diff --git a/.compat-openldap.metadata b/.compat-openldap.metadata
new file mode 100644
index 0000000..b926df5
--- /dev/null
+++ b/.compat-openldap.metadata
@@ -0,0 +1,2 @@
+ffad8e108aae3a02373a11f00f4fd23056770cf2 SOURCES/openldap-config-sasl-options.patch
+796b5db37ae5243b84f7b9c11217bbec44e0da8c SOURCES/openldap-2.3.43.tgz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
- 
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
- 
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/openldap-ai-addrconfig.patch b/SOURCES/openldap-ai-addrconfig.patch
new file mode 100644
index 0000000..a0146ce
--- /dev/null
+++ b/SOURCES/openldap-ai-addrconfig.patch
@@ -0,0 +1,29 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+---
+ libraries/libldap/os-ip.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index c95f34f..fe531a7 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -421,9 +421,8 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ 	memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ATTRCONFIG /* FIXME: configure test needed */
+-	/* Use AI_ATTRCONFIG only on systems where its known to be needed. */
+-	hints.ai_flags = AI_ATTRCONFIG;
++#ifdef AI_ADDRCONFIG
++	hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ 	hints.ai_family = ldap_int_inet4or6;
+ 	hints.ai_socktype = socktype;
+-- 
+1.7.10.4
+
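Review bot: The new `#ifdef AI_ADDRCONFIG` block in ldap_connect_to_host drops the only comment that said why the flag is set, so the intended behaviour is no longer stated in the code. I would add `/* only return address families the host has configured, so IPv4-only hosts do not issue AAAA lookups */` above `hints.ai_flags = AI_ADDRCONFIG;`. It is also worth confirming how the resolver treats a loopback-only host with this flag, since a client talking to an LDAP server on localhost with no other interface up may depend on it. The function body continues outside the inner hunk.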
diff --git a/SOURCES/openldap-chase-referral.patch b/SOURCES/openldap-chase-referral.patch
new file mode 100644
index 0000000..dabd42e
--- /dev/null
+++ b/SOURCES/openldap-chase-referral.patch
@@ -0,0 +1,198 @@
+diff -up openldap-2.3.43/libraries/libldap/os-ip.c.orig openldap-2.3.43/libraries/libldap/os-ip.c
+--- openldap-2.3.43/libraries/libldap/os-ip.c.orig	2008-05-19 19:28:54.000000000 -0400
++++ openldap-2.3.43/libraries/libldap/os-ip.c	2009-07-29 17:01:32.000000000 -0400
+@@ -738,6 +738,9 @@ ldap_mark_select_read( LDAP *ld, Sockbuf
+ 
+ 	sip = (struct selectinfo *)ld->ld_selectinfo;
+ 
++	if (ber_sockbuf_ctrl( sb, LBER_SB_OPT_DATA_READY, NULL ))
++		return;
++
+ 	ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
+ 
+ #ifdef HAVE_POLL
+diff -up openldap-2.3.43/libraries/libldap/result.c.orig openldap-2.3.43/libraries/libldap/result.c
+--- openldap-2.3.43/libraries/libldap/result.c.orig	2009-07-29 17:00:42.000000000 -0400
++++ openldap-2.3.43/libraries/libldap/result.c	2009-07-29 18:10:35.000000000 -0400
+@@ -73,7 +73,7 @@ static int ldap_mark_abandoned LDAP_P(( 
+ static int wait4msg LDAP_P(( LDAP *ld, ber_int_t msgid, int all, struct timeval *timeout,
+ 	LDAPMessage **result ));
+ static ber_tag_t try_read1msg LDAP_P(( LDAP *ld, ber_int_t msgid,
+-	int all, LDAPConn **lc, LDAPMessage **result ));
++	int all, LDAPConn *lc, LDAPMessage **result ));
+ static ber_tag_t build_result_ber LDAP_P(( LDAP *ld, BerElement **bp, LDAPRequest *lr ));
+ static void merge_error_info LDAP_P(( LDAP *ld, LDAPRequest *parentr, LDAPRequest *lr ));
+ static LDAPMessage * chkResponseList LDAP_P(( LDAP *ld, int msgid, int all));
+@@ -118,15 +118,9 @@ ldap_result(
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_lock( &ld->ld_res_mutex );
+ #endif
+-	lm = chkResponseList(ld, msgid, all);
+ 
+-	if ( lm == NULL ) {
+-		rc = wait4msg( ld, msgid, all, timeout, result );
+-	} else {
+-		*result = lm;
+-		ld->ld_errno = LDAP_SUCCESS;
+-		rc = lm->lm_msgtype;
+-	}
++	rc = wait4msg( ld, msgid, all, timeout, result );
++
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_unlock( &ld->ld_res_mutex );
+ #endif
+@@ -233,7 +227,7 @@ wait4msg(
+ 			*tvp;
+ 	time_t		start_time = 0;
+ 	time_t		tmp_time;
+-	LDAPConn	*lc;
++	LDAPConn	*lc, *nextlc;
+ 
+ 	assert( ld != NULL );
+ 	assert( result != NULL );
+@@ -280,13 +274,6 @@ wait4msg(
+ 			for ( lc = ld->ld_conns; lc != NULL; lc = lc->lconn_next ) {
+ 				if ( ber_sockbuf_ctrl( lc->lconn_sb,
+ 						LBER_SB_OPT_DATA_READY, NULL ) ) {
+-#ifdef LDAP_R_COMPILE
+-					ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex );
+-#endif
+-					rc = try_read1msg( ld, msgid, all, &lc, result );
+-#ifdef LDAP_R_COMPILE
+-					ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
+-#endif
+ 					lc_ready = 1;
+ 					break;
+ 				}
+@@ -319,7 +306,11 @@ wait4msg(
+ 				if ( rc == -1 ) {
+ 					rc = LDAP_MSG_X_KEEP_LOOKING;	/* select interrupted: loop */
+ 				} else {
+-					rc = LDAP_MSG_X_KEEP_LOOKING;
++					lc_ready = 1;
++				}
++			}
++			if ( lc_ready ) {
++				rc = LDAP_MSG_X_KEEP_LOOKING;
+ #ifdef LDAP_R_COMPILE
+ 					ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
+ #endif
+@@ -335,38 +326,43 @@ wait4msg(
+ 					ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
+ #endif
+ 					for ( lc = ld->ld_conns;
+-						rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL; )
++						rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL;
++						lc = nextlc )
+ 					{
+ 						if ( lc->lconn_status == LDAP_CONNST_CONNECTED &&
+ 							ldap_is_read_ready( ld, lc->lconn_sb ))
+ 						{
++							/* Don't let it get freed out from under us */
++							++lc->lconn_refcnt;
+ #ifdef LDAP_R_COMPILE
+ 							ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex );
+ #endif
+-							rc = try_read1msg( ld, msgid, all, &lc, result );
++							rc = try_read1msg( ld, msgid, all, lc, result );
++							nextlc = lc->lconn_next;
++
++							/* Only take locks if we're really freeing */
++							if ( lc->lconn_refcnt <= 1 ) {
+ #ifdef LDAP_R_COMPILE
+-							ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
++								ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
+ #endif
+-							if ( lc == NULL ) {
+-								/* if lc gets free()'d,
+-								 * there's no guarantee
+-								 * lc->lconn_next is still
+-								 * sane; better restart
+-								 * (ITS#4405) */
+-								lc = ld->ld_conns;
+-
+-								/* don't get to next conn! */
+-								break;
++								ldap_free_connection( ld, lc, 0, 1 );
++#ifdef LDAP_R_COMPILE
++								ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
++#endif
++							} else {
++								--lc->lconn_refcnt;
+ 							}
++#ifdef LDAP_R_COMPILE
++							ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
++#endif
++						} else {
++							/* next conn */
++							nextlc = lc->lconn_next;
+ 						}
+-
+-						/* next conn */
+-						lc = lc->lconn_next;
+ 					}
+ #ifdef LDAP_R_COMPILE
+ 					ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex );
+ #endif
+-				}
+ 			}
+ 		}
+ 
+@@ -380,7 +376,6 @@ wait4msg(
+ 			if ( tv0.tv_sec <= delta_time ) {
+ 				rc = 0;	/* timed out */
+ 				ld->ld_errno = LDAP_TIMEOUT;
+-				break;
+ 			}
+ 			tv0.tv_sec -= delta_time;
+ 			tv.tv_sec = tv0.tv_sec;
+@@ -400,7 +395,7 @@ try_read1msg(
+ 	LDAP *ld,
+ 	ber_int_t msgid,
+ 	int all,
+-	LDAPConn **lcp,
++	LDAPConn *lc,
+ 	LDAPMessage **result )
+ {
+ 	BerElement	*ber;
+@@ -410,7 +405,6 @@ try_read1msg(
+ 	ber_len_t	len;
+ 	int		foundit = 0;
+ 	LDAPRequest	*lr, *tmplr;
+-	LDAPConn	*lc;
+ 	BerElement	tmpber;
+ 	int		rc, refer_cnt, hadref, simple_request, err;
+ 	ber_int_t	lderr;
+@@ -431,14 +425,11 @@ try_read1msg(
+ 	}	v3ref;
+ 
+ 	assert( ld != NULL );
+-	assert( lcp != NULL );
+-	assert( *lcp != NULL );
++	assert( lc != NULL );
+ 	
+ 	Debug( LDAP_DEBUG_TRACE, "read1msg: ld %p msgid %d all %d\n",
+ 		(void *)ld, msgid, all );
+ 
+-	lc = *lcp;
+-
+ retry:
+ 	if ( lc->lconn_ber == NULL ) {
+ 		lc->lconn_ber = ldap_alloc_ber_with_options(ld);
+@@ -839,14 +830,8 @@ lr->lr_res_matched ? lr->lr_res_matched 
+ 			}
+ 
+ 			if ( lc != NULL ) {
+-#ifdef LDAP_R_COMPILE
+-				ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
+-#endif
+-				ldap_free_connection( ld, lc, 0, 1 );
+-#ifdef LDAP_R_COMPILE
+-				ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
+-#endif
+-				lc = *lcp = NULL;
++				--lc->lconn_refcnt;
++				lc = NULL;
+ 			}
+ 		}
+ 	}
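Review bot: In the rewritten connection loop of wait4msg (result.c), `nextlc = lc->lconn_next`, the `lc->lconn_refcnt <= 1` test and the `--lc->lconn_refcnt` all run after `ld_conn_mutex` has been dropped, and try_read1msg now does its own `--lc->lconn_refcnt` with no lock, so under LDAP_R_COMPILE the plain int that decides whether ldap_free_connection runs is updated outside the mutex that guarded the `++`. If this is safe only because ldap_result holds `ld_res_mutex` for the whole call, say so at the increment, for example `/* lconn_refcnt and lconn_next are only touched under ld_res_mutex here; ld_conn_mutex is not held */`. If other paths change the count under `ld_conn_mutex` or `ld_req_mutex`, the read of `lconn_next` and the refcount test need the same lock as the free. Separately, the timeout hunk removes `break;` after `rc = 0`, so `tv0.tv_sec -= delta_time` now also runs on the timed-out path; confirm that the loop condition still exits there. That condition, and the start and end of both functions, are outside the hunks shown.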
diff --git a/SOURCES/openldap-compat-macros.patch b/SOURCES/openldap-compat-macros.patch
new file mode 100644
index 0000000..f6492c5
--- /dev/null
+++ b/SOURCES/openldap-compat-macros.patch
@@ -0,0 +1,26 @@
+--- openldap-2.3.43/libraries/libldap/os-ip.c.orig	2010-05-06 13:48:15.000000000 +0200
++++ openldap-2.3.43/libraries/libldap/os-ip.c	2010-05-06 13:48:23.000000000 +0200
+@@ -652,7 +652,7 @@ ldap_host_connected_to( Sockbuf *sb, con
+ 		char *herr;
+ #ifdef NI_MAXHOST
+ 		char hbuf[NI_MAXHOST];
+-#elif defined( MAXHOSTNAMELEN
++#elif defined( MAXHOSTNAMELEN )
+ 		char hbuf[MAXHOSTNAMELEN];
+ #else
+ 		char hbuf[256];
+--- openldap-2.3.43/include/ldap_pvt_thread.h.orig	2010-05-06 14:35:45.000000000 +0200
++++ openldap-2.3.43/include/ldap_pvt_thread.h	2010-05-06 14:36:08.000000000 +0200
+@@ -61,9 +61,11 @@ ldap_pvt_thread_set_concurrency LDAP_P((
+ 	/* LARGE stack. Will be twice as large on 64 bit machine. */
+ #define LDAP_PVT_THREAD_STACK_SIZE	( 1 * 1024 * 1024 * sizeof(void *) )
+ /* May be explicitly defined to zero to disable it */
+-#elif LDAP_PVT_THREAD_STACK_SIZE == 0
++#else
++#if LDAP_PVT_THREAD_STACK_SIZE == 0
+ #undef LDAP_PVT_THREAD_SET_STACK_SIZE
+ #endif
++#endif
+ #endif /* !LDAP_PVT_THREAD_H_DONE */
+ 
+ LDAP_F( int )
diff --git a/SOURCES/openldap-gethostbyXXXX_r.patch b/SOURCES/openldap-gethostbyXXXX_r.patch
new file mode 100644
index 0000000..7fc9727
--- /dev/null
+++ b/SOURCES/openldap-gethostbyXXXX_r.patch
@@ -0,0 +1,29 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r (patch
+from Jeffery Layton, #179730).
+diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/libraries/libldap/util-int.c
+--- openldap-2.4.11/libraries/libldap/util-int.c.patch7	2008-02-12 00:26:41.000000000 +0100
++++ openldap-2.4.11/libraries/libldap/util-int.c	2008-09-01 09:57:09.000000000 +0200
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -110,7 +110,7 @@ char *ldap_pvt_ctime( const time_t *tp, 
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
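Review bot: The widened guard `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` in util-int.c relies on `&&` binding tighter than `||`; writing it as `#if defined(LDAP_R_COMPILE) || ( defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R) )` makes the intent explicit. The two `#undef` lines are left behind as commented-out code with no reason given in the source. I would replace them with `/* HAVE_GETHOSTBYNAME_R and HAVE_GETHOSTBYADDR_R stay defined: the non-reentrant calls deadlock when re-entered through nss_ldap */`, which is the rationale the patch header already states. The block opened by the changed `#if` continues outside the hunk, so whether everything inside it builds without LDAP_R_COMPILE cannot be checked from here.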
diff --git a/SOURCES/openldap-ldaprc.patch b/SOURCES/openldap-ldaprc.patch
new file mode 100644
index 0000000..78974ea
--- /dev/null
+++ b/SOURCES/openldap-ldaprc.patch
@@ -0,0 +1,13 @@
+diff -up openldap-2.4.11/libraries/libldap/init.c.patch2 openldap-2.4.11/libraries/libldap/init.c
+--- openldap-2.4.11/libraries/libldap/init.c.patch2	2008-02-12 00:26:41.000000000 +0100
++++ openldap-2.4.11/libraries/libldap/init.c	2008-09-01 09:57:09.000000000 +0200
+@@ -327,9 +327,6 @@ static void openldap_ldap_init_w_usercon
+ 	if(path != NULL) {
+ 		LDAP_FREE(path);
+ 	}
+-
+-	/* try file */
+-	openldap_ldap_init_w_conf(file, 1);
+ }
+ 
+ static void openldap_ldap_init_w_env(
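Review bot: This patch file has no description, and the code it leaves behind in openldap_ldap_init_w_userconf gives no hint that the bare-`file` lookup was removed on purpose. `openldap_ldap_init_w_conf(file, 1)` was called with the unqualified name, presumably resolved against the current working directory, so a one-line comment where the call used to be would keep it from being restored later: `/* do not load the rc file by bare name: the working directory may not be trusted */`. A matching sentence at the top of the patch would help the next packager too. The function starts outside the hunk.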
diff --git a/SOURCES/openldap-network-timeout.patch b/SOURCES/openldap-network-timeout.patch
new file mode 100644
index 0000000..d10c8ee
--- /dev/null
+++ b/SOURCES/openldap-network-timeout.patch
@@ -0,0 +1,54 @@
+459132: RFE: CRM 1845142 'OpenLDAP libraries on RHEL 4 and failover'
+
+Source: upstream, cvs diff -r 1.105 -r 1.106 init.c
+        (+ delete other than NETWORK_TIMEOUT options)
+
+diff -up openldap-2.3.42/doc/man/man5/ldap.conf.5.network-timeout openldap-2.3.42/doc/man/man5/ldap.conf.5
+--- openldap-2.3.42/doc/man/man5/ldap.conf.5.network-timeout	2008-08-18 10:52:11.000000000 +0200
++++ openldap-2.3.42/doc/man/man5/ldap.conf.5	2008-02-12 00:24:09.000000000 +0100
+@@ -86,6 +86,10 @@ list of hosts may be provided.
+ is deprecated in favor of
+ .BR URI .
+ .TP
++.B NETWORK_TIMEOUT <integer>
++Specifies the timeout (in seconds) after which the poll(2)/select(2)
++following a connect(2) returns in case of no activity.
++.TP
+ .B PORT <port>
+ Specifies the default port used when connecting to LDAP servers(s).
+ The port may be specified as a number.
+diff -up openldap-2.3.42/libraries/libldap/init.c.network-timeout openldap-2.3.42/libraries/libldap/init.c
+--- openldap-2.3.42/libraries/libldap/init.c.network-timeout	2008-08-18 10:20:20.000000000 +0200
++++ openldap-2.3.42/libraries/libldap/init.c	2008-08-18 10:48:37.000000000 +0200
+@@ -43,6 +43,8 @@ struct ldapoptions ldap_int_global_optio
+ #define ATTR_SASL	6
+ #define ATTR_TLS	7
+ 
++#define ATTR_OPT_TV	8
++
+ struct ol_keyvalue {
+ 	const char *		key;
+ 	int			value;
+@@ -63,6 +65,7 @@ static const struct ol_attribute {
+ 	const void *	data;
+ 	size_t		offset;
+ } attrs[] = {
++	{0, ATTR_OPT_TV,	"NETWORK_TIMEOUT",	NULL,	LDAP_OPT_NETWORK_TIMEOUT},
+ 	{0, ATTR_KV,		"DEREF",	deref_kv, /* or &deref_kv[0] */
+ 		offsetof(struct ldapoptions, ldo_deref)},
+ 	{0, ATTR_INT,		"SIZELIMIT",	NULL,
+@@ -241,6 +244,14 @@ static void openldap_ldap_init_w_conf(
+ 			   	ldap_int_tls_config( NULL, attrs[i].offset, opt );
+ #endif
+ 				break;
++			case ATTR_OPT_TV: {
++				struct timeval tv;
++				tv.tv_sec = atol( opt );
++				tv.tv_usec = 0;
++				if ( tv.tv_sec > 0 ) {
++					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv);
++				}
++				} break;
+ 			}
+ 
+ 			break;
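Review bot: `tv.tv_sec = atol( opt );` in the new ATTR_OPT_TV case of openldap_ldap_init_w_conf accepts any text. `atol` cannot report a malformed or out-of-range value, so `30x` is taken as 30, and a typo or a zero silently leaves NETWORK_TIMEOUT unset because of the `tv.tv_sec > 0` test. Parse with `strtol`, reject trailing garbage and range errors, and keep the non-positive case as an explicit ignore. The sketch assumes `errno` is already usable in init.c and that `opt` has had trailing whitespace stripped by the parser; both are outside the hunk and need confirming. The function continues outside the hunk.

```c
			case ATTR_OPT_TV: {
				struct timeval tv;
				char *end;
				long secs;

				errno = 0;
				secs = strtol( opt, &end, 10 );
				if ( end == opt || *end != '\0' || errno == ERANGE || secs <= 0 ) {
					/* malformed or non-positive NETWORK_TIMEOUT: leave the default */
					break;
				}
				tv.tv_sec = secs;
				tv.tv_usec = 0;
				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv);
				} break;
```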
diff --git a/SOURCES/openldap-setugid.patch b/SOURCES/openldap-setugid.patch
new file mode 100644
index 0000000..16c01fb
--- /dev/null
+++ b/SOURCES/openldap-setugid.patch
@@ -0,0 +1,23 @@
+Don't read the user's configuration file if we're running in a setuid
+or setgid application.
+--- openldap-2.2.13/libraries/libldap/init.c	2004-06-15 11:51:32.000000000 -0400
++++ openldap-2.2.13/libraries/libldap/init.c	2004-06-15 13:42:35.000000000 -0400
+@@ -572,10 +572,11 @@
+ 		if( user != NULL ) {
+ 			gopts->ldo_def_sasl_authcid = LDAP_STRDUP( user );
+ 		}
+-    }
++	}
+ #endif
+ 
+ 	openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
++	if( ( getuid() == geteuid() ) && ( getgid() == getegid() ) ) {
+ 	openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
+ 
+ 	{
+@@ -605,4 +606,5 @@
+ 	}
+ 
+ 	openldap_ldap_init_w_env(gopts, NULL);
++	}
+ }
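Review bot: The guard `if( ( getuid() == geteuid() ) && ( getgid() == getegid() ) ) {` added in init.c only detects a process whose real and effective ids still differ; it does not cover a program that equalised its ids before libldap initialises, or privilege gained without an id change, so the user rc file and the environment would still be read in those cases. Where the platform offers a secure-execution indicator (glibc exposes `getauxval(AT_SECURE)`, the BSDs `issetugid()`), testing that as well is more robust; at minimum the limitation belongs in a comment above the `if`. The `LDAP_STRDUP( user )` assignment sits above the guard, so if `user` is taken from the environment, which the hunk does not show, it is not covered. The guarded statements are not re-indented and the closing brace is added some thirty lines later, so I would mark it `} /* not setuid/setgid */`. The function starts outside the hunk.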
diff --git a/SOURCES/openldap-tls-null-char.patch b/SOURCES/openldap-tls-null-char.patch
new file mode 100644
index 0000000..60738a9
--- /dev/null
+++ b/SOURCES/openldap-tls-null-char.patch
@@ -0,0 +1,120 @@
+--- openldap-2.3.43/libraries/libldap/tls.c.orig	2010-02-08 13:58:47.000000000 +0100
++++ openldap-2.3.43/libraries/libldap/tls.c	2010-02-08 14:10:37.000000000 +0100
+@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 	X509 *x;
+ 	const char *name;
+ 	char *ptr;
+-	int ntype = IS_DNS;
++	int ntype = IS_DNS, nlen;
+ #ifdef LDAP_PF_INET6
+ 	struct in6_addr addr;
+ #else
+@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 	} else {
+ 		name = name_in;
+ 	}
++	nlen = strlen(name);
+ 
+ 	x = tls_get_cert((SSL *)s);
+ 	if (!x) {
+@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 		ex = X509_get_ext(x, i);
+ 		alt = X509V3_EXT_d2i(ex);
+ 		if (alt) {
+-			int n, len1 = 0, len2 = 0;
++			int n, len2 = 0;
+ 			char *domain = NULL;
+ 			GENERAL_NAME *gn;
+ 
+ 			if (ntype == IS_DNS) {
+-				len1 = strlen(name);
+ 				domain = strchr(name, '.');
+ 				if (domain) {
+-					len2 = len1 - (domain-name);
++					len2 = nlen - (domain-name);
+ 				}
+ 			}
+ 			n = sk_GENERAL_NAME_num(alt);
+@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 					if (sl == 0) continue;
+ 
+ 					/* Is this an exact match? */
+-					if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
++					if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
+ 						break;
+ 					}
+ 
+@@ -1094,13 +1094,28 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 
+ 	if (ret != LDAP_SUCCESS) {
+ 		X509_NAME *xn;
+-		char buf[2048];
+-		buf[0] = '\0';
++		X509_NAME_ENTRY *ne;
++		ASN1_OBJECT *obj;
++		ASN1_STRING *cn = NULL;
++		int navas;
++
++		/* find the last CN */
++		obj = OBJ_nid2obj( NID_commonName );
++		if ( !obj ) goto no_cn;	/* should never happen */
+ 
+ 		xn = X509_get_subject_name(x);
+-		if( X509_NAME_get_text_by_NID( xn, NID_commonName,
+-			buf, sizeof(buf)) == -1)
+-		{
++		navas = X509_NAME_entry_count( xn );
++		for ( i=navas-1; i>=0; i-- ) {
++			ne = X509_NAME_get_entry( xn, i );
++			if ( !OBJ_cmp( ne->object, obj )) {
++				cn = X509_NAME_ENTRY_get_data( ne );
++				break;
++			}
++		}
++
++		if( !cn )
++ 		{
++no_cn:
+ 			Debug( LDAP_DEBUG_ANY,
+ 				"TLS: unable to get common name from peer certificate.\n",
+ 				0, 0, 0 );
+@@ -1111,21 +1126,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 			ld->ld_error = LDAP_STRDUP(
+ 				_("TLS: unable to get CN from peer certificate"));
+ 
+-		} else if (strcasecmp(name, buf) == 0 ) {
++		} else if ( cn->length == nlen &&
++			strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ 			ret = LDAP_SUCCESS;
+ 
+-		} else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
++		} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+ 			char *domain = strchr(name, '.');
+ 			if( domain ) {
+-				size_t dlen = 0;
+-				size_t sl;
++				size_t dlen;
+ 
+-				sl = strlen(name);
+-				dlen = sl - (domain-name);
+-				sl = strlen(buf);
++				dlen = nlen - (domain-name);
+ 
+ 				/* Is this a wildcard match? */
+-				if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
++				if ((dlen == cn->length-1) &&
++					!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+ 					ret = LDAP_SUCCESS;
+ 				}
+ 			}
+@@ -1133,8 +1147,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
+ 
+ 		if( ret == LDAP_LOCAL_ERROR ) {
+ 			Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+-				"common name in certificate (%s).\n", 
+-				name, buf, 0 );
++				"common name in certificate (%.*s).\n", 
++				name, cn->length, cn->data );
+ 			ret = LDAP_CONNECT_ERROR;
+ 			if ( ld->ld_error ) {
+ 				LDAP_FREE( ld->ld_error );
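Review bot: The wildcard branch `} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {` in ldap_pvt_tls_check_hostname indexes the CN bytes without consulting `cn->length`, while every other comparison this patch adds is length-bounded. A certificate whose last CN is empty or one byte long then depends on how the ASN1_STRING buffer happens to be allocated. Guard it with `} else if (( cn->length >= 2 ) && ( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {`. The `%.*s` in the mismatch Debug line still stops at an embedded NUL, so the logged CN can be shorter than the one that was compared; logging `cn->length` beside it would make such certificates visible in the trace. The function starts and ends outside the hunks.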
diff --git a/SPECS/compat-openldap.spec b/SPECS/compat-openldap.spec
new file mode 100644
index 0000000..4c6ed6b
--- /dev/null
+++ b/SPECS/compat-openldap.spec
@@ -0,0 +1,135 @@
+%global _hardened_build 1
+
+Summary: OpenLDAP compatibility shared libraries
+Name: compat-openldap
+Epoch: 1
+Version: 2.3.43
+Release: 3.2%{?dist}
+License: OpenLDAP
+Group: System Environment/Libraries
+URL: http://www.openldap.org/
+
+Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
+
+Patch0: openldap-ldaprc.patch
+Patch1: openldap-gethostbyXXXX_r.patch
+Patch2: openldap-setugid.patch
+Patch3: openldap-config-sasl-options.patch
+Patch4: openldap-network-timeout.patch
+Patch5: openldap-chase-referral.patch
+Patch6: openldap-tls-null-char.patch
+Patch7: openldap-compat-macros.patch
+Patch8: openldap-ai-addrconfig.patch
+
+BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+BuildRequires: glibc-devel, cyrus-sasl-devel >= 2.1, openssl-devel
+# require current OpenLDAP libraries to have /etc/openldap/ldap.conf
+Requires: openldap >= 2.4
+
+%description
+OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. The compat-openldap package
+includes older versions of the OpenLDAP shared libraries which may be
+required by some applications.
+
+
+%prep
+%setup -q -n openldap-%{version}
+
+for patch in %patches; do
+	%__patch -p1 -i $patch
+done
+
+
+%build
+
+export CFLAGS="%{optflags} -fPIC -D_GNU_SOURCE -D_REENTRANT -fno-strict-aliasing"
+
+%configure \
+	--enable-debug \
+	--enable-dynamic \
+	--disable-syslog \
+	--disable-proctitle \
+	--enable-ipv6 \
+	--enable-local \
+	\
+	--disable-slapd \
+	--disable-slurpd \
+	\
+	--disable-modules \
+	--disable-backends \
+	--disable-overlays \
+	\
+	--disable-static \
+	--enable-shared \
+	\
+	--with-cyrus-sasl \
+	--without-fetch \
+	--with-threads \
+	--with-tls=openssl \
+	--with-gnu-ld \
+	--with-pic
+
+# get rid of rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+make %{?_smp_mflags}
+
+
+%install
+rm -rf %{buildroot}
+
+pushd libraries
+	make install DESTDIR=%{buildroot}
+
+	# drop libarchive files
+	rm -f %{buildroot}%{_libdir}/*.la
+
+	# two sets of libraries share the soname, compat is not default
+	rm -f %{buildroot}/%{_libdir}/*.so
+
+	# fix permissions to correctly generate debuginfo
+	chmod 0755 %{buildroot}/%{_libdir}/*
+popd
+
+# remove all configuration files
+rm -rf %{buildroot}/etc
+
+
+%clean
+rm -rf %{buildroot}
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc ANNOUNCEMENT
+%doc COPYRIGHT
+%doc LICENSE
+%attr(0755,root,root) %{_libdir}/liblber-2.3.so.*
+%attr(0755,root,root) %{_libdir}/libldap-2.3.so.*
+%attr(0755,root,root) %{_libdir}/libldap_r-2.3.so.*
+
+
+%changelog
+* Tue May 07 2013 Jan Synáček <jsynacek@redhat.com> - 1:2.3.43-3.2
+- Remove undefined rpm macros (#960090)
+
+* Fri Apr 19 2013 Daniel Mach <dmach@redhat.com> - 1:2.3.43-3.1
+- Rebuild for cyrus-sasl
+
+* Wed Aug 15 2012 Jan Vcelak <jvcelak@redhat.com> 1:2.3.43-3
+- enhancement: build with hardening flags (RELRO)
+- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)
+- drop unnecessary patches
+- clean configure flags
+
+* Mon Nov 22 2010 Jan Vcelak <jvcelak@redhat.com> 1:2.3.43-2
+- run ldconfig in post and postun
+- remove rpath
+
+* Thu Nov 11 2010 Jan Vcelak <jvcelak@redhat.com> 1:2.3.43-1
+- split from openldap package
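Review bot: `Source0` points at an `ftp://` URL and `%prep` applies no signature or checksum check, so the only integrity pin for the openldap-2.3.43 tarball visible in this commit is the SHA-1 line in `.compat-openldap.metadata`. If the build always takes the tarball from a lookaside cache by that hash, say so next to the tag, for example `# Source0 is fetched from the lookaside cache by the hash in .compat-openldap.metadata; the URL is informational`, and consider an https URL for the upstream reference. In the `%prep` loop `$patch` is unquoted; `%__patch -p1 -i "$patch"` is safer if a source path ever contains whitespace.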