72ed43e1f5a3ab3780611 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 15:16:35 -0800
|
||||
Subject: [PATCH 17/19] openldap bdb_idl_fetch_key correct key pointer
|
||||
Subject: [PATCH 17/20] openldap bdb_idl_fetch_key correct key pointer
|
||||
|
||||
From Stx 1901: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 35b08487213749c6da625a446f605b6e7f74d07f Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 15:24:11 -0800
|
||||
Subject: [PATCH 18/19] openldap tlsmc
|
||||
Subject: [PATCH 18/20] openldap tlsmc
|
||||
|
||||
From Stx 1901: openldap-tlsmc.patch
|
||||
---
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 4cec0c0cc03d8e9e942be6126676853603487575 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Sun, 3 Nov 2019 15:25:21 -0800
|
||||
Subject: [PATCH 19/19] openldap fedora systemd
|
||||
|
||||
From stx 1901: openldap-fedora-systemd.patch
|
||||
Skip any empty parameters when parsing command line options.
|
||||
This is required because systemd does not expand variables the same way as shell does,
|
||||
we need it because of an empty SLAPD_OPTIONS in environment file.
|
||||
|
||||
Fedora specific patch.
|
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
---
|
||||
servers/slapd/main.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
|
||||
index c212209..23f7656 100644
|
||||
--- a/servers/slapd/main.c
|
||||
+++ b/servers/slapd/main.c
|
||||
@@ -685,6 +685,10 @@ unhandled_option:;
|
||||
}
|
||||
}
|
||||
|
||||
+ /* skip empty parameters */
|
||||
+ while ( optind < argc && *argv[optind] == '\0' )
|
||||
+ optind += 1;
|
||||
+
|
||||
if ( optind != argc )
|
||||
goto unhandled_option;
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,15 +1,26 @@
|
||||
ITS#7595 Add Elliptic Curve support for OpenSSL
|
||||
From dc82cdf9c6c25c69c7eee203d1c4f4c91f969ba9 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Tue, 5 Nov 2019 09:30:49 -0800
|
||||
Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support
|
||||
|
||||
Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
|
||||
Author: Howard Chu <hyc@openldap.org>
|
||||
Date: Sat Sep 7 09:47:19 2013 -0700
|
||||
From e631ce808ed56119e61321463d06db7999ba5a08
|
||||
From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch
|
||||
---
|
||||
doc/man/man5/slapd-config.5 | 7 +++++++
|
||||
doc/man/man5/slapd.conf.5 | 7 +++++++
|
||||
include/ldap.h | 1 +
|
||||
libraries/libldap/ldap-int.h | 2 ++
|
||||
libraries/libldap/tls2.c | 17 +++++++++++++++++
|
||||
libraries/libldap/tls_o.c | 33 ++++++++++++++++++++++++++++++---
|
||||
servers/slapd/bconfig.c | 12 +++++++++++-
|
||||
7 files changed, 75 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
|
||||
index 49a3959ae..9cd0a4dd1 100644
|
||||
index 42032d4..733ff1e 100644
|
||||
--- a/doc/man/man5/slapd-config.5
|
||||
+++ b/doc/man/man5/slapd-config.5
|
||||
@@ -918,6 +918,13 @@ from the default, otherwise no certificate exchanges or verification will
|
||||
be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
|
||||
@@ -922,6 +922,13 @@ are not used.
|
||||
When using Mozilla NSS these parameters are always generated randomly
|
||||
so this directive is ignored.
|
||||
.TP
|
||||
+.B olcTLSECName: <name>
|
||||
@ -23,12 +34,12 @@ index 49a3959ae..9cd0a4dd1 100644
|
||||
Specifies minimum SSL/TLS protocol version that will be negotiated.
|
||||
If the server doesn't support at least that version,
|
||||
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
|
||||
index e2344547e..4eb238162 100644
|
||||
index 2d4431f..ffe74ff 100644
|
||||
--- a/doc/man/man5/slapd.conf.5
|
||||
+++ b/doc/man/man5/slapd.conf.5
|
||||
@@ -1149,6 +1149,13 @@ from the default, otherwise no certificate exchanges or verification will
|
||||
be done. When using GnuTLS these parameters are always generated randomly so
|
||||
this directive is ignored. This directive is ignored when using Mozilla NSS.
|
||||
@@ -1153,6 +1153,13 @@ are not used.
|
||||
When using Mozilla NSS these parameters are always generated randomly
|
||||
so this directive is ignored.
|
||||
.TP
|
||||
+.B TLSECName <name>
|
||||
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
|
||||
@ -41,7 +52,7 @@ index e2344547e..4eb238162 100644
|
||||
Specifies minimum SSL/TLS protocol version that will be negotiated.
|
||||
If the server doesn't support at least that version,
|
||||
diff --git a/include/ldap.h b/include/ldap.h
|
||||
index d4d10fa79..9922c9fa8 100644
|
||||
index 7bc0644..bb22cb8 100644
|
||||
--- a/include/ldap.h
|
||||
+++ b/include/ldap.h
|
||||
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
|
||||
@ -53,7 +64,7 @@ index d4d10fa79..9922c9fa8 100644
|
||||
|
||||
#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0
|
||||
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
|
||||
index 1a26b3cb0..5fff785d8 100644
|
||||
index 15092c1..f504f44 100644
|
||||
--- a/libraries/libldap/ldap-int.h
|
||||
+++ b/libraries/libldap/ldap-int.h
|
||||
@@ -165,6 +165,7 @@ struct ldaptls {
|
||||
@ -73,7 +84,7 @@ index 1a26b3cb0..5fff785d8 100644
|
||||
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
|
||||
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
|
||||
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||||
index a616133da..f39546450 100644
|
||||
index 198d0b1..ba4b9c5 100644
|
||||
--- a/libraries/libldap/tls2.c
|
||||
+++ b/libraries/libldap/tls2.c
|
||||
@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
|
||||
@ -106,7 +117,7 @@ index a616133da..f39546450 100644
|
||||
#endif
|
||||
return rc;
|
||||
}
|
||||
@@ -674,6 +683,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
|
||||
@@ -686,6 +695,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
|
||||
*(char **)arg = lo->ldo_tls_dhfile ?
|
||||
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
|
||||
break;
|
||||
@ -117,7 +128,7 @@ index a616133da..f39546450 100644
|
||||
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
|
||||
*(char **)arg = lo->ldo_tls_crlfile ?
|
||||
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
|
||||
@@ -796,6 +809,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
|
||||
@@ -808,6 +821,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
|
||||
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
|
||||
lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
|
||||
return 0;
|
||||
@ -129,10 +140,10 @@ index a616133da..f39546450 100644
|
||||
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
|
||||
lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
|
||||
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||
index a2d9cd31f..1a81bc625 100644
|
||||
index 92c708b..45afc11 100644
|
||||
--- a/libraries/libldap/tls_o.c
|
||||
+++ b/libraries/libldap/tls_o.c
|
||||
@@ -296,10 +296,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
@@ -371,10 +371,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -145,7 +156,7 @@ index a2d9cd31f..1a81bc625 100644
|
||||
|
||||
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
@@ -318,7 +317,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
@@ -393,7 +392,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
}
|
||||
BIO_free( bio );
|
||||
SSL_CTX_set_tmp_dh( ctx, dh );
|
||||
@ -182,7 +193,7 @@ index a2d9cd31f..1a81bc625 100644
|
||||
if ( tlso_opt_trace ) {
|
||||
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
|
||||
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
|
||||
index 8ade0c3f2..5a3c67a72 100644
|
||||
index 250f141..8b1e4e5 100644
|
||||
--- a/servers/slapd/bconfig.c
|
||||
+++ b/servers/slapd/bconfig.c
|
||||
@@ -194,6 +194,7 @@ enum {
|
||||
@ -225,3 +236,6 @@ index 8ade0c3f2..5a3c67a72 100644
|
||||
#ifdef HAVE_GNUTLS
|
||||
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
|
||||
#endif
|
||||
--
|
||||
2.17.1
|
||||
|
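Review bot: The rewritten header line `Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support` names the ticket as ITS7596, while the patch title on its first line, the file name (openldap-openssl-ITS7595-Add-EC-support-1.patch) and the "Cherry-picked upstream" reference all refer to ITS#7595; the second EC patch repeats the slip in `Subject: [PATCH 20/20] openldap openssl ITS7596 Add EC support patch 2`. Suggest `Subject: [PATCH 19/20] openldap openssl ITS7595 Add EC support` and the matching correction in patch 20, so the ticket number stays searchable against the upstream tracker. The rebase also rewrites the man-page context lines and hunk offsets while keeping the diffstat verbatim; worth confirming that the rebased hunks still apply cleanly to the 2.4.46 tree named in issues/openldap.patches.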
@ -1,14 +1,19 @@
|
||||
ITS#7595 don't try to use EC if OpenSSL lacks it
|
||||
From 14058818a2d2aa42427a0e9433957c90a1264ec5 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Tue, 5 Nov 2019 09:50:55 -0800
|
||||
Subject: [PATCH 20/20] openldap openssl ITS7596 Add EC support patch 2
|
||||
|
||||
Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
|
||||
Author: Howard Chu <hyc@openldap.org>
|
||||
Date: Sun Sep 8 06:32:23 2013 -0700
|
||||
From 721e46fe6695077d63a3df6ea2e397920a72308d
|
||||
From stx 1901 openldap-openssl-ITS7595-Add-EC-support-2.patch
|
||||
---
|
||||
libraries/libldap/tls_o.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||
index 1a81bc625..71c2b055c 100644
|
||||
index 45afc11..0a70156 100644
|
||||
--- a/libraries/libldap/tls_o.c
|
||||
+++ b/libraries/libldap/tls_o.c
|
||||
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
@@ -396,8 +396,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
DH_free( dh );
|
||||
}
|
||||
|
||||
@ -22,7 +27,7 @@ index 1a81bc625..71c2b055c 100644
|
||||
EC_KEY *ecdh;
|
||||
|
||||
int nid = OBJ_sn2nid( lt->lt_ecname );
|
||||
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
@@ -419,8 +423,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
|
||||
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
|
||||
EC_KEY_free( ecdh );
|
||||
@ -32,3 +37,6 @@ index 1a81bc625..71c2b055c 100644
|
||||
|
||||
if ( tlso_opt_trace ) {
|
||||
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,997 @@
|
||||
From 2adc9fa71e3a47542793e61c7794629fa9255a57 Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Tue, 5 Nov 2019 14:49:06 -0800
|
||||
Subject: [PATCH] openldap and stx source and config files
|
||||
|
||||
From stx 1901 openldap-2.4.44-21.el7_6.src.rpm
|
||||
---
|
||||
stx-sources/ldap.conf | 18 +++
|
||||
stx-sources/libexec-check-config.sh | 91 ++++++++++++
|
||||
stx-sources/libexec-convert-config.sh | 79 ++++++++++
|
||||
stx-sources/libexec-create-certdb.sh | 70 +++++++++
|
||||
stx-sources/libexec-functions | 136 +++++++++++++++++
|
||||
stx-sources/libexec-generate-server-cert.sh | 118 +++++++++++++++
|
||||
stx-sources/libexec-update-ppolicy-schema.sh | 142 ++++++++++++++++++
|
||||
stx-sources/libexec-upgrade-db.sh | 40 +++++
|
||||
stx-sources/openldap.tmpfiles | 3 +
|
||||
stx-sources/slapd.ldif | 148 +++++++++++++++++++
|
||||
stx-sources/slapd.service | 19 +++
|
||||
stx-sources/slapd.sysconfig | 15 ++
|
||||
stx-sources/slapd.tmpfiles | 2 +
|
||||
13 files changed, 881 insertions(+)
|
||||
create mode 100644 stx-sources/ldap.conf
|
||||
create mode 100755 stx-sources/libexec-check-config.sh
|
||||
create mode 100755 stx-sources/libexec-convert-config.sh
|
||||
create mode 100755 stx-sources/libexec-create-certdb.sh
|
||||
create mode 100644 stx-sources/libexec-functions
|
||||
create mode 100755 stx-sources/libexec-generate-server-cert.sh
|
||||
create mode 100755 stx-sources/libexec-update-ppolicy-schema.sh
|
||||
create mode 100755 stx-sources/libexec-upgrade-db.sh
|
||||
create mode 100644 stx-sources/openldap.tmpfiles
|
||||
create mode 100644 stx-sources/slapd.ldif
|
||||
create mode 100644 stx-sources/slapd.service
|
||||
create mode 100644 stx-sources/slapd.sysconfig
|
||||
create mode 100644 stx-sources/slapd.tmpfiles
|
||||
|
||||
diff --git a/stx-sources/ldap.conf b/stx-sources/ldap.conf
|
||||
new file mode 100644
|
||||
index 0000000..aa6f8fd
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/ldap.conf
|
||||
@@ -0,0 +1,18 @@
|
||||
+#
|
||||
+# LDAP Defaults
|
||||
+#
|
||||
+
|
||||
+# See ldap.conf(5) for details
|
||||
+# This file should be world readable but not world writable.
|
||||
+
|
||||
+#BASE dc=example,dc=com
|
||||
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
||||
+
|
||||
+#SIZELIMIT 12
|
||||
+#TIMELIMIT 15
|
||||
+#DEREF never
|
||||
+
|
||||
+TLS_CACERTDIR /etc/openldap/certs
|
||||
+
|
||||
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
|
||||
+SASL_NOCANON on
|
||||
diff --git a/stx-sources/libexec-check-config.sh b/stx-sources/libexec-check-config.sh
|
||||
new file mode 100755
|
||||
index 0000000..87e377f
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-check-config.sh
|
||||
@@ -0,0 +1,91 @@
|
||||
+#!/bin/sh
|
||||
+# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
+
|
||||
+. /usr/libexec/openldap/functions
|
||||
+
|
||||
+function check_config_syntax()
|
||||
+{
|
||||
+ retcode=0
|
||||
+ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
|
||||
+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ error "Checking configuration file failed:"
|
||||
+ cat $tmp_slaptest >&2
|
||||
+ retcode=1
|
||||
+ fi
|
||||
+ rm $tmp_slaptest
|
||||
+ return $retcode
|
||||
+}
|
||||
+
|
||||
+function check_certs_perms()
|
||||
+{
|
||||
+ retcode=0
|
||||
+ for cert in `certificates`; do
|
||||
+ run_as_ldap "/usr/bin/test -e \"$cert\""
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ error "TLS certificate/key/DB '%s' was not found." "$cert"
|
||||
+ retcoder=1
|
||||
+ continue
|
||||
+ fi
|
||||
+ run_as_ldap "/usr/bin/test -r \"$cert\""
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
|
||||
+ retcode=1
|
||||
+ fi
|
||||
+ done
|
||||
+ return $retcode
|
||||
+}
|
||||
+
|
||||
+function check_db_perms()
|
||||
+{
|
||||
+ retcode=0
|
||||
+ for dbdir in `databases`; do
|
||||
+ [ -d "$dbdir" ] || continue
|
||||
+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
|
||||
+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
|
||||
+ retcode=1
|
||||
+ fi
|
||||
+ done
|
||||
+ done
|
||||
+ return $retcode
|
||||
+}
|
||||
+
|
||||
+function check_everything()
|
||||
+{
|
||||
+ retcode=0
|
||||
+ check_config_syntax || retcode=1
|
||||
+ # TODO: need support for Mozilla NSS, disabling temporarily
|
||||
+ #check_certs_perms || retcode=1
|
||||
+ check_db_perms || retcode=1
|
||||
+ return $retcode
|
||||
+}
|
||||
+
|
||||
+if [ `id -u` -ne 0 ]; then
|
||||
+ error "You have to be root to run this script."
|
||||
+ exit 4
|
||||
+fi
|
||||
+
|
||||
+load_sysconfig
|
||||
+
|
||||
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
|
||||
+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
|
||||
+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
|
||||
+ else
|
||||
+ check_everything
|
||||
+ exit $?
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
|
||||
+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
|
||||
+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
|
||||
+ else
|
||||
+ error "Warning: Usage of a configuration file is obsolete!"
|
||||
+ check_everything
|
||||
+ exit $?
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
+exit 1
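Review bot: libexec-check-config.sh is declared `#!/bin/sh` but relies on bash extensions — the `function check_config_syntax()` definition form and the `&>$tmp_slaptest` redirection — so on a target whose /bin/sh is a POSIX shell rather than bash the script is not guaranteed to parse, and the configuration check then never runs; libexec-convert-config.sh has the same `#!/bin/sh` shebang together with `function help()` and `&>>$tmp_convert`. Since this port targets Yocto, where /bin/sh need not be bash, declare `#!/bin/bash` in both scripts, as libexec-create-certdb.sh already does. In check_certs_perms the line `retcoder=1` after the "was not found" error is a typo for `retcode=1`, so a missing TLS certificate/key/DB would leave the function returning success; the call is currently commented out in check_everything (`#check_certs_perms || retcode=1`), but the typo should be fixed before that check is re-enabled.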
|
||||
diff --git a/stx-sources/libexec-convert-config.sh b/stx-sources/libexec-convert-config.sh
|
||||
new file mode 100755
|
||||
index 0000000..824c3b1
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-convert-config.sh
|
||||
@@ -0,0 +1,79 @@
|
||||
+#!/bin/sh
|
||||
+# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
+
|
||||
+. /usr/libexec/openldap/functions
|
||||
+
|
||||
+function help()
|
||||
+{
|
||||
+ error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
|
||||
+ exit 2
|
||||
+}
|
||||
+
|
||||
+load_sysconfig
|
||||
+
|
||||
+while getopts :f:F: opt; do
|
||||
+ case "$opt" in
|
||||
+ f)
|
||||
+ SLAPD_CONFIG_FILE="$OPTARG"
|
||||
+ ;;
|
||||
+ F)
|
||||
+ SLAPD_CONFIG_DIR="$OPTARG"
|
||||
+ ;;
|
||||
+ *)
|
||||
+ help
|
||||
+ ;;
|
||||
+ esac
|
||||
+done
|
||||
+shift $((OPTIND-1))
|
||||
+[ -n "$1" ] && help
|
||||
+
|
||||
+# check source, target
|
||||
+
|
||||
+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
|
||||
+ error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
|
||||
+ SLAPD_CONFIG_FILE_FORMAT=ldif
|
||||
+else
|
||||
+ SLAPD_CONFIG_FILE_FORMAT=conf
|
||||
+fi
|
||||
+
|
||||
+if [ -d "$SLAPD_CONFIG_DIR" ]; then
|
||||
+ if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
|
||||
+ error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
|
||||
+ exit 1
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
+# perform the conversion
|
||||
+
|
||||
+tmp_convert=`mktemp --tmpdir=/var/run/openldap`
|
||||
+
|
||||
+if [ `id -u` -eq 0 ]; then
|
||||
+ install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
|
||||
+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
|
||||
+ run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
|
||||
+ else
|
||||
+ run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
|
||||
+ fi
|
||||
+ retcode=$?
|
||||
+else
|
||||
+ error "You are not root! Permission will not be set."
|
||||
+ install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
|
||||
+ if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
|
||||
+ /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
|
||||
+ else
|
||||
+ /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
|
||||
+ fi
|
||||
+ retcode=$?
|
||||
+fi
|
||||
+
|
||||
+if [ $retcode -ne 0 ]; then
|
||||
+ error "Configuration conversion failed:"
|
||||
+ cat $tmp_convert >&2
|
||||
+fi
|
||||
+
|
||||
+rm $tmp_convert
|
||||
+exit $retcode
|
||||
diff --git a/stx-sources/libexec-create-certdb.sh b/stx-sources/libexec-create-certdb.sh
|
||||
new file mode 100755
|
||||
index 0000000..2377fdd
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-create-certdb.sh
|
||||
@@ -0,0 +1,70 @@
|
||||
+#!/bin/bash
|
||||
+# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+# default options
|
||||
+
|
||||
+CERTDB_DIR=/etc/openldap/certs
|
||||
+
|
||||
+# internals
|
||||
+
|
||||
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
|
||||
+RANDOM_SOURCE=/dev/urandom
|
||||
+PASSWORD_BYTES=32
|
||||
+
|
||||
+# parse arguments
|
||||
+
|
||||
+usage() {
|
||||
+ printf "usage: create-certdb.sh [-d certdb]\n" >&2
|
||||
+ exit 1
|
||||
+}
|
||||
+
|
||||
+while getopts "d:" opt; do
|
||||
+ case "$opt" in
|
||||
+ d)
|
||||
+ CERTDB_DIR="$OPTARG"
|
||||
+ ;;
|
||||
+ \?)
|
||||
+ usage
|
||||
+ ;;
|
||||
+ esac
|
||||
+done
|
||||
+
|
||||
+[ "$OPTIND" -le "$#" ] && usage
|
||||
+
|
||||
+# verify target location
|
||||
+
|
||||
+if [ ! -d "$CERTDB_DIR" ]; then
|
||||
+ printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
|
||||
+ printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+# create the database
|
||||
+
|
||||
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
|
||||
+
|
||||
+PASSWORD_FILE="$CERTDB_DIR/password"
|
||||
+OLD_UMASK="$(umask)"
|
||||
+umask 0377
|
||||
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
|
||||
+umask "$OLD_UMASK"
|
||||
+
|
||||
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
|
||||
+
|
||||
+# load module with builtin CA certificates
|
||||
+
|
||||
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
|
||||
+
|
||||
+# tune permissions
|
||||
+
|
||||
+for dbfile in "$CERTDB_DIR"/*.db; do
|
||||
+ chmod 0644 "$dbfile"
|
||||
+done
|
||||
+
|
||||
+exit 0
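Review bot: `MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"` makes the script depend on an rpm binary being present on the target; this is a Yocto port, and on an image without `rpm` the command substitution fails and `set -e` aborts the script before anything is created, with only "command not found" as explanation. Take the libdir from the build instead, e.g. `MODULE_CKBI="${MODULE_CKBI:-<LIBDIR>/libnssckbi.so}"` (placeholder; substitute the target libdir), and print an error before exiting when `certutil` or `modutil` fail, since their output is currently sent to `/dev/null`. The password file is written before `certutil -N` has succeeded, so a failed run leaves a mode-0400 `password` file in an otherwise empty certdb, which the emptiness check then rejects on the next attempt; removing it on failure (an `EXIT` trap, or deleting it when `certutil` fails) keeps the script re-runnable.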
|
||||
diff --git a/stx-sources/libexec-functions b/stx-sources/libexec-functions
|
||||
new file mode 100644
|
||||
index 0000000..98c8631
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-functions
|
||||
@@ -0,0 +1,136 @@
|
||||
+# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
+
|
||||
+SLAPD_USER=
|
||||
+SLAPD_CONFIG_FILE=
|
||||
+SLAPD_CONFIG_DIR=
|
||||
+SLAPD_CONFIG_CUSTOM=
|
||||
+SLAPD_GLOBAL_OPTIONS=
|
||||
+SLAPD_SYSCONFIG_FILE=
|
||||
+
|
||||
+function default_config()
|
||||
+{
|
||||
+ SLAPD_USER=ldap
|
||||
+ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
|
||||
+ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
|
||||
+ SLAPD_CONFIG_CUSTOM=
|
||||
+ SLAPD_GLOBAL_OPTIONS=
|
||||
+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
|
||||
+}
|
||||
+
|
||||
+function parse_config_options()
|
||||
+{
|
||||
+ user=
|
||||
+ config_file=
|
||||
+ config_dir=
|
||||
+ while getopts :u:f:F: opt; do
|
||||
+ case "$opt" in
|
||||
+ u)
|
||||
+ user="$OPTARG"
|
||||
+ ;;
|
||||
+ f)
|
||||
+ config_file="$OPTARG"
|
||||
+ ;;
|
||||
+ F)
|
||||
+ config_dir="$OPTARG"
|
||||
+ ;;
|
||||
+ esac
|
||||
+ done
|
||||
+
|
||||
+ unset OPTIND
|
||||
+
|
||||
+ if [ -n "$user" ]; then
|
||||
+ SLAPD_USER="$user"
|
||||
+ fi
|
||||
+
|
||||
+ if [ -n "$config_dir" ]; then
|
||||
+ SLAPD_CONFIG_DIR="$config_dir"
|
||||
+ SLAPD_CONFIG_FILE=
|
||||
+ SLAPD_CONFIG_CUSTOM=1
|
||||
+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
|
||||
+ elif [ -n "$config_file" ]; then
|
||||
+ SLAPD_CONFIG_DIR=
|
||||
+ SLAPD_CONFIG_FILE="$config_file"
|
||||
+ SLAPD_CONFIG_CUSTOM=1
|
||||
+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+function uses_new_config()
|
||||
+{
|
||||
+ [ -n "$SLAPD_CONFIG_DIR" ]
|
||||
+ return $?
|
||||
+}
|
||||
+
|
||||
+function run_as_ldap()
|
||||
+{
|
||||
+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
|
||||
+ return $?
|
||||
+}
|
||||
+
|
||||
+function ldif_unbreak()
|
||||
+{
|
||||
+ sed ':a;N;s/\n //;ta;P;D'
|
||||
+}
|
||||
+
|
||||
+function ldif_value()
|
||||
+{
|
||||
+ sed 's/^[^:]*: //'
|
||||
+}
|
||||
+
|
||||
+function databases_new()
|
||||
+{
|
||||
+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
|
||||
+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
|
||||
+ ldif_unbreak | \
|
||||
+ grep '^olcDbDirectory: ' | \
|
||||
+ ldif_value
|
||||
+}
|
||||
+
|
||||
+function databases_old()
|
||||
+{
|
||||
+ awk 'begin { database="" }
|
||||
+ $1 == "database" { database=$2 }
|
||||
+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
|
||||
+ "$SLAPD_CONFIG_FILE"
|
||||
+}
|
||||
+
|
||||
+function certificates_new()
|
||||
+{
|
||||
+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
|
||||
+ ldif_unbreak | \
|
||||
+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
|
||||
+ ldif_value
|
||||
+}
|
||||
+
|
||||
+function certificates_old()
|
||||
+{
|
||||
+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
|
||||
+ "$SLAPD_CONFIG_FILE"
|
||||
+}
|
||||
+
|
||||
+function certificates()
|
||||
+{
|
||||
+ uses_new_config && certificates_new || certificates_old
|
||||
+}
|
||||
+
|
||||
+function databases()
|
||||
+{
|
||||
+ uses_new_config && databases_new || databases_old
|
||||
+}
|
||||
+
|
||||
+
|
||||
+function error()
|
||||
+{
|
||||
+ format="$1\n"; shift
|
||||
+ printf "$format" $@ >&2
|
||||
+}
|
||||
+
|
||||
+function load_sysconfig()
|
||||
+{
|
||||
+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
|
||||
+
|
||||
+ . "$SLAPD_SYSCONFIG_FILE"
|
||||
+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
|
||||
+}
|
||||
+
|
||||
+default_config
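Review bot: `error()` expands its arguments unquoted (`printf "$format" $@ >&2`), so an argument containing whitespace or glob characters is split or expanded before `printf` sees it — a configuration path with a space turns a single `%s` argument into two; it should be `printf "$format" "$@" >&2`. In `parse_config_options`, `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` embeds literal single quotes that are never removed when the variable is later expanded unquoted in `databases_new` and `certificates_new`, so `slapcat` receives `'/path'` including the quotes whenever `SLAPD_OPTIONS` in the sysconfig file sets `-F` or `-f`; storing the options as an array (`SLAPD_GLOBAL_OPTIONS=(-F "$config_dir")`) and expanding `"${SLAPD_GLOBAL_OPTIONS[@]}"` at both call sites carries the path intact. Separately, the awk program in `databases_old` spells the special pattern as lowercase `begin`, which awk reads as an empty variable rather than a BEGIN block; harmless because `database` starts empty anyway, but `BEGIN` is what was intended.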
|
||||
diff --git a/stx-sources/libexec-generate-server-cert.sh b/stx-sources/libexec-generate-server-cert.sh
|
||||
new file mode 100755
|
||||
index 0000000..e2f4974
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-generate-server-cert.sh
|
||||
@@ -0,0 +1,118 @@
|
||||
+#!/bin/bash
|
||||
+# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+# default options
|
||||
+
|
||||
+CERTDB_DIR=/etc/openldap/certs
|
||||
+CERT_NAME="OpenLDAP Server"
|
||||
+PASSWORD_FILE=
|
||||
+HOSTNAME_FQDN="$(hostname --fqdn)"
|
||||
+ALT_NAMES=
|
||||
+ONCE=0
|
||||
+
|
||||
+# internals
|
||||
+
|
||||
+RANDOM_SOURCE=/dev/urandom
|
||||
+CERT_RANDOM_BYTES=256
|
||||
+CERT_KEY_TYPE=rsa
|
||||
+CERT_KEY_SIZE=1024
|
||||
+CERT_VALID_MONTHS=12
|
||||
+
|
||||
+# parse arguments
|
||||
+
|
||||
+usage() {
|
||||
+ printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
|
||||
+ printf " [-p password-file] [-h hostnames]\n" >&2
|
||||
+ printf " [-a dns-alt-names] [-o]\n" >&2
|
||||
+ exit 1
|
||||
+}
|
||||
+
|
||||
+while getopts "d:n:p:h:a:o" opt; do
|
||||
+ case "$opt" in
|
||||
+ d)
|
||||
+ CERTDB_DIR="$OPTARG"
|
||||
+ ;;
|
||||
+ n)
|
||||
+ CERT_NAME="$OPTARG"
|
||||
+ ;;
|
||||
+ p)
|
||||
+ PASSWORD_FILE="$OPTARG"
|
||||
+ ;;
|
||||
+ h)
|
||||
+ HOSTNAME_FQDN="$OPTARG"
|
||||
+ ;;
|
||||
+ a)
|
||||
+ ALT_NAMES="$OPTARG"
|
||||
+ ;;
|
||||
+ o)
|
||||
+ ONCE=1
|
||||
+ ;;
|
||||
+ \?)
|
||||
+ usage
|
||||
+ ;;
|
||||
+ esac
|
||||
+done
|
||||
+
|
||||
+[ "$OPTIND" -le "$#" ] && usage
|
||||
+
|
||||
+# generated options
|
||||
+
|
||||
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
|
||||
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
|
||||
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
|
||||
+
|
||||
+# verify target location
|
||||
+
|
||||
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
|
||||
+ printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
|
||||
+ printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
|
||||
+
|
||||
+if [ ! -r "$PASSWORD_FILE" ]; then
|
||||
+ printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
|
||||
+ printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+# generate server certificate (self signed)
|
||||
+
|
||||
+
|
||||
+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
|
||||
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
|
||||
+
|
||||
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
|
||||
+ -S -x -n "$CERT_NAME" \
|
||||
+ -s "CN=$HOSTNAME_FQDN" \
|
||||
+ -t TC,, \
|
||||
+ -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
|
||||
+ -v $CERT_VALID_MONTHS \
|
||||
+ -8 "$ALT_NAMES" \
|
||||
+ &>/dev/null
|
||||
+
|
||||
+rm -f $CERT_RANDOM
|
||||
+
|
||||
+# tune permissions
|
||||
+
|
||||
+if [ "$(id -u)" -eq 0 ]; then
|
||||
+ chgrp ldap "$PASSWORD_FILE"
|
||||
+ chmod g+r "$PASSWORD_FILE"
|
||||
+else
|
||||
+ printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
|
||||
+ printf " load it's private key from the certificate database.\n" >&2
|
||||
+fi
|
||||
+
|
||||
+touch "$ONCE_FILE"
|
||||
+exit 0
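Review bot: The self-signed server certificate is generated with a 1024-bit RSA key (`CERT_KEY_SIZE=1024`), which is below the 2048-bit minimum that common TLS client policies now enforce (OpenSSL security level 2, distribution crypto-policies), so LDAP clients may reject the bootstrap certificate outright; set `CERT_KEY_SIZE=2048` (certutil `-g` accepts it). `touch "$ONCE_FILE"` is only reached after `certutil -S` succeeds, which correctly leaves a failed generation retryable, but `rm -f $CERT_RANDOM` is also skipped on that path because `set -e` exits first, leaving the seed file behind in `/var/run/openldap`; an `EXIT` trap that removes `$CERT_RANDOM` covers both outcomes. The default `-8` list includes `localhost` and `localhost.localdomain`, which is fine for a first-boot certificate but deserves a comment that production deployments should replace it with a CA-issued certificate.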
|
||||
diff --git a/stx-sources/libexec-update-ppolicy-schema.sh b/stx-sources/libexec-update-ppolicy-schema.sh
|
||||
new file mode 100755
|
||||
index 0000000..a853b27
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-update-ppolicy-schema.sh
|
||||
@@ -0,0 +1,142 @@
|
||||
+#!/bin/bash
|
||||
+# This script serves one purpose, to add a possibly missing attribute
|
||||
+# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
|
||||
+# attribute was introduced in openldap-2.4.43 and slapd will not
|
||||
+# start without it later on.
|
||||
+#
|
||||
+# The script tries to update in a directory given as first parameter,
|
||||
+# or in /etc/openldap/slapd.d implicitly.
|
||||
+#
|
||||
+# Author: Matus Honek <mhonek@redhat.com>
|
||||
+# Bugzilla: #1487857
|
||||
+
|
||||
+function log {
|
||||
+ echo "Update dynamic configuration: " $@
|
||||
+ true
|
||||
+}
|
||||
+
|
||||
+function iferr {
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ log "ERROR: " $@
|
||||
+ true
|
||||
+ else
|
||||
+ false
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+function update {
|
||||
+ set -u
|
||||
+ shopt -s extglob
|
||||
+
|
||||
+ ORIGINAL="${1:-/etc/openldap/slapd.d}"
|
||||
+ ORIGINAL="${ORIGINAL%*(/)}"
|
||||
+
|
||||
+ ### check if necessary
|
||||
+ grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
|
||||
+ [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
|
||||
+
|
||||
+ ### prep
|
||||
+ log "Prepare environment."
|
||||
+
|
||||
+ TEMPDIR=$(mktemp -d)
|
||||
+ iferr "Could not create a temporary directory. Quitting." && return 1
|
||||
+ DBDIR="${TEMPDIR}/db"
|
||||
+ SUBDBDIR="${DBDIR}/cn=temporary"
|
||||
+
|
||||
+ mkdir "${DBDIR}"
|
||||
+ iferr "Could not create temporary configuration directory. Quitting." && return 1
|
||||
+ cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
|
||||
+ iferr "Could not copy configuration. Quitting." && return 1
|
||||
+
|
||||
+ pushd "$TEMPDIR" >/dev/null
|
||||
+
|
||||
+ cat > temp.conf <<EOF
|
||||
+database ldif
|
||||
+suffix cn=temporary
|
||||
+directory db
|
||||
+access to * by * manage
|
||||
+EOF
|
||||
+
|
||||
+ SOCKET="$(pwd)/socket"
|
||||
+ LISTENER="ldapi://${SOCKET//\//%2F}"
|
||||
+ CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")
|
||||
+
|
||||
+ slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
|
||||
+ SLAPDPID="$!"
|
||||
+ sleep 2
|
||||
+
|
||||
+ ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
|
||||
+dn: cn=temporary
|
||||
+objectClass: olcGlobal
|
||||
+cn: temporary
|
||||
+EOF
|
||||
+ iferr "Could not populate the temporary database. Quitting." && return 1
|
||||
+
|
||||
+ ### update
|
||||
+ log "Update with new pwdMaxRecordedFailure attribute."
|
||||
+ FILTER="(&"
|
||||
+ FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
|
||||
+ FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
|
||||
+ FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
|
||||
+ FILTER+=")"
|
||||
+ RES=$(ldapsearch ${CONN_PARAMS[@]} \
|
||||
+ -b cn=schema,cn=config,cn=temporary \
|
||||
+ -LLL \
|
||||
+ -o ldif-wrap=no \
|
||||
+ "$FILTER" \
|
||||
+ dn olcObjectClasses \
|
||||
+ 2>/dev/null \
|
||||
+ | sed '/^$/d')
|
||||
+ DN=$(printf "$RES" | grep '^dn:')
|
||||
+ OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
|
||||
+ NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
|
||||
+
|
||||
+ test $(echo "$DN" | wc -l) = 1
|
||||
+ iferr "Received more than one DN. Cannot continue. Quitting." && return 1
|
||||
+ test "$NEWOC" != "$OC"
|
||||
+ iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
|
||||
+
|
||||
+ ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
|
||||
+$DN
|
||||
+changetype: modify
|
||||
+add: olcAttributeTypes
|
||||
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
|
||||
+ e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
|
||||
+ 1466.115.121.1.27 SINGLE-VALUE )
|
||||
+-
|
||||
+delete: olcObjectClasses
|
||||
+$OC
|
||||
+-
|
||||
+add: olcObjectClasses
|
||||
+$NEWOC
|
||||
+EOF
|
||||
+ iferr "Updating with new attribute failed. Quitting." && return 1
|
||||
+
|
||||
+ popd >/dev/null
|
||||
+
|
||||
+ ### apply
|
||||
+ log "Apply changes."
|
||||
+ cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
|
||||
+ iferr "Backing up old configuration failed. Quitting." && return 1
|
||||
+ cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
|
||||
+ iferr "Applying new configuration failed. Quitting." && return 1
|
||||
+
|
||||
+ ### clean up
|
||||
+ log "Clean up."
|
||||
+ kill "$SLAPDPID"
|
||||
+ SLAPDPID=
|
||||
+ rm -rf "$TEMPDIR"
|
||||
+ TEMPDIR=
|
||||
+}
|
||||
+
|
||||
+SLAPDPID=
|
||||
+TEMPDIR=
|
||||
+update "$1"
|
||||
+if [ $? -ne 0 ]; then
|
||||
+ log "Clean up."
|
||||
+ echo "$SLAPDPID"
|
||||
+ echo "$TEMPDIR"
|
||||
+ kill "$SLAPDPID"
|
||||
+ rm -rf "$TEMPDIR"
|
||||
+fi
|
||||
+log "Finished."
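Review bot: The final `cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"` writes the updated `cn=config` tree back without `-p`/`-a`, so the files end up owned by the invoking user with modes masked by the current umask rather than the owner and mode of the original `slapd.d`; if that directory is owned by the ldap user, as the service's `-u ldap` requires for cn=config writes, the apply step can leave slapd unable to read or update its own configuration. The same holds for the initial `cp -r` into `$SUBDBDIR`, and any entries the temporary slapd writes there are root-owned too; `cp -a` on both copies followed by `chown -R --reference="$ORIGINAL~backup" "$ORIGINAL"` restores the expected ownership — verify against the actual owner of `slapd.d` on the target. `sleep 2` is a fixed wait for the temporary slapd to bind its ldapi socket; polling `ldapsearch ${CONN_PARAMS[@]} -b '' -s base` with a bounded retry avoids a spurious "Could not populate the temporary database" on slow systems. In the failure path at the bottom, `echo "$SLAPDPID"` and `echo "$TEMPDIR"` look like leftover debug output, and `kill "$SLAPDPID"` runs even when the variable is empty and prints a usage error; guard it with `[ -n "$SLAPDPID" ] && kill "$SLAPDPID"`.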
|
||||
diff --git a/stx-sources/libexec-upgrade-db.sh b/stx-sources/libexec-upgrade-db.sh
|
||||
new file mode 100755
|
||||
index 0000000..1543c80
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/libexec-upgrade-db.sh
|
||||
@@ -0,0 +1,40 @@
|
||||
+#!/bin/sh
|
||||
+# Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
+
|
||||
+. /usr/libexec/openldap/functions
|
||||
+
|
||||
+if [ `id -u` -ne 0 ]; then
|
||||
+ error "You have to be root to run this command."
|
||||
+ exit 4
|
||||
+fi
|
||||
+
|
||||
+load_sysconfig
|
||||
+retcode=0
|
||||
+
|
||||
+for dbdir in `databases`; do
|
||||
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
|
||||
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
|
||||
+
|
||||
+ # skip uninitialized database
|
||||
+ [ -z "$bdb_files"] || continue
|
||||
+
|
||||
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
|
||||
+
|
||||
+ # perform the update
|
||||
+ for command in \
|
||||
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
|
||||
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
|
||||
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
|
||||
+ ; do
|
||||
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
|
||||
+ run_as_ldap "$command" &>>$upgrade_log
|
||||
+ result=$?
|
||||
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
|
||||
+ if [ $result -ne 0 ]; then
|
||||
+ printf "Upgrade failed: %d\n" $result
|
||||
+ retcode=1
|
||||
+ fi
|
||||
+ done
|
||||
+done
|
||||
+
|
||||
+exit $retcode
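Review bot: `[ -z "$bdb_files"] || continue` is broken twice: the missing space before `]` makes `[` fail with a syntax error (non-zero status), so `continue` fires for every database and nothing is ever upgraded; and even with the space the test is inverted against the comment "skip uninitialized database" — it would skip directories that have `.bdb` files and process the empty ones. The line should read `[ -n "$bdb_files" ] || continue`. The script also declares `#!/bin/sh` but uses the bash-only `&>>` redirection on the `printf "Executing"` and `run_as_ldap` lines and sources `libexec-functions`, which uses the `function` keyword that a strict POSIX `sh` (dash, or busybox ash on a Yocto image) may not accept; under dash `run_as_ldap "$command" &>>$upgrade_log` parses as a background job followed by a bare `>>` redirection, so the upgrade runs asynchronously with its output unlogged and `$?` no longer reflects it. Use `#!/bin/bash` as the sibling scripts do, and quote the log path as `>>"$upgrade_log"` the way the later `printf "Exit code"` line already does.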
|
||||
diff --git a/stx-sources/openldap.tmpfiles b/stx-sources/openldap.tmpfiles
|
||||
new file mode 100644
|
||||
index 0000000..aa0e805
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/openldap.tmpfiles
|
||||
@@ -0,0 +1,3 @@
|
||||
+# OpenLDAP TLSMC runtime directories
|
||||
+x /tmp/openldap-tlsmc-*
|
||||
+X /tmp/openldap-tlsmc-*
|
||||
diff --git a/stx-sources/slapd.ldif b/stx-sources/slapd.ldif
|
||||
new file mode 100644
|
||||
index 0000000..7b7f328
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/slapd.ldif
|
||||
@@ -0,0 +1,148 @@
|
||||
+#
|
||||
+# See slapd-config(5) for details on configuration options.
|
||||
+# This file should NOT be world readable.
|
||||
+#
|
||||
+
|
||||
+dn: cn=config
|
||||
+objectClass: olcGlobal
|
||||
+cn: config
|
||||
+olcArgsFile: /var/run/openldap/slapd.args
|
||||
+olcPidFile: /var/run/openldap/slapd.pid
|
||||
+#
|
||||
+# TLS settings
|
||||
+#
|
||||
+olcTLSCACertificatePath: /etc/openldap/certs
|
||||
+olcTLSCertificateFile: "OpenLDAP Server"
|
||||
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
|
||||
+#
|
||||
+# Do not enable referrals until AFTER you have a working directory
|
||||
+# service AND an understanding of referrals.
|
||||
+#
|
||||
+#olcReferral: ldap://root.openldap.org
|
||||
+#
|
||||
+# Sample security restrictions
|
||||
+# Require integrity protection (prevent hijacking)
|
||||
+# Require 112-bit (3DES or better) encryption for updates
|
||||
+# Require 64-bit encryption for simple bind
|
||||
+#
|
||||
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
|
||||
+
|
||||
+
|
||||
+#
|
||||
+# Load dynamic backend modules:
|
||||
+# - modulepath is architecture dependent value (32/64-bit system)
|
||||
+# - back_sql.la backend requires openldap-servers-sql package
|
||||
+# - dyngroup.la and dynlist.la cannot be used at the same time
|
||||
+#
|
||||
+
|
||||
+#dn: cn=module,cn=config
|
||||
+#objectClass: olcModuleList
|
||||
+#cn: module
|
||||
+#olcModulepath: /usr/lib/openldap
|
||||
+#olcModulepath: /usr/lib64/openldap
|
||||
+#olcModuleload: accesslog.la
|
||||
+#olcModuleload: auditlog.la
|
||||
+#olcModuleload: back_dnssrv.la
|
||||
+#olcModuleload: back_ldap.la
|
||||
+#olcModuleload: back_mdb.la
|
||||
+#olcModuleload: back_meta.la
|
||||
+#olcModuleload: back_null.la
|
||||
+#olcModuleload: back_passwd.la
|
||||
+#olcModuleload: back_relay.la
|
||||
+#olcModuleload: back_shell.la
|
||||
+#olcModuleload: back_sock.la
|
||||
+#olcModuleload: collect.la
|
||||
+#olcModuleload: constraint.la
|
||||
+#olcModuleload: dds.la
|
||||
+#olcModuleload: deref.la
|
||||
+#olcModuleload: dyngroup.la
|
||||
+#olcModuleload: dynlist.la
|
||||
+#olcModuleload: memberof.la
|
||||
+#olcModuleload: pcache.la
|
||||
+#olcModuleload: ppolicy.la
|
||||
+#olcModuleload: refint.la
|
||||
+#olcModuleload: retcode.la
|
||||
+#olcModuleload: rwm.la
|
||||
+#olcModuleload: seqmod.la
|
||||
+#olcModuleload: smbk5pwd.la
|
||||
+#olcModuleload: sssvlv.la
|
||||
+#olcModuleload: syncprov.la
|
||||
+#olcModuleload: translucent.la
|
||||
+#olcModuleload: unique.la
|
||||
+#olcModuleload: valsort.la
|
||||
+
|
||||
+
|
||||
+#
|
||||
+# Schema settings
|
||||
+#
|
||||
+
|
||||
+dn: cn=schema,cn=config
|
||||
+objectClass: olcSchemaConfig
|
||||
+cn: schema
|
||||
+
|
||||
+include: file:///etc/openldap/schema/core.ldif
|
||||
+
|
||||
+#
|
||||
+# Frontend settings
|
||||
+#
|
||||
+
|
||||
+dn: olcDatabase=frontend,cn=config
|
||||
+objectClass: olcDatabaseConfig
|
||||
+objectClass: olcFrontendConfig
|
||||
+olcDatabase: frontend
|
||||
+#
|
||||
+# Sample global access control policy:
|
||||
+# Root DSE: allow anyone to read it
|
||||
+# Subschema (sub)entry DSE: allow anyone to read it
|
||||
+# Other DSEs:
|
||||
+# Allow self write access
|
||||
+# Allow authenticated users read access
|
||||
+# Allow anonymous users to authenticate
|
||||
+#
|
||||
+#olcAccess: to dn.base="" by * read
|
||||
+#olcAccess: to dn.base="cn=Subschema" by * read
|
||||
+#olcAccess: to *
|
||||
+# by self write
|
||||
+# by users read
|
||||
+# by anonymous auth
|
||||
+#
|
||||
+# if no access controls are present, the default policy
|
||||
+# allows anyone and everyone to read anything but restricts
|
||||
+# updates to rootdn. (e.g., "access to * by * read")
|
||||
+#
|
||||
+# rootdn can always read and write EVERYTHING!
|
||||
+#
|
||||
+
|
||||
+#
|
||||
+# Configuration database
|
||||
+#
|
||||
+
|
||||
+dn: olcDatabase=config,cn=config
|
||||
+objectClass: olcDatabaseConfig
|
||||
+olcDatabase: config
|
||||
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
|
||||
+ n=auth" manage by * none
|
||||
+
|
||||
+#
|
||||
+# Server status monitoring
|
||||
+#
|
||||
+
|
||||
+dn: olcDatabase=monitor,cn=config
|
||||
+objectClass: olcDatabaseConfig
|
||||
+olcDatabase: monitor
|
||||
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
|
||||
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
|
||||
+
|
||||
+#
|
||||
+# Backend database definitions
|
||||
+#
|
||||
+
|
||||
+dn: olcDatabase=hdb,cn=config
|
||||
+objectClass: olcDatabaseConfig
|
||||
+objectClass: olcHdbConfig
|
||||
+olcDatabase: hdb
|
||||
+olcSuffix: dc=my-domain,dc=com
|
||||
+olcRootDN: cn=Manager,dc=my-domain,dc=com
|
||||
+olcDbDirectory: /var/lib/ldap
|
||||
+olcDbIndex: objectClass eq,pres
|
||||
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
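Review bot: The frontend's `olcAccess` rules are commented out, so — as the file's own comment states — the default policy applies and the `dc=my-domain,dc=com` hdb database is readable by anonymous binds, with only the rootdn able to write; for a shipped default, enabling the sample rules (`olcAccess: to dn.base="" by * read`, `olcAccess: to dn.base="cn=Subschema" by * read`, `olcAccess: to * by self write by users read by anonymous auth`) is the safer baseline. The TLS block names an NSS certdb nickname (`olcTLSCertificateFile: "OpenLDAP Server"`) and an NSS password file as the key file; that only works through the TLSMC compatibility layer (the `openldap.tmpfiles` entry for `/tmp/openldap-tlsmc-*` suggests it is built in), so confirm the Yocto build carries that layer, otherwise TLS initialisation fails on an OpenSSL-only slapd. The `olcSecurity` sample is commented out as well; with TLS offered but not required, simple binds over plain `ldap:///` send passwords in clear, so consider at least `olcSecurity: simple_bind=64` unless the deployment restricts listeners to ldaps/ldapi.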
|
||||
diff --git a/stx-sources/slapd.service b/stx-sources/slapd.service
|
||||
new file mode 100644
|
||||
index 0000000..8a3a722
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/slapd.service
|
||||
@@ -0,0 +1,19 @@
|
||||
+[Unit]
|
||||
+Description=OpenLDAP Server Daemon
|
||||
+After=syslog.target network-online.target
|
||||
+Documentation=man:slapd
|
||||
+Documentation=man:slapd-config
|
||||
+Documentation=man:slapd-hdb
|
||||
+Documentation=man:slapd-mdb
|
||||
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
|
||||
+
|
||||
+[Service]
|
||||
+Type=forking
|
||||
+PIDFile=/var/run/openldap/slapd.pid
|
||||
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
|
||||
+EnvironmentFile=/etc/sysconfig/slapd
|
||||
+ExecStartPre=/usr/libexec/openldap/check-config.sh
|
||||
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
|
||||
+
|
||||
+[Install]
|
||||
+WantedBy=multi-user.target
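Review bot: `After=network-online.target` without a matching `Wants=network-online.target` does not pull the target in, so the ordering has no effect unless something else activates it; add `Wants=network-online.target` under `[Unit]`. `syslog.target` has long been a no-op alias and can be dropped from `After=`. The unit applies no sandboxing; since slapd drops to `ldap` via `-u ldap` anyway, `PrivateTmp=yes`, `NoNewPrivileges=yes` and `ProtectSystem=yes` (not `full`, because `/etc/openldap/slapd.d` must stay writable for cn=config changes) are low-risk additions — check `PrivateTmp` against the `/tmp/openldap-tlsmc-*` directories the TLSMC layer uses.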
|
||||
diff --git a/stx-sources/slapd.sysconfig b/stx-sources/slapd.sysconfig
|
||||
new file mode 100644
|
||||
index 0000000..68091a5
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/slapd.sysconfig
|
||||
@@ -0,0 +1,15 @@
|
||||
+# OpenLDAP server configuration
|
||||
+# see 'man slapd' for additional information
|
||||
+
|
||||
+# Where the server will run (-h option)
|
||||
+# - ldapi:/// is required for on-the-fly configuration using client tools
|
||||
+# (use SASL with EXTERNAL mechanism for authentication)
|
||||
+# - default: ldapi:/// ldap:///
|
||||
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
|
||||
+SLAPD_URLS="ldapi:/// ldap:///"
|
||||
+
|
||||
+# Any custom options
|
||||
+#SLAPD_OPTIONS=""
|
||||
+
|
||||
+# Keytab location for GSSAPI Kerberos authentication
|
||||
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
|
||||
diff --git a/stx-sources/slapd.tmpfiles b/stx-sources/slapd.tmpfiles
|
||||
new file mode 100644
|
||||
index 0000000..56aa32e
|
||||
--- /dev/null
|
||||
+++ b/stx-sources/slapd.tmpfiles
|
||||
@@ -0,0 +1,2 @@
|
||||
+# openldap runtime directory for slapd.arg and slapd.pid
|
||||
+d /var/run/openldap 0755 ldap ldap -
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,775 @@
|
||||
From 26002bd1d02d871e3c0526f3a0b7b99e25f3564c Mon Sep 17 00:00:00 2001
|
||||
From: babak sarashki <babak.sarashki@windriver.com>
|
||||
Date: Tue, 5 Nov 2019 18:02:38 -0800
|
||||
Subject: [PATCH] ltb project openldap ppolicy check password 1.1
|
||||
|
||||
From stx 1901 openldap src RPM 2.4.44
|
||||
Upstream at https://github.com/ltb-project/openldap-ppolicy-check-password.git
|
||||
---
|
||||
.../INSTALL | 31 ++
|
||||
.../LICENSE | 50 ++
|
||||
.../Makefile | 48 ++
|
||||
.../README | 146 ++++++
|
||||
.../check_password.c | 447 ++++++++++++++++++
|
||||
5 files changed, 722 insertions(+)
|
||||
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
|
||||
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
|
||||
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/Makefile
|
||||
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/README
|
||||
create mode 100644 ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
|
||||
|
||||
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
|
||||
new file mode 100644
|
||||
index 0000000..eb2dab4
|
||||
--- /dev/null
|
||||
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/INSTALL
|
||||
@@ -0,0 +1,31 @@
|
||||
+INSTALLATION
|
||||
+============
|
||||
+
|
||||
+Build dependencies
|
||||
+------------------
|
||||
+cracklib header files (link with -lcrack). The Makefile does not look for
|
||||
+cracklib; you may need to provide the paths manually.
|
||||
+
|
||||
+Build
|
||||
+-----
|
||||
+Use the provided Makefile to build the module.
|
||||
+
|
||||
+Copy the resulting check_password.so into the OpenLDAP modulepath.
|
||||
+
|
||||
+Or, change the installation path to match with the OpenLDAP module path in the
|
||||
+Makefile and use 'make install'.
|
||||
+
|
||||
+
|
||||
+USAGE
|
||||
+=====
|
||||
+Add objectClass 'pwdPolicyChecker' with an attribute
|
||||
+
|
||||
+ pwdCheckModule: check_password.so
|
||||
+
|
||||
+to a password policy entry.
|
||||
+
|
||||
+The module depends on a working cracklib installation including wordlist files.
|
||||
+If the wordlist files are not readable, the cracklib check will be skipped
|
||||
+silently.
|
||||
+
|
||||
+But you can use this module without cracklib, just checks for syntatic checks.
|
||||
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
|
||||
new file mode 100644
|
||||
index 0000000..03f692b
|
||||
--- /dev/null
|
||||
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/LICENSE
|
||||
@@ -0,0 +1,50 @@
|
||||
+OpenLDAP Public License
|
||||
+
|
||||
+The OpenLDAP Public License
|
||||
+ Version 2.8.1, 25 November 2003
|
||||
+
|
||||
+Redistribution and use of this software and associated documentation
|
||||
+("Software"), with or without modification, are permitted provided
|
||||
+that the following conditions are met:
|
||||
+
|
||||
+1. Redistributions in source form must retain copyright statements
|
||||
+ and notices,
|
||||
+
|
||||
+2. Redistributions in binary form must reproduce applicable copyright
|
||||
+ statements and notices, this list of conditions, and the following
|
||||
+ disclaimer in the documentation and/or other materials provided
|
||||
+ with the distribution, and
|
||||
+
|
||||
+3. Redistributions must contain a verbatim copy of this document.
|
||||
+
|
||||
+The OpenLDAP Foundation may revise this license from time to time.
|
||||
+Each revision is distinguished by a version number. You may use
|
||||
+this Software under terms of this license revision or under the
|
||||
+terms of any subsequent revision of the license.
|
||||
+
|
||||
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
|
||||
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
|
||||
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
|
||||
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
|
||||
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||||
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
||||
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
+POSSIBILITY OF SUCH DAMAGE.
|
||||
+
|
||||
+The names of the authors and copyright holders must not be used in
|
||||
+advertising or otherwise to promote the sale, use or other dealing
|
||||
+in this Software without specific, written prior permission. Title
|
||||
+to copyright in this Software shall at all times remain with copyright
|
||||
+holders.
|
||||
+
|
||||
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
|
||||
+
|
||||
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
|
||||
+California, USA. All rights reserved. Permission to copy and
|
||||
+distribute verbatim copies of this document is granted.
|
||||
+
|
||||
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/Makefile b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile
|
||||
new file mode 100644
|
||||
index 0000000..91de40b
|
||||
--- /dev/null
|
||||
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/Makefile
|
||||
@@ -0,0 +1,48 @@
|
||||
+# contrib/slapd-modules/check_password/Makefile
|
||||
+# Copyright 2007 Michael Steinmann, Calivia. All Rights Reserved.
|
||||
+# Updated by Pierre-Yves Bonnetain, B&A Consultants, 2008
|
||||
+#
|
||||
+
|
||||
+CC=gcc
|
||||
+
|
||||
+# Where to look for the CrackLib dictionaries
|
||||
+#
|
||||
+CRACKLIB=/usr/share/cracklib/pw_dict
|
||||
+
|
||||
+# Path to the configuration file
|
||||
+#
|
||||
+CONFIG=/etc/openldap/check_password.conf
|
||||
+
|
||||
+CFLAGS+=-fpic \
|
||||
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
|
||||
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
|
||||
+ -DDEBUG
|
||||
+
|
||||
+LDAP_LIB=-lldap_r -llber
|
||||
+
|
||||
+# Comment out this line if you do NOT want to use the cracklib.
|
||||
+# You may have to add an -Ldirectory if the libcrak is not in a standard
|
||||
+# location
|
||||
+#
|
||||
+CRACKLIB_LIB=-lcrack
|
||||
+
|
||||
+LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
|
||||
+
|
||||
+LIBDIR=/usr/lib/openldap/
|
||||
+
|
||||
+
|
||||
+all: check_password
|
||||
+
|
||||
+check_password.o:
|
||||
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
|
||||
+
|
||||
+check_password: clean check_password.o
|
||||
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
|
||||
+
|
||||
+install: check_password
|
||||
+ cp -f check_password.so ../../../usr/lib/openldap/modules/
|
||||
+
|
||||
+clean:
|
||||
+ $(RM) check_password.o check_password.so check_password.lo
|
||||
+ $(RM) -r .libs
|
||||
+
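Review bot: `CFLAGS` defines `-DDEBUG` unconditionally, and the README states that with DEBUG the module `syslog()`s its actions; for a password-quality checker invoked on every password change, that means per-attempt detail reaching the system log in the shipped build. Confirm in `check_password.c` (not in this hunk) that nothing logged under DEBUG includes the candidate password or fragments of it, and make the flag opt-in, e.g. `DEBUG_FLAGS=` with `CFLAGS+=$(DEBUG_FLAGS)` and the user passing `DEBUG_FLAGS=-DDEBUG` when wanted. The `install` target copies to the relative path `../../../usr/lib/openldap/modules/` and ignores the `LIBDIR` variable defined above it; `cp -f check_password.so $(DESTDIR)$(LIBDIR)` makes the destination explicit and usable from a packaging recipe. `check_password: clean check_password.o` forces a full rebuild on every invocation and `LDAP_INC` is referenced but never defined — harmless, but misleading to whoever ports this next.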
|
||||
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/README b/ltb-project-openldap-ppolicy-check-password-1.1/README
|
||||
new file mode 100644
|
||||
index 0000000..10191c2
|
||||
--- /dev/null
|
||||
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/README
|
||||
@@ -0,0 +1,146 @@
|
||||
+
|
||||
+check_password.c - OpenLDAP pwdChecker library
|
||||
+
|
||||
+2007-06-06 Michael Steinmann <msl@calivia.com>
|
||||
+2008-01-30 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
|
||||
+2009 Clement Oudot <clem.oudot@gmail.com> - LTB-project
|
||||
+2009 Jerome HUET - LTB-project
|
||||
+
|
||||
+check_password.c is an OpenLDAP pwdPolicyChecker module used to check the
|
||||
+strength and quality of user-provided passwords.
|
||||
+
|
||||
+This module is used as an extension of the OpenLDAP password policy controls,
|
||||
+see slapo-ppolicy(5) section pwdCheckModule.
|
||||
+
|
||||
+check_password.c will run a number of checks on the passwords to ensure minimum
|
||||
+strength and quality requirements are met. Passwords that do not meet these
|
||||
+requirements are rejected.
|
||||
+
|
||||
+
|
||||
+Password checks
|
||||
+---------------
|
||||
+ - passwords shorter than 6 characters are rejected if cracklib is used (because
|
||||
+ cracklib WILL reject them).
|
||||
+
|
||||
+ - syntactic checks controls how many different character classes are used
|
||||
+ (lower, upper, digit and punctuation characters). The minimum number of
|
||||
+ classes is defined in a configuration file. You can set the minimum for each
|
||||
+ class.
|
||||
+
|
||||
+ - passwords are checked against cracklib if cracklib is enabled at compile
|
||||
+ time. It can be disabled in configuration file.
|
||||
+
|
||||
+INSTALLATION
|
||||
+------------
|
||||
+Use the provided Makefile to build the module.
|
||||
+
|
||||
+Compilation constants :
|
||||
+
|
||||
+CONFIG_FILE : Path to the configuration file.
|
||||
+ Defaults to /etc/openldap/check_password.conf
|
||||
+
|
||||
+DEBUG : If defined, check_password will syslog() its actions.
|
||||
+
|
||||
+Build dependencies
|
||||
+cracklib header files (link with -lcrack). The Makefile does not look for
|
||||
+cracklib; you may need to provide the paths manually.
|
||||
+
|
||||
+Install into the slapd server module path. Change the installation
|
||||
+path to match with the OpenLDAP module path in the Makefile.
|
||||
+
|
||||
+The module may be defined with slapd.conf parameter "modulepath".
|
||||
+
|
||||
+USAGE
|
||||
+-----
|
||||
+To use this module you need to add objectClass pwdPolicyChecker with an
|
||||
+attribute 'pwdCheckModule: check_password.so' to a password policy entry.
|
||||
+
|
||||
+The module depends on a working cracklib installation including wordlist files.
|
||||
+If the wordlist files are not readable, the cracklib check will be skipped
|
||||
+silently.
|
||||
+
|
||||
+Note: pwdPolicyChecker modules are loaded on *every* password change operation.
|
||||
+
|
||||
+Configuration
|
||||
+-------------
|
||||
+The configuration file (/etc/openldap/check_password.conf by default) contains
|
||||
+parameters for the module. If the file is not found, parameters are given their
|
||||
+default value.
|
||||
+
|
||||
+The syntax of the file is :
|
||||
+
|
||||
+parameter value
|
||||
+
|
||||
+with spaces being delimiters. Parameter names ARE case sensitive (this may
|
||||
+change in the future).
|
||||
+
|
||||
+Current parameters :
|
||||
+
|
||||
+- useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification.
|
||||
+ It has no effect if cracklib is not included at compile time.
|
||||
+
|
||||
+- minPoints: integer. Default value: 3. Minimum number of quality points a new
|
||||
+ password must have to be accepted. One quality point is awarded for each character
|
||||
+ class used in the password.
|
||||
+
|
||||
+- minUpper: integer. Defaut value: 0. Minimum upper characters expected.
|
||||
+
|
||||
+- minLower: integer. Defaut value: 0. Minimum lower characters expected.
|
||||
+
|
||||
+- minDigit: integer. Defaut value: 0. Minimum digit characters expected.
|
||||
+
|
||||
+- minPunct: integer. Defaut value: 0. Minimum punctuation characters expected.
|
||||
+
|
||||
+Logs
|
||||
+----
|
||||
+If a user password is rejected by an OpenLDAP pwdChecker module, the user will
|
||||
+*not* get a detailed error message, this is by design.
|
||||
+
|
||||
+Typical user message from ldappasswd(5):
|
||||
+ Result: Constraint violation (19)
|
||||
+ Additional info: Password fails quality checking policy
|
||||
+
|
||||
+A more detailed message is written to the server log.
|
||||
+
|
||||
+Server log:
|
||||
+ check_password_quality: module error: (check_password.so)
|
||||
+ Password for dn=".." does not pass required number of strength checks (2 of 3)
|
||||
+
|
||||
+
|
||||
+Caveats
|
||||
+-------
|
||||
+Runtime errors with this module (such as cracklib configuration problems) may
|
||||
+bring down the slapd process.
|
||||
+
|
||||
+Use at your own risk.
|
||||
+
|
||||
+
|
||||
+TODO
|
||||
+----
|
||||
+* use proper malloc function, see ITS#4998
|
||||
+
|
||||
+
|
||||
+HISTORY
|
||||
+-------
|
||||
+* 2009-10-30 Clement OUDOT - LTB-project
|
||||
+ Version 1.1
|
||||
+ - Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunct
|
||||
+
|
||||
+* 2009-02-05 Clement Oudot <clem.oudot@gmail.com> - LINAGORA Group
|
||||
+ Version 1.0.3
|
||||
+ - Add useCracklib parameter in config file (with help of Pascal Pejac)
|
||||
+ - Prefix log messages with "check_password: "
|
||||
+ - Log what character type is found for quality checking
|
||||
+
|
||||
+* 2008-01-31 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
|
||||
+ Version 1.0.2
|
||||
+ - Several bug fixes.
|
||||
+ - Add external config file
|
||||
+
|
||||
+* 2007-06-06 Michael Steinmann <msl@calivia.com>
|
||||
+ Version 1.0.1
|
||||
+ - add dn to error messages
|
||||
+
|
||||
+* 2007-06-02 Michael Steinmann <msl@calivia.com>
|
||||
+ Version 1.0
|
||||
+
|
||||
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
|
||||
new file mode 100644
|
||||
index 0000000..f4dd1cb
|
||||
--- /dev/null
|
||||
+++ b/ltb-project-openldap-ppolicy-check-password-1.1/check_password.c
|
||||
@@ -0,0 +1,447 @@
|
||||
+/*
|
||||
+ * check_password.c for OpenLDAP
|
||||
+ *
|
||||
+ * See LICENSE, README and INSTALL files
|
||||
+ */
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <ctype.h>
|
||||
+#include <portable.h>
|
||||
+#include <slap.h>
|
||||
+
|
||||
+#ifdef HAVE_CRACKLIB
|
||||
+#include <crack.h>
|
||||
+#endif
|
||||
+
|
||||
+#if defined(DEBUG)
|
||||
+#include <syslog.h>
|
||||
+#endif
|
||||
+
|
||||
+#ifndef CRACKLIB_DICTPATH
|
||||
+#define CRACKLIB_DICTPATH "/usr/share/cracklib/pw_dict"
|
||||
+#endif
|
||||
+
|
||||
+#ifndef CONFIG_FILE
|
||||
+#define CONFIG_FILE "/etc/openldap/check_password.conf"
|
||||
+#endif
|
||||
+
|
||||
+#define DEFAULT_QUALITY 3
|
||||
+#define DEFAULT_CRACKLIB 1
|
||||
+#define MEMORY_MARGIN 50
|
||||
+#define MEM_INIT_SZ 64
|
||||
+#define FILENAME_MAXLEN 512
|
||||
+
|
||||
+#define PASSWORD_TOO_SHORT_SZ \
|
||||
+ "Password for dn=\"%s\" is too short (%d/6)"
|
||||
+#define PASSWORD_QUALITY_SZ \
|
||||
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
|
||||
+#define BAD_PASSWORD_SZ \
|
||||
+ "Bad password for dn=\"%s\" because %s"
|
||||
+#define UNKNOWN_ERROR_SZ \
|
||||
+ "An unknown error occurred, please see your systems administrator"
|
||||
+
|
||||
+typedef int (*validator) (char*);
|
||||
+static int read_config_file ();
|
||||
+static validator valid_word (char *);
|
||||
+static int set_quality (char *);
|
||||
+static int set_cracklib (char *);
|
||||
+
|
||||
+int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
|
||||
+
|
||||
+struct config_entry {
|
||||
+ char* key;
|
||||
+ char* value;
|
||||
+ char* def_value;
|
||||
+} config_entries[] = { { "minPoints", NULL, "3"},
|
||||
+ { "useCracklib", NULL, "1"},
|
||||
+ { "minUpper", NULL, "0"},
|
||||
+ { "minLower", NULL, "0"},
|
||||
+ { "minDigit", NULL, "0"},
|
||||
+ { "minPunct", NULL, "0"},
|
||||
+ { NULL, NULL, NULL }};
|
||||
+
|
||||
+int get_config_entry_int(char* entry) {
|
||||
+ struct config_entry* centry = config_entries;
|
||||
+
|
||||
+ int i = 0;
|
||||
+ char* key = centry[i].key;
|
||||
+ while (key != NULL) {
|
||||
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
|
||||
+ if ( centry[i].value == NULL ) {
|
||||
+ return atoi(centry[i].def_value);
|
||||
+ }
|
||||
+ else {
|
||||
+ return atoi(centry[i].value);
|
||||
+ }
|
||||
+ }
|
||||
+ i++;
|
||||
+ key = centry[i].key;
|
||||
+ }
|
||||
+
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+void dealloc_config_entries() {
|
||||
+ struct config_entry* centry = config_entries;
|
||||
+
|
||||
+ int i = 0;
|
||||
+ while (centry[i].key != NULL) {
|
||||
+ if ( centry[i].value != NULL ) {
|
||||
+ ber_memfree(centry[i].value);
|
||||
+ }
|
||||
+ i++;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+char* chomp(char *s)
|
||||
+{
|
||||
+ char* t = ber_memalloc(strlen(s)+1);
|
||||
+ strncpy (t,s,strlen(s)+1);
|
||||
+
|
||||
+ if ( t[strlen(t)-1] == '\n' ) {
|
||||
+ t[strlen(t)-1] = '\0';
|
||||
+ }
|
||||
+
|
||||
+ return t;
|
||||
+}
|
||||
+
|
||||
+static int set_quality (char *value)
|
||||
+{
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
|
||||
+#endif
|
||||
+
|
||||
+ /* No need to require more quality than we can check for. */
|
||||
+ if (!isdigit(*value) || (int) (value[0] - '0') > 4) return DEFAULT_QUALITY;
|
||||
+ return (int) (value[0] - '0');
|
||||
+
|
||||
+}
|
||||
+
|
||||
+static int set_cracklib (char *value)
|
||||
+{
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
+ return (int) (value[0] - '0');
|
||||
+
|
||||
+}
|
||||
+
|
||||
+static int set_digit (char *value)
|
||||
+{
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
|
||||
+#endif
|
||||
+ if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
|
||||
+ return (int) (value[0] - '0');
|
||||
+}
|
||||
+
|
||||
+static validator valid_word (char *word)
|
||||
+{
|
||||
+ struct {
|
||||
+ char * parameter;
|
||||
+ validator dealer;
|
||||
+ } list[] = { { "minPoints", set_quality },
|
||||
+ { "useCracklib", set_cracklib },
|
||||
+ { "minUpper", set_digit },
|
||||
+ { "minLower", set_digit },
|
||||
+ { "minDigit", set_digit },
|
||||
+ { "minPunct", set_digit },
|
||||
+ { NULL, NULL } };
|
||||
+ int index = 0;
|
||||
+
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
|
||||
+#endif
|
||||
+
|
||||
+ while (list[index].parameter != NULL) {
|
||||
+ if (strlen(word) == strlen(list[index].parameter) &&
|
||||
+ strcmp(list[index].parameter, word) == 0) {
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Parameter accepted.");
|
||||
+#endif
|
||||
+ return list[index].dealer;
|
||||
+ }
|
||||
+ index++;
|
||||
+ }
|
||||
+
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Parameter rejected.");
|
||||
+#endif
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+static int read_config_file ()
|
||||
+{
|
||||
+ FILE * config;
|
||||
+ char * line;
|
||||
+ int returnValue = -1;
|
||||
+
|
||||
+ line = ber_memcalloc(260, sizeof(char));
|
||||
+
|
||||
+ if ( line == NULL ) {
|
||||
+ return returnValue;
|
||||
+ }
|
||||
+
|
||||
+ if ( (config = fopen(CONFIG_FILE, "r")) == NULL) {
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_ERR, "check_password: Opening file %s failed", CONFIG_FILE);
|
||||
+#endif
|
||||
+
|
||||
+ ber_memfree(line);
|
||||
+ return returnValue;
|
||||
+ }
|
||||
+
|
||||
+ returnValue = 0;
|
||||
+
|
||||
+ while (fgets(line, 256, config) != NULL) {
|
||||
+ char *start = line;
|
||||
+ char *word, *value;
|
||||
+ validator dealer;
|
||||
+
|
||||
+#if defined(DEBUG)
|
||||
+ /* Debug traces to syslog. */
|
||||
+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
|
||||
+#endif
|
||||
+
|
||||
+ while (isspace(*start) && isascii(*start)) start++;
|
||||
+
|
||||
+ /* If we've got punctuation, just skip the line. */
|
||||
+ if ( ispunct(*start)) {
|
||||
+#if defined(DEBUG)
|
||||
+ /* Debug traces to syslog. */
|
||||
+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
|
||||
+#endif
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if( isascii(*start)) {
|
||||
+
|
||||
+ struct config_entry* centry = config_entries;
|
||||
+ int i = 0;
|
||||
+ char* keyWord = centry[i].key;
|
||||
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
|
||||
+ while ( keyWord != NULL ) {
|
||||
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
|
||||
+
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
|
||||
+#endif
|
||||
+
|
||||
+ centry[i].value = chomp(value);
|
||||
+ break;
|
||||
+ }
|
||||
+ i++;
|
||||
+ keyWord = centry[i].key;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(config);
|
||||
+ ber_memfree(line);
|
||||
+
|
||||
+ return returnValue;
|
||||
+}
|
||||
+
|
||||
+static int realloc_error_message (char ** target, int curlen, int nextlen)
|
||||
+{
|
||||
+ if (curlen < nextlen + MEMORY_MARGIN) {
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
|
||||
+ curlen, nextlen + MEMORY_MARGIN);
|
||||
+#endif
|
||||
+ ber_memfree(*target);
|
||||
+ curlen = nextlen + MEMORY_MARGIN;
|
||||
+ *target = (char *) ber_memalloc(curlen);
|
||||
+ }
|
||||
+
|
||||
+ return curlen;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
||||
+{
|
||||
+
|
||||
+ char *szErrStr = (char *) ber_memalloc(MEM_INIT_SZ);
|
||||
+ int mem_len = MEM_INIT_SZ;
|
||||
+
|
||||
+ int nLen;
|
||||
+ int nLower = 0;
|
||||
+ int nUpper = 0;
|
||||
+ int nDigit = 0;
|
||||
+ int nPunct = 0;
|
||||
+ int minLower = 0;
|
||||
+ int minUpper = 0;
|
||||
+ int minDigit = 0;
|
||||
+ int minPunct = 0;
|
||||
+ int nQuality = 0;
|
||||
+ int i;
|
||||
+
|
||||
+ /* Set a sensible default to keep original behaviour. */
|
||||
+ int minQuality = DEFAULT_QUALITY;
|
||||
+ int useCracklib = DEFAULT_CRACKLIB;
|
||||
+
|
||||
+ /** bail out early as cracklib will reject passwords shorter
|
||||
+ * than 6 characters
|
||||
+ */
|
||||
+
|
||||
+ nLen = strlen (pPasswd);
|
||||
+ if ( nLen < 6) {
|
||||
+ mem_len = realloc_error_message(&szErrStr, mem_len,
|
||||
+ strlen(PASSWORD_TOO_SHORT_SZ) +
|
||||
+ strlen(pEntry->e_name.bv_val) + 1);
|
||||
+ sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (read_config_file() == -1) {
|
||||
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
|
||||
+ }
|
||||
+
|
||||
+ minQuality = get_config_entry_int("minPoints");
|
||||
+ useCracklib = get_config_entry_int("useCracklib");
|
||||
+ minUpper = get_config_entry_int("minUpper");
|
||||
+ minLower = get_config_entry_int("minLower");
|
||||
+ minDigit = get_config_entry_int("minDigit");
|
||||
+ minPunct = get_config_entry_int("minPunct");
|
||||
+
|
||||
+ /** The password must have at least minQuality strength points with one
|
||||
+ * point for the first occurrance of a lower, upper, digit and
|
||||
+ * punctuation character
|
||||
+ */
|
||||
+
|
||||
+ for ( i = 0; i < nLen; i++ ) {
|
||||
+
|
||||
+ if ( islower (pPasswd[i]) ) {
|
||||
+ minLower--;
|
||||
+ if ( !nLower && (minLower < 1)) {
|
||||
+ nLower = 1; nQuality++;
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
|
||||
+#endif
|
||||
+ }
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if ( isupper (pPasswd[i]) ) {
|
||||
+ minUpper--;
|
||||
+ if ( !nUpper && (minUpper < 1)) {
|
||||
+ nUpper = 1; nQuality++;
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
|
||||
+#endif
|
||||
+ }
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if ( isdigit (pPasswd[i]) ) {
|
||||
+ minDigit--;
|
||||
+ if ( !nDigit && (minDigit < 1)) {
|
||||
+ nDigit = 1; nQuality++;
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
|
||||
+#endif
|
||||
+ }
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if ( ispunct (pPasswd[i]) ) {
|
||||
+ minPunct--;
|
||||
+ if ( !nPunct && (minPunct < 1)) {
|
||||
+ nPunct = 1; nQuality++;
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
|
||||
+#endif
|
||||
+ }
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If you have a required field, then it should be required in the strength
|
||||
+ * checks.
|
||||
+ */
|
||||
+
|
||||
+ if (
|
||||
+ (minLower > 0 ) ||
|
||||
+ (minUpper > 0 ) ||
|
||||
+ (minDigit > 0 ) ||
|
||||
+ (minPunct > 0 ) ||
|
||||
+ (nQuality < minQuality)
|
||||
+ ) {
|
||||
+ mem_len = realloc_error_message(&szErrStr, mem_len,
|
||||
+ strlen(PASSWORD_QUALITY_SZ) +
|
||||
+ strlen(pEntry->e_name.bv_val) + 2);
|
||||
+ sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
|
||||
+ nQuality, minQuality);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+#ifdef HAVE_CRACKLIB
|
||||
+
|
||||
+ /** Check password with cracklib */
|
||||
+
|
||||
+ if ( useCracklib > 0 ) {
|
||||
+ int j = 0;
|
||||
+ FILE* fp;
|
||||
+ char filename[FILENAME_MAXLEN];
|
||||
+ char const* ext[] = { "hwm", "pwd", "pwi" };
|
||||
+ int nErr = 0;
|
||||
+
|
||||
+ /**
|
||||
+ * Silently fail when cracklib wordlist is not found
|
||||
+ */
|
||||
+
|
||||
+ for ( j = 0; j < 3; j++ ) {
|
||||
+
|
||||
+ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
|
||||
+ CRACKLIB_DICTPATH, ext[j]);
|
||||
+
|
||||
+ if (( fp = fopen ( filename, "r")) == NULL ) {
|
||||
+
|
||||
+ nErr = 1;
|
||||
+ break;
|
||||
+
|
||||
+ } else {
|
||||
+
|
||||
+ fclose (fp);
|
||||
+
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ char *r;
|
||||
+ if ( nErr == 0) {
|
||||
+
|
||||
+ r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
|
||||
+ if ( r != NULL ) {
|
||||
+ mem_len = realloc_error_message(&szErrStr, mem_len,
|
||||
+ strlen(BAD_PASSWORD_SZ) +
|
||||
+ strlen(pEntry->e_name.bv_val) +
|
||||
+ strlen(r));
|
||||
+ sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ else {
|
||||
+#if defined(DEBUG)
|
||||
+ syslog(LOG_NOTICE, "check_password: Cracklib verification disabled by configuration");
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+#endif
|
||||
+ dealloc_config_entries();
|
||||
+ *ppErrStr = strdup ("");
|
||||
+ ber_memfree(szErrStr);
|
||||
+ return (LDAP_SUCCESS);
|
||||
+
|
||||
+fail:
|
||||
+ dealloc_config_entries();
|
||||
+ *ppErrStr = strdup (szErrStr);
|
||||
+ ber_memfree(szErrStr);
|
||||
+ return (EXIT_FAILURE);
|
||||
+
|
||||
+}
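Review bot: `dealloc_config_entries()` frees `centry[i].value` but never clears the pointer, and `check_password()` calls it on both exit paths, so on the next password change any key that `read_config_file()` does not re-assign (absent from the file, or the file no longer readable) is read by `get_config_entry_int()` through a dangling pointer and then freed a second time; the fix is `ber_memfree(centry[i].value); centry[i].value = NULL;`. The validators returned by `valid_word()` are never invoked: `dealer` is assigned in `read_config_file()` and then ignored, the raw token is stored via `chomp()`, and `get_config_entry_int()` converts it with `atoi`, so the bounds in `set_quality`/`set_digit` are dead code and a line such as `minPoints 0` or a negative value silently disables the strength check. Either store `(*dealer)(value)` or range-check in `get_config_entry_int()`, and log values that are rejected. The `syslog(LOG_ERR, ...)` after the `read_config_file()` call sits outside any `#if defined(DEBUG)` guard while `<syslog.h>` is only included under that guard, so a build without `-DDEBUG` fails on an implicit declaration. `config_entries` is a mutated global with no locking; slapd is threaded, so concurrent password changes presumably race on it — worth confirming.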
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,124 +0,0 @@
|
||||
Correct log levels in check_password module.
|
||||
|
||||
Author: Matus Honek <mhonek@redhat.com>
|
||||
Resolves: #1356158
|
||||
|
||||
diff --git a/check_password.c b/check_password.c
|
||||
--- a/check_password.c
|
||||
+++ b/check_password.c
|
||||
@@ -108,7 +108,7 @@ char* chomp(char *s)
|
||||
static int set_quality (char *value)
|
||||
{
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value);
|
||||
+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
|
||||
#endif
|
||||
|
||||
/* No need to require more quality than we can check for. */
|
||||
@@ -120,7 +120,7 @@ static int set_quality (char *value)
|
||||
static int set_cracklib (char *value)
|
||||
{
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value);
|
||||
+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
|
||||
#endif
|
||||
|
||||
|
||||
@@ -131,7 +131,7 @@ static int set_cracklib (char *value)
|
||||
static int set_digit (char *value)
|
||||
{
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value);
|
||||
+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
|
||||
#endif
|
||||
if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
|
||||
return (int) (value[0] - '0');
|
||||
@@ -152,14 +152,14 @@ static validator valid_word (char *word)
|
||||
int index = 0;
|
||||
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word);
|
||||
+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
|
||||
#endif
|
||||
|
||||
while (list[index].parameter != NULL) {
|
||||
if (strlen(word) == strlen(list[index].parameter) &&
|
||||
strcmp(list[index].parameter, word) == 0) {
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Parameter accepted.");
|
||||
+ syslog(LOG_DEBUG, "check_password: Parameter accepted.");
|
||||
#endif
|
||||
return list[index].dealer;
|
||||
}
|
||||
@@ -167,7 +167,7 @@ static validator valid_word (char *word)
|
||||
}
|
||||
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Parameter rejected.");
|
||||
+ syslog(LOG_DEBUG, "check_password: Parameter rejected.");
|
||||
#endif
|
||||
|
||||
return NULL;
|
||||
@@ -203,7 +203,7 @@ static int read_config_file ()
|
||||
|
||||
#if defined(DEBUG)
|
||||
/* Debug traces to syslog. */
|
||||
- syslog(LOG_NOTICE, "check_password: Got line |%s|", line);
|
||||
+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
|
||||
#endif
|
||||
|
||||
while (isspace(*start) && isascii(*start)) start++;
|
||||
@@ -212,7 +212,7 @@ static int read_config_file ()
|
||||
if ( ispunct(*start)) {
|
||||
#if defined(DEBUG)
|
||||
/* Debug traces to syslog. */
|
||||
- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
|
||||
+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
|
||||
#endif
|
||||
continue;
|
||||
}
|
||||
@@ -227,7 +227,7 @@ static int read_config_file ()
|
||||
if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
|
||||
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
|
||||
+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
|
||||
#endif
|
||||
|
||||
centry[i].value = chomp(value);
|
||||
@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
||||
if ( !nLower && (minLower < 1)) {
|
||||
nLower = 1; nQuality++;
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality);
|
||||
+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
|
||||
#endif
|
||||
}
|
||||
continue;
|
||||
@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
||||
if ( !nUpper && (minUpper < 1)) {
|
||||
nUpper = 1; nQuality++;
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality);
|
||||
+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
|
||||
#endif
|
||||
}
|
||||
continue;
|
||||
@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
||||
if ( !nDigit && (minDigit < 1)) {
|
||||
nDigit = 1; nQuality++;
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality);
|
||||
+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
|
||||
#endif
|
||||
}
|
||||
continue;
|
||||
@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
||||
if ( !nPunct && (minPunct < 1)) {
|
||||
nPunct = 1; nQuality++;
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality);
|
||||
+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
|
||||
#endif
|
||||
}
|
||||
continue;
|
@ -1,41 +0,0 @@
|
||||
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
|
||||
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
|
||||
@@ -13,22 +13,11 @@
|
||||
#
|
||||
CONFIG=/etc/openldap/check_password.conf
|
||||
|
||||
-OPT=-g -O2 -Wall -fpic \
|
||||
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
|
||||
- -DCONFIG_FILE="\"$(CONFIG)\"" \
|
||||
+CFLAGS+=-fpic \
|
||||
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
|
||||
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
|
||||
-DDEBUG
|
||||
|
||||
-# Where to find the OpenLDAP headers.
|
||||
-#
|
||||
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
|
||||
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
|
||||
-
|
||||
-# Where to find the CrackLib headers.
|
||||
-#
|
||||
-CRACK_INC=
|
||||
-
|
||||
-INCS=$(LDAP_INC) $(CRACK_INC)
|
||||
-
|
||||
LDAP_LIB=-lldap_r -llber
|
||||
|
||||
# Comment out this line if you do NOT want to use the cracklib.
|
||||
@@ -45,10 +34,10 @@
|
||||
all: check_password
|
||||
|
||||
check_password.o:
|
||||
- $(CC) $(OPT) -c $(INCS) check_password.c
|
||||
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
|
||||
|
||||
check_password: clean check_password.o
|
||||
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
|
||||
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
|
||||
|
||||
install: check_password
|
||||
cp -f check_password.so ../../../usr/lib/openldap/modules/
|
@ -1,321 +0,0 @@
|
||||
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
|
||||
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
|
||||
@@ -10,7 +10,7 @@
|
||||
#include <slap.h>
|
||||
|
||||
#ifdef HAVE_CRACKLIB
|
||||
-#include "crack.h"
|
||||
+#include <crack.h>
|
||||
#endif
|
||||
|
||||
#if defined(DEBUG)
|
||||
@@ -34,18 +34,77 @@
|
||||
#define PASSWORD_TOO_SHORT_SZ \
|
||||
"Password for dn=\"%s\" is too short (%d/6)"
|
||||
#define PASSWORD_QUALITY_SZ \
|
||||
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
|
||||
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
|
||||
#define BAD_PASSWORD_SZ \
|
||||
"Bad password for dn=\"%s\" because %s"
|
||||
+#define UNKNOWN_ERROR_SZ \
|
||||
+ "An unknown error occurred, please see your systems administrator"
|
||||
|
||||
typedef int (*validator) (char*);
|
||||
-static int read_config_file (char *);
|
||||
+static int read_config_file ();
|
||||
static validator valid_word (char *);
|
||||
static int set_quality (char *);
|
||||
static int set_cracklib (char *);
|
||||
|
||||
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
|
||||
|
||||
+struct config_entry {
|
||||
+ char* key;
|
||||
+ char* value;
|
||||
+ char* def_value;
|
||||
+} config_entries[] = { { "minPoints", NULL, "3"},
|
||||
+ { "useCracklib", NULL, "1"},
|
||||
+ { "minUpper", NULL, "0"},
|
||||
+ { "minLower", NULL, "0"},
|
||||
+ { "minDigit", NULL, "0"},
|
||||
+ { "minPunct", NULL, "0"},
|
||||
+ { NULL, NULL, NULL }};
|
||||
+
|
||||
+int get_config_entry_int(char* entry) {
|
||||
+ struct config_entry* centry = config_entries;
|
||||
+
|
||||
+ int i = 0;
|
||||
+ char* key = centry[i].key;
|
||||
+ while (key != NULL) {
|
||||
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
|
||||
+ if ( centry[i].value == NULL ) {
|
||||
+ return atoi(centry[i].def_value);
|
||||
+ }
|
||||
+ else {
|
||||
+ return atoi(centry[i].value);
|
||||
+ }
|
||||
+ }
|
||||
+ i++;
|
||||
+ key = centry[i].key;
|
||||
+ }
|
||||
+
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+void dealloc_config_entries() {
|
||||
+ struct config_entry* centry = config_entries;
|
||||
+
|
||||
+ int i = 0;
|
||||
+ while (centry[i].key != NULL) {
|
||||
+ if ( centry[i].value != NULL ) {
|
||||
+ ber_memfree(centry[i].value);
|
||||
+ }
|
||||
+ i++;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+char* chomp(char *s)
|
||||
+{
|
||||
+ char* t = ber_memalloc(strlen(s)+1);
|
||||
+ strncpy (t,s,strlen(s)+1);
|
||||
+
|
||||
+ if ( t[strlen(t)-1] == '\n' ) {
|
||||
+ t[strlen(t)-1] = '\0';
|
||||
+ }
|
||||
+
|
||||
+ return t;
|
||||
+}
|
||||
+
|
||||
static int set_quality (char *value)
|
||||
{
|
||||
#if defined(DEBUG)
|
||||
@@ -84,12 +143,12 @@
|
||||
char * parameter;
|
||||
validator dealer;
|
||||
} list[] = { { "minPoints", set_quality },
|
||||
- { "useCracklib", set_cracklib },
|
||||
- { "minUpper", set_digit },
|
||||
- { "minLower", set_digit },
|
||||
- { "minDigit", set_digit },
|
||||
- { "minPunct", set_digit },
|
||||
- { NULL, NULL } };
|
||||
+ { "useCracklib", set_cracklib },
|
||||
+ { "minUpper", set_digit },
|
||||
+ { "minLower", set_digit },
|
||||
+ { "minDigit", set_digit },
|
||||
+ { "minPunct", set_digit },
|
||||
+ { NULL, NULL } };
|
||||
int index = 0;
|
||||
|
||||
#if defined(DEBUG)
|
||||
@@ -98,7 +157,7 @@
|
||||
|
||||
while (list[index].parameter != NULL) {
|
||||
if (strlen(word) == strlen(list[index].parameter) &&
|
||||
- strcmp(list[index].parameter, word) == 0) {
|
||||
+ strcmp(list[index].parameter, word) == 0) {
|
||||
#if defined(DEBUG)
|
||||
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
|
||||
#endif
|
||||
@@ -114,13 +173,15 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static int read_config_file (char *keyWord)
|
||||
+static int read_config_file ()
|
||||
{
|
||||
FILE * config;
|
||||
char * line;
|
||||
int returnValue = -1;
|
||||
|
||||
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
|
||||
+ line = ber_memcalloc(260, sizeof(char));
|
||||
+
|
||||
+ if ( line == NULL ) {
|
||||
return returnValue;
|
||||
}
|
||||
|
||||
@@ -133,6 +194,8 @@
|
||||
return returnValue;
|
||||
}
|
||||
|
||||
+ returnValue = 0;
|
||||
+
|
||||
while (fgets(line, 256, config) != NULL) {
|
||||
char *start = line;
|
||||
char *word, *value;
|
||||
@@ -145,23 +208,40 @@
|
||||
|
||||
while (isspace(*start) && isascii(*start)) start++;
|
||||
|
||||
- if (! isascii(*start))
|
||||
+ /* If we've got punctuation, just skip the line. */
|
||||
+ if ( ispunct(*start)) {
|
||||
+#if defined(DEBUG)
|
||||
+ /* Debug traces to syslog. */
|
||||
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
|
||||
+#endif
|
||||
continue;
|
||||
+ }
|
||||
|
||||
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
|
||||
- if ((value = strtok(NULL, " \t")) == NULL)
|
||||
- continue;
|
||||
+ if( isascii(*start)) {
|
||||
+
|
||||
+ struct config_entry* centry = config_entries;
|
||||
+ int i = 0;
|
||||
+ char* keyWord = centry[i].key;
|
||||
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
|
||||
+ while ( keyWord != NULL ) {
|
||||
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
|
||||
|
||||
#if defined(DEBUG)
|
||||
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
|
||||
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
|
||||
#endif
|
||||
|
||||
- returnValue = (*dealer)(value);
|
||||
+ centry[i].value = chomp(value);
|
||||
+ break;
|
||||
+ }
|
||||
+ i++;
|
||||
+ keyWord = centry[i].key;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
-
|
||||
fclose(config);
|
||||
ber_memfree(line);
|
||||
+
|
||||
return returnValue;
|
||||
}
|
||||
|
||||
@@ -170,7 +250,7 @@
|
||||
if (curlen < nextlen + MEMORY_MARGIN) {
|
||||
#if defined(DEBUG)
|
||||
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
|
||||
- curlen, nextlen + MEMORY_MARGIN);
|
||||
+ curlen, nextlen + MEMORY_MARGIN);
|
||||
#endif
|
||||
ber_memfree(*target);
|
||||
curlen = nextlen + MEMORY_MARGIN;
|
||||
@@ -180,7 +260,7 @@
|
||||
return curlen;
|
||||
}
|
||||
|
||||
- int
|
||||
+int
|
||||
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
||||
{
|
||||
|
||||
@@ -210,20 +290,22 @@
|
||||
nLen = strlen (pPasswd);
|
||||
if ( nLen < 6) {
|
||||
mem_len = realloc_error_message(&szErrStr, mem_len,
|
||||
- strlen(PASSWORD_TOO_SHORT_SZ) +
|
||||
- strlen(pEntry->e_name.bv_val) + 1);
|
||||
+ strlen(PASSWORD_TOO_SHORT_SZ) +
|
||||
+ strlen(pEntry->e_name.bv_val) + 1);
|
||||
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- /* Read config file */
|
||||
- minQuality = read_config_file("minPoints");
|
||||
+ if (read_config_file() == -1) {
|
||||
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
|
||||
+ }
|
||||
|
||||
- useCracklib = read_config_file("useCracklib");
|
||||
- minUpper = read_config_file("minUpper");
|
||||
- minLower = read_config_file("minLower");
|
||||
- minDigit = read_config_file("minDigit");
|
||||
- minPunct = read_config_file("minPunct");
|
||||
+ minQuality = get_config_entry_int("minPoints");
|
||||
+ useCracklib = get_config_entry_int("useCracklib");
|
||||
+ minUpper = get_config_entry_int("minUpper");
|
||||
+ minLower = get_config_entry_int("minLower");
|
||||
+ minDigit = get_config_entry_int("minDigit");
|
||||
+ minPunct = get_config_entry_int("minPunct");
|
||||
|
||||
/** The password must have at least minQuality strength points with one
|
||||
* point for the first occurrance of a lower, upper, digit and
|
||||
@@ -232,8 +314,6 @@
|
||||
|
||||
for ( i = 0; i < nLen; i++ ) {
|
||||
|
||||
- if ( nQuality >= minQuality ) break;
|
||||
-
|
||||
if ( islower (pPasswd[i]) ) {
|
||||
minLower--;
|
||||
if ( !nLower && (minLower < 1)) {
|
||||
@@ -279,12 +359,23 @@
|
||||
}
|
||||
}
|
||||
|
||||
- if ( nQuality < minQuality ) {
|
||||
+ /*
|
||||
+ * If you have a required field, then it should be required in the strength
|
||||
+ * checks.
|
||||
+ */
|
||||
+
|
||||
+ if (
|
||||
+ (minLower > 0 ) ||
|
||||
+ (minUpper > 0 ) ||
|
||||
+ (minDigit > 0 ) ||
|
||||
+ (minPunct > 0 ) ||
|
||||
+ (nQuality < minQuality)
|
||||
+ ) {
|
||||
mem_len = realloc_error_message(&szErrStr, mem_len,
|
||||
- strlen(PASSWORD_QUALITY_SZ) +
|
||||
- strlen(pEntry->e_name.bv_val) + 2);
|
||||
+ strlen(PASSWORD_QUALITY_SZ) +
|
||||
+ strlen(pEntry->e_name.bv_val) + 2);
|
||||
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
|
||||
- nQuality, minQuality);
|
||||
+ nQuality, minQuality);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
@@ -306,7 +397,7 @@
|
||||
for ( j = 0; j < 3; j++ ) {
|
||||
|
||||
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
|
||||
- CRACKLIB_DICTPATH, ext[j]);
|
||||
+ CRACKLIB_DICTPATH, ext[j]);
|
||||
|
||||
if (( fp = fopen ( filename, "r")) == NULL ) {
|
||||
|
||||
@@ -326,9 +417,9 @@
|
||||
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
|
||||
if ( r != NULL ) {
|
||||
mem_len = realloc_error_message(&szErrStr, mem_len,
|
||||
- strlen(BAD_PASSWORD_SZ) +
|
||||
- strlen(pEntry->e_name.bv_val) +
|
||||
- strlen(r));
|
||||
+ strlen(BAD_PASSWORD_SZ) +
|
||||
+ strlen(pEntry->e_name.bv_val) +
|
||||
+ strlen(r));
|
||||
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
|
||||
goto fail;
|
||||
}
|
||||
@@ -342,15 +433,15 @@
|
||||
}
|
||||
|
||||
#endif
|
||||
-
|
||||
+ dealloc_config_entries();
|
||||
*ppErrStr = strdup ("");
|
||||
ber_memfree(szErrStr);
|
||||
return (LDAP_SUCCESS);
|
||||
|
||||
fail:
|
||||
+ dealloc_config_entries();
|
||||
*ppErrStr = strdup (szErrStr);
|
||||
ber_memfree(szErrStr);
|
||||
return (EXIT_FAILURE);
|
||||
|
||||
}
|
||||
-
|
@ -1,219 +0,0 @@
|
||||
commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8
|
||||
Author: Ben Jencks <ben@bjencks.net>
|
||||
Date: Sun Jan 27 18:27:03 2013 -0500
|
||||
|
||||
ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage.
|
||||
|
||||
If a DHParamFile or olcDHParamFile is specified, then it will be used,
|
||||
otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
|
||||
larger parameters; previously only 512 or 1024 bit parameters would ever be
|
||||
used.
|
||||
|
||||
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||
index 48ce1ceab..c6a3540c9 100644
|
||||
--- a/libraries/libldap/tls_o.c
|
||||
+++ b/libraries/libldap/tls_o.c
|
||||
@@ -59,15 +59,13 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
|
||||
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
|
||||
static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
|
||||
|
||||
-static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length );
|
||||
-
|
||||
-typedef struct dhplist {
|
||||
- struct dhplist *next;
|
||||
- int keylength;
|
||||
- DH *param;
|
||||
-} dhplist;
|
||||
-
|
||||
-static dhplist *tlso_dhparams;
|
||||
+/* From the OpenSSL 0.9.7 distro */
|
||||
+static const char tlso_dhpem1024[] =
|
||||
+"-----BEGIN DH PARAMETERS-----\n\
|
||||
+MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
|
||||
+/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
|
||||
+/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
|
||||
+-----END DH PARAMETERS-----\n";
|
||||
|
||||
static int tlso_seed_PRNG( const char *randfile );
|
||||
|
||||
@@ -76,7 +74,6 @@ static int tlso_seed_PRNG( const char *randfile );
|
||||
* provide mutexes for the OpenSSL library.
|
||||
*/
|
||||
static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS];
|
||||
-static ldap_pvt_thread_mutex_t tlso_dh_mutex;
|
||||
|
||||
static void tlso_locking_cb( int mode, int type, const char *file, int line )
|
||||
{
|
||||
@@ -107,7 +104,6 @@ static void tlso_thr_init( void )
|
||||
for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) {
|
||||
ldap_pvt_thread_mutex_init( &tlso_mutexes[i] );
|
||||
}
|
||||
- ldap_pvt_thread_mutex_init( &tlso_dh_mutex );
|
||||
CRYPTO_set_locking_callback( tlso_locking_cb );
|
||||
CRYPTO_set_id_callback( tlso_thread_self );
|
||||
}
|
||||
@@ -308,28 +304,32 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if ( lo->ldo_tls_dhfile ) {
|
||||
+ if (is_server) {
|
||||
DH *dh = NULL;
|
||||
BIO *bio;
|
||||
- dhplist *p;
|
||||
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
|
||||
+ if ( lo->ldo_tls_dhfile ) {
|
||||
|
||||
- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
|
||||
+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
|
||||
+ Debug( LDAP_DEBUG_ANY,
|
||||
+ "TLS: could not use DH parameters file `%s'.\n",
|
||||
+ lo->ldo_tls_dhfile,0,0);
|
||||
+ tlso_report_error();
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
|
||||
+ }
|
||||
+ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
- "TLS: could not use DH parameters file `%s'.\n",
|
||||
+ "TLS: could not read DH parameters file `%s'.\n",
|
||||
lo->ldo_tls_dhfile,0,0);
|
||||
tlso_report_error();
|
||||
+ BIO_free( bio );
|
||||
return -1;
|
||||
}
|
||||
- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
|
||||
- p = LDAP_MALLOC( sizeof(dhplist) );
|
||||
- if ( p != NULL ) {
|
||||
- p->keylength = DH_size( dh ) * 8;
|
||||
- p->param = dh;
|
||||
- p->next = tlso_dhparams;
|
||||
- tlso_dhparams = p;
|
||||
- }
|
||||
- }
|
||||
BIO_free( bio );
|
||||
+ SSL_CTX_set_tmp_dh( ctx, dh );
|
||||
}
|
||||
|
||||
if ( tlso_opt_trace ) {
|
||||
@@ -349,9 +349,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
|
||||
tlso_verify_ok : tlso_verify_cb );
|
||||
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
|
||||
- if ( lo->ldo_tls_dhfile ) {
|
||||
- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb );
|
||||
- }
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
if ( lo->ldo_tls_crlcheck ) {
|
||||
X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
|
||||
@@ -1160,108 +1157,6 @@ tlso_seed_PRNG( const char *randfile )
|
||||
return 0;
|
||||
}
|
||||
|
||||
-struct dhinfo {
|
||||
- int keylength;
|
||||
- const char *pem;
|
||||
- size_t size;
|
||||
-};
|
||||
-
|
||||
-
|
||||
-/* From the OpenSSL 0.9.7 distro */
|
||||
-static const char tlso_dhpem512[] =
|
||||
-"-----BEGIN DH PARAMETERS-----\n\
|
||||
-MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\
|
||||
-a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\
|
||||
------END DH PARAMETERS-----\n";
|
||||
-
|
||||
-static const char tlso_dhpem1024[] =
|
||||
-"-----BEGIN DH PARAMETERS-----\n\
|
||||
-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
|
||||
-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
|
||||
-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
|
||||
------END DH PARAMETERS-----\n";
|
||||
-
|
||||
-static const char tlso_dhpem2048[] =
|
||||
-"-----BEGIN DH PARAMETERS-----\n\
|
||||
-MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\
|
||||
-AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\
|
||||
-z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\
|
||||
-pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\
|
||||
-aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\
|
||||
-Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\
|
||||
------END DH PARAMETERS-----\n";
|
||||
-
|
||||
-static const char tlso_dhpem4096[] =
|
||||
-"-----BEGIN DH PARAMETERS-----\n\
|
||||
-MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\
|
||||
-vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\
|
||||
-TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\
|
||||
-bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\
|
||||
-rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\
|
||||
-EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\
|
||||
-bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\
|
||||
-W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\
|
||||
-ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\
|
||||
-NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\
|
||||
-jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\
|
||||
------END DH PARAMETERS-----\n";
|
||||
-
|
||||
-static const struct dhinfo tlso_dhpem[] = {
|
||||
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
|
||||
- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
|
||||
- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
|
||||
- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
|
||||
- { 0, NULL, 0 }
|
||||
-};
|
||||
-
|
||||
-static DH *
|
||||
-tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
|
||||
-{
|
||||
- struct dhplist *p = NULL;
|
||||
- BIO *b = NULL;
|
||||
- DH *dh = NULL;
|
||||
- int i;
|
||||
-
|
||||
- /* Do we have params of this length already? */
|
||||
- LDAP_MUTEX_LOCK( &tlso_dh_mutex );
|
||||
- for ( p = tlso_dhparams; p; p=p->next ) {
|
||||
- if ( p->keylength == key_length ) {
|
||||
- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
|
||||
- return p->param;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /* No - check for hardcoded params */
|
||||
-
|
||||
- for (i=0; tlso_dhpem[i].keylength; i++) {
|
||||
- if ( tlso_dhpem[i].keylength == key_length ) {
|
||||
- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size );
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if ( b ) {
|
||||
- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL );
|
||||
- BIO_free( b );
|
||||
- }
|
||||
-
|
||||
- /* Generating on the fly is expensive/slow... */
|
||||
- if ( !dh ) {
|
||||
- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL );
|
||||
- }
|
||||
- if ( dh ) {
|
||||
- p = LDAP_MALLOC( sizeof(struct dhplist) );
|
||||
- if ( p != NULL ) {
|
||||
- p->keylength = key_length;
|
||||
- p->param = dh;
|
||||
- p->next = tlso_dhparams;
|
||||
- tlso_dhparams = p;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
|
||||
- return dh;
|
||||
-}
|
||||
|
||||
tls_impl ldap_int_tls_impl = {
|
||||
"OpenSSL",
|
@ -1,58 +0,0 @@
|
||||
commit eacd5798a5d83e6658a823c01bcb0f600e3b9898
|
||||
Author: Howard Chu <hyc@openldap.org>
|
||||
Date: Sat Sep 7 06:39:53 2013 -0700
|
||||
|
||||
ITS#7506 fix prev commit
|
||||
|
||||
The patch unconditionally enabled DHparams, which is a significant
|
||||
change of behavior. Reverting to previous behavior, which only enables
|
||||
DH use if a DHparam file was configured.
|
||||
|
||||
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||
index c6a3540c9..a2d9cd31f 100644
|
||||
--- a/libraries/libldap/tls_o.c
|
||||
+++ b/libraries/libldap/tls_o.c
|
||||
@@ -59,14 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
|
||||
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
|
||||
static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
|
||||
|
||||
-/* From the OpenSSL 0.9.7 distro */
|
||||
-static const char tlso_dhpem1024[] =
|
||||
-"-----BEGIN DH PARAMETERS-----\n\
|
||||
-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
|
||||
-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
|
||||
-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
|
||||
------END DH PARAMETERS-----\n";
|
||||
-
|
||||
static int tlso_seed_PRNG( const char *randfile );
|
||||
|
||||
#ifdef LDAP_R_COMPILE
|
||||
@@ -304,21 +296,17 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (is_server) {
|
||||
+ if ( lo->ldo_tls_dhfile ) {
|
||||
DH *dh = NULL;
|
||||
BIO *bio;
|
||||
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
|
||||
- if ( lo->ldo_tls_dhfile ) {
|
||||
|
||||
- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
|
||||
- Debug( LDAP_DEBUG_ANY,
|
||||
- "TLS: could not use DH parameters file `%s'.\n",
|
||||
- lo->ldo_tls_dhfile,0,0);
|
||||
- tlso_report_error();
|
||||
- return -1;
|
||||
- }
|
||||
- } else {
|
||||
- bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
|
||||
+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
|
||||
+ Debug( LDAP_DEBUG_ANY,
|
||||
+ "TLS: could not use DH parameters file `%s'.\n",
|
||||
+ lo->ldo_tls_dhfile,0,0);
|
||||
+ tlso_report_error();
|
||||
+ return -1;
|
||||
}
|
||||
if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
Binary file not shown.
@ -27,7 +27,10 @@ SRC_URI += " \
|
||||
file://0016-openldap-man-ldap-conf.patch \
|
||||
file://0017-openldap-bdb_idl_fetch_key-correct-key-pointer.patch \
|
||||
file://0018-openldap-tlsmc.patch \
|
||||
file://0019-openldap-fedora-systemd.patch \
|
||||
file://0019-openldap-openssl-ITS7596-Add-EC-support.patch \
|
||||
file://0020-openldap-openssl-ITS7596-Add-EC-support-patch-2.patch \
|
||||
file://0021-openldap-and-stx-source-and-config-files.patch \
|
||||
file://0022-ltb-project-openldap-ppolicy-check-password-1.1.patch \
|
||||
"
|
||||
|
||||
inherit pkgconfig
|
||||
@ -41,6 +44,8 @@ DEPENDS += " \
|
||||
libtirpc \
|
||||
"
|
||||
|
||||
RDEPENDS_${PN}_append = " bash"
|
||||
|
||||
|
||||
# Defaults:
|
||||
# --enable-bdb=no
|
||||
@ -94,12 +99,47 @@ do_configure_append () {
|
||||
ln -f -s ${S}/contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} servers/slapd/overlays
|
||||
}
|
||||
|
||||
|
||||
# If liblmdb is needed, then patch the Makefile
|
||||
#do_compile_append () {
|
||||
# cd ${S}/libraries/liblmdb
|
||||
# cd ${S}/ltb-project-openldap-ppolicy-check-password-1.1
|
||||
# oe_runmake
|
||||
#}
|
||||
|
||||
FILES_${PN}_append = " ${libexecdir}/openldap/*"
|
||||
do_install_append () {
|
||||
|
||||
# For this we need to build ltb-project-openldap
|
||||
#install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
|
||||
|
||||
cd ${S}/stx-sources
|
||||
install -m 0755 -d ${D}/var/run/openldap
|
||||
install -m 0755 -d ${D}/${sysconfdir}/tmpfiles.d
|
||||
install -m 0755 ${S}/stx-sources/slapd.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/slapd.conf
|
||||
install -m 0755 ${S}/stx-sources/openldap.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/openldap.conf
|
||||
install -m 0755 ${S}/stx-sources/ldap.conf ${D}/${sysconfdir}/tmpfiles.d/ldap.conf
|
||||
|
||||
install -m 0644 libexec-functions ${D}/${libexecdir}/openldap/functions
|
||||
install -m 0755 libexec-convert-config.sh ${D}/${libexecdir}/openldap/convert-config.sh
|
||||
install -m 0755 libexec-check-config.sh ${D}/${libexecdir}/openldap/check-config.sh
|
||||
install -m 0755 libexec-upgrade-db.sh ${D}/${libexecdir}/openldap/upgrade-db.sh
|
||||
|
||||
install -m 0755 libexec-create-certdb.sh ${D}/${libexecdir}/openldap/create-certdb.sh
|
||||
install -m 0755 libexec-generate-server-cert.sh ${D}/${libexecdir}/openldap/generate-server-cert.sh
|
||||
install -m 0755 libexec-update-ppolicy-schema.sh ${D}/${libexecdir}/openldap/update-ppolicy-schema.sh
|
||||
|
||||
install -m 0644 slapd.service ${D}/${systemd_unitdir}/stx-slapd.service
|
||||
install -m 0755 -d ${D}/${sysconfdir}/sysconfig
|
||||
install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd.sysconfig
|
||||
install -m 0755 -d ${D}/${datadir}/openldap-servers
|
||||
install -m 0644 slapd.ldif ${D}/${datadir}/openldap-servers/slapd.ldif
|
||||
install -m 0750 -d ${D}/${sysconfdir}/openldap/slapd.d
|
||||
}
|
||||
|
||||
FILES_${PN}_append = " \
|
||||
${datadir}/openldap-servers/ \
|
||||
${libexecdir}/openldap/ \
|
||||
/run/openldap \
|
||||
${sysconfdir}/sysconfig \
|
||||
${sysconfdir}/tmpfiles.d \
|
||||
${systemd_unitdir}/stx-slapd.service \
|
||||
"
|
||||
|
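Review bot: The tmpfiles.d and ldap.conf copies in do_install_append are installed with mode 0755, which makes plain configuration files executable; `install -m 0644` is the usual mode for these, e.g. `install -m 0644 ${S}/stx-sources/slapd.tmpfiles ${D}/${sysconfdir}/tmpfiles.d/slapd.conf` (and likewise for openldap.tmpfiles and ldap.conf). Dropping ldap.conf under tmpfiles.d also looks unintended, since systemd-tmpfiles only reads tmpfiles snippets from that directory — worth confirming the intended destination. Nothing in this hunk creates `${D}/${libexecdir}/openldap` or `${D}/${systemd_unitdir}` before files are installed into them, so unless the base recipe already does, an `install -m 0755 -d` for each is needed ahead of those install lines. `FILES_${PN}_append` is assigned twice and the first assignment is already covered by the second, and the commented-out install line still carries RPM spec syntax (`%{buildroot}`, `%{_libdir}`) that cannot work in a bitbake recipe.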