From bdd351382c54249f3423aabf9b890bfc3a4a062d Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Oct 22 2013 14:34:58 +0000 Subject: import nss-pam-ldapd-0.8.13-4.el7.src.rpm --- diff --git a/.nss-pam-ldapd.metadata b/.nss-pam-ldapd.metadata new file mode 100644 index 0000000..0a46864 --- /dev/null +++ b/.nss-pam-ldapd.metadata @@ -0,0 +1,2 @@ +b5dca96c989b991884f8e90ef5283f0cf066ffde SOURCES/nss-pam-ldapd-0.8.13.tar.gz.sig +0567cfea104defabeacd88a3a3200b311b8071ec SOURCES/nss-pam-ldapd-0.8.13.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/nslcd.init b/SOURCES/nslcd.init new file mode 100644 index 0000000..1f5fe11 --- /dev/null +++ b/SOURCES/nslcd.init @@ -0,0 +1,86 @@ +#!/bin/sh +# +# chkconfig: - 12 88 +# description: Provides naming services using a directory server. +# processname: /usr/sbin/nslcd +# config: /etc/nslcd.conf +# pidfile: /var/run/nslcd/nslcd.pid +# + +### BEGIN INIT INFO +# Provides: nslcd +# Required-Start: $network +# Required-Stop: +# Default-Start: +# Default-Stop: +# Short-Description: naming services LDAP client daemon +# Description: Provides naming services using a directory server. +### END INIT INFO + +program=/usr/sbin/nslcd +prog=${program##*/} +pidfile=/var/run/nslcd/nslcd.pid + +if [ -f /etc/rc.d/init.d/functions ]; then + . /etc/rc.d/init.d/functions +fi + +RETVAL=0 + +start() { + echo -n $"Starting $prog: " + daemon $program + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog + return $RETVAL +} + +stop() { + echo -n $"Stopping $prog: " + killproc $program + RETVAL=$? + echo + if [ $RETVAL -eq 0 ]; then + rm -f /var/lock/subsys/$prog + fi +} + +restart() { + stop + start +} + +# See how we were called. +case "$1" in + start) + [ -f /var/lock/subsys/$prog ] && exit 0 + $1 + ;; + stop) + [ -f /var/lock/subsys/$prog ] || exit 0 + $1 + ;; + restart) + $1 + ;; + status) + status -p $pidfile $program + RETVAL=$? + ;; + condrestart|try-restart) + [ -f /var/lock/subsys/$prog ] && restart || : + ;; + reload) + echo "can't reload configuration, you have to restart it" + RETVAL=3 + ;; + force-reload) + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 1 + ;; +esac +exit $RETVAL diff --git a/SOURCES/nslcd.service b/SOURCES/nslcd.service new file mode 100644 index 0000000..a490f4a --- /dev/null +++ b/SOURCES/nslcd.service @@ -0,0 +1,11 @@ +[Unit] +Description=Naming services LDAP client daemon. +After=syslog.target network.target named.service dirsrv.target slapd.service + +[Service] +Type=forking +PIDFile=/var/run/nslcd/nslcd.pid +ExecStart=/usr/sbin/nslcd + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/nslcd.tmpfiles b/SOURCES/nslcd.tmpfiles new file mode 100644 index 0000000..2230173 --- /dev/null +++ b/SOURCES/nslcd.tmpfiles @@ -0,0 +1,2 @@ +# nslcd needs a directory in /var/run to store its pid file and socket +d /var/run/nslcd 0755 nslcd root diff --git a/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch b/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch new file mode 100644 index 0000000..ff84f94 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch @@ -0,0 +1,30 @@ +From ec2ac2cc7eaa945f3d07d2528ddd4b8d9b8d38e1 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 6 Oct 2013 14:14:39 +0000 +Subject: [PATCH 3/3] in nslcd, log EPIPE only on debug level (4897033 from + 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2032 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + nslcd/common.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/nslcd/common.h b/nslcd/common.h +index 736d7c09c9cd6d333fc4caa0a15144cc83eb9ecd..c48decb58df5262f459e0862f677960c31e20df7 100644 +--- a/nslcd/common.h ++++ b/nslcd/common.h +@@ -43,7 +43,10 @@ + stream */ + + #define ERROR_OUT_WRITEERROR(fp) \ +- log_log(LOG_WARNING,"error writing to client: %s",strerror(errno)); \ ++ if (errno==EPIPE) \ ++ log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \ ++ else \ ++ log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \ + return -1; + + #define ERROR_OUT_READERROR(fp) \ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch b/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch new file mode 100644 index 0000000..f5e7067 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch @@ -0,0 +1,111 @@ +From 335f7e085b45556276d2c1f224648a7eed28e4fd Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 6 Oct 2013 14:11:51 +0000 +Subject: [PATCH 2/3] use a timeout when skipping remaining result data + (c9e2f97 from 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2031 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + common/tio.c | 6 +++--- + common/tio.h | 4 ++-- + nss/common.h | 10 +++++++--- + 3 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/common/tio.c b/common/tio.c +index 9aef80ca91faedad8f75e09b9070d22ed4a0878d..780ea38f175482dfed5e1c754ef75e93ffd83768 100644 +--- a/common/tio.c ++++ b/common/tio.c +@@ -2,7 +2,7 @@ + tio.c - timed io functions + This file is part of the nss-pam-ldapd library. + +- Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong ++ Copyright (C) 2007, 2008, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -298,7 +298,7 @@ int tio_skip(TFILE *fp, size_t count) + } + + /* Read all available data from the stream and empty the read buffer. */ +-int tio_skipall(TFILE *fp) ++int tio_skipall(TFILE *fp,int skiptimeout) + { + struct pollfd fds[1]; + int rv; +@@ -318,7 +318,7 @@ int tio_skipall(TFILE *fp) + /* see if any data is available */ + fds[0].fd=fp->fd; + fds[0].events=POLLIN; +- rv=poll(fds,1,0); ++ rv=poll(fds,1,skiptimeout); + /* check the poll() result */ + if (rv==0) + return 0; /* no file descriptor ready */ +diff --git a/common/tio.h b/common/tio.h +index cd3f370732e4c54815187bb8012fd5a5ff8972af..b38d458aedd660ff95ff2e57f9df790ffd51ff6d 100644 +--- a/common/tio.h ++++ b/common/tio.h +@@ -2,7 +2,7 @@ + tio.h - timed io functions + This file is part of the nss-pam-ldapd library. + +- Copyright (C) 2007, 2008, 2010, 2012 Arthur de Jong ++ Copyright (C) 2007, 2008, 2010, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -59,7 +59,7 @@ int tio_read(TFILE *fp,void *buf,size_t count); + int tio_skip(TFILE *fp,size_t count); + + /* Read all available data from the stream and empty the read buffer. */ +-int tio_skipall(TFILE *fp); ++int tio_skipall(TFILE *fp,int skiptimeout); + + /* Write the specified buffer to the stream. */ + int tio_write(TFILE *fp,const void *buf,size_t count); +diff --git a/nss/common.h b/nss/common.h +index e8d8e0526499c252f69a558384ddae8504009d26..3f93a4fb4704092dd5b1a41b024d33abf59cba60 100644 +--- a/nss/common.h ++++ b/nss/common.h +@@ -2,7 +2,7 @@ + common.h - common functions for NSS lookups + + Copyright (C) 2006 West Consulting +- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong ++ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -35,6 +35,10 @@ + #include "solnss.h" + #endif /* NSS_FLAVOUR_SOLARIS */ + ++/* skip timeout determines the maximum time to wait when closing the ++ connection and reading whatever data that is available */ ++#define SKIP_TIMEOUT 500 ++ + /* These are macros for handling read and write problems, they are + NSS specific due to the return code so are defined here. They + genrally close the open file, set an error code and return with +@@ -127,7 +131,7 @@ + /* close socket and we're done */ \ + if ((retv==NSS_STATUS_SUCCESS)||(retv==NSS_STATUS_TRYAGAIN)) \ + { \ +- (void)tio_skipall(fp); \ ++ (void)tio_skipall(fp,SKIP_TIMEOUT); \ + (void)tio_close(fp); \ + } \ + return retv; +@@ -203,7 +207,7 @@ + NSS_AVAILCHECK; \ + if (fp!=NULL) \ + { \ +- (void)tio_skipall(fp); \ ++ (void)tio_skipall(fp,SKIP_TIMEOUT); \ + (void)tio_close(fp); \ + fp=NULL; \ + } \ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch b/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch new file mode 100644 index 0000000..6c40f6e --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch @@ -0,0 +1,39 @@ +From 841dd859360ff07d705e869d2a402f6b181a14f9 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 1 Sep 2013 09:47:18 +0000 +Subject: [PATCH 1/3] fix buffer overflow on interrupted read (thanks John + Sullivan) (07a8170 from 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2029 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + AUTHORS | 1 + + common/tio.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/AUTHORS b/AUTHORS +index 5debe5f7c2a059e67f47098df8647c66eab85c13..65ee0789cb8c300c59f7b00b75e80b5b51d96ac9 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -119,3 +119,4 @@ Maxim Vetrov + Matthew L. Dailey + Chris Hiestand + Jon Severinsson ++John Sullivan +diff --git a/common/tio.c b/common/tio.c +index 4456198fe84ea72966edb06700c0fff751dd3451..9aef80ca91faedad8f75e09b9070d22ed4a0878d 100644 +--- a/common/tio.c ++++ b/common/tio.c +@@ -283,8 +283,8 @@ int tio_read(TFILE *fp, void *buf, size_t count) + } + else if ((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN)) + return -1; /* something went wrong with the read */ +- /* skip the read part in the buffer */ +- fp->readbuffer.len=rv; ++ else if (rv>0) ++ fp->readbuffer.len=rv; /* skip the read part in the buffer */ + #ifdef DEBUG_TIO_STATS + fp->bytesread+=rv; + #endif /* DEBUG_TIO_STATS */ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch b/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch new file mode 100644 index 0000000..815e82d --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch @@ -0,0 +1,77 @@ +Always use a function that we know will catch out-of-range values for UIDs and +GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't +produce a result that'll silently be truncated if we store the result in a +uid_t or gid_t. +--- nss-pam-ldapd/nslcd/common.c ++++ nss-pam-ldapd/nslcd/common.c +@@ -273,19 +273,23 @@ long int binsid2id(const char *binsid) + ((((long int)binsid[i+2])&0xff)<<16)|((((long int)binsid[i+3])&0xff)<<24); + } + +-#ifdef WANT_STRTOUI +-/* provide a strtoui() implementation, similar to strtoul() but returning ++/* provide a strtoid() implementation, similar to strtoul() but returning + an range-checked unsigned int instead */ +-unsigned int strtoui(const char *nptr,char **endptr,int base) ++unsigned int strtoid(const char *nptr,char **endptr,int base) + { +- unsigned long val; +- val=strtoul(nptr,endptr,base); +- if (val>UINT_MAX) ++ long long val; ++ /* use the fact that long long is 64-bit, even on 32-bit systems */ ++ val=strtoll(nptr,endptr,base); ++ if (val>UINT32_MAX) + { + errno=ERANGE; +- return UINT_MAX; ++ return UINT32_MAX; + } +- /* If errno was set by strtoul, we'll pass it back as-is */ +- return (unsigned int)val; ++ else if (val < 0) ++ { ++ errno=EINVAL; ++ return UINT32_MAX; ++ } ++ /* If errno was set, we'll pass it back as-is */ ++ return (uint32_t)val; + } +-#endif /* WANT_STRTOUI */ +--- nss-pam-ldapd/nslcd/common.h ++++ nss-pam-ldapd/nslcd/common.h +@@ -139,31 +139,9 @@ int nsswitch_db_uses_ldap(const char *fi + #endif /* _POSIX_HOST_NAME_MAX */ + #endif /* not HOST_NAME_MAX */ + +-/* provide strtouid() function alias */ +-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT +-#define strtouid (uid_t)strtoul +-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT +-#define strtouid (uid_t)strtoull +-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT +-#define WANT_STRTOUI 1 +-#define strtouid (uid_t)strtoui +-#else +-#error unable to find implementation for strtouid() +-#endif +- +-/* provide strtouid() function alias */ +-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT +-#define strtogid (gid_t)strtoul +-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT +-#define strtogid (gid_t)strtoull +-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT +-#ifndef WANT_STRTOUI +-#define WANT_STRTOUI 1 +-#endif +-#define strtogid (uid_t)strtoui +-#else +-#error unable to find implementation for strtogid() +-#endif ++uint32_t strtoid(const char *nptr,char **endptr,int base); ++#define strtouid (uid_t)strtoid ++#define strtogid (gid_t)strtoid + + #ifdef WANT_STRTOUI + /* provide a strtoui() if it is needed */ diff --git a/SOURCES/nss-pam-ldapd-0.8.12-validname.patch b/SOURCES/nss-pam-ldapd-0.8.12-validname.patch new file mode 100644 index 0000000..6f5244f --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-validname.patch @@ -0,0 +1,36 @@ +Defaults changed to allow opening and closing parentheses everywhere. Defaults +changed again to make characters after the first optional, and again to go back +to disallowing names which end with "\". +--- man/nslcd.conf.5.xml ++++ man/nslcd.conf.5.xml +@@ -712,7 +712,7 @@ + characters and the 'i' flag may be appended at the end to indicate + that the match should be case-insensetive. + The default value is +- /^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i ++ /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i + + + +--- nslcd/cfg.c ++++ nslcd/cfg.c +@@ -134,7 +134,7 @@ static void cfg_defaults(struct ldap_con + cfg->ldc_pam_authz_search[i]=NULL; + cfg->ldc_nss_min_uid=0; + parse_validnames_statement(__FILE__,__LINE__,"", +- "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg); ++ "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg); + cfg->pam_password_prohibit_message=NULL; + } + +--- tests/test_common.c ++++ tests/test_common.c +@@ -39,6 +39,8 @@ static void test_isvalidname(void) + assert(!isvalidname("\\foo\\bar")); + assert(!isvalidname("foo\\bar\\")); + assert(isvalidname("me")); /* try short name */ ++ assert(isvalidname("f")); ++ assert(isvalidname("(foo bar)")); + } + + /* the main program... */ diff --git a/SPECS/nss-pam-ldapd.spec b/SPECS/nss-pam-ldapd.spec new file mode 100644 index 0000000..485b826 --- /dev/null +++ b/SPECS/nss-pam-ldapd.spec @@ -0,0 +1,572 @@ +%if 0%{?fedora} > 15 || 0%{?rhel} > 6 +%global systemd 1 +%global sysvinit 0 +%else +%global systemd 0 +%global sysvinit 1 +%endif + +# Fedora had these in F18, but we didn't cut over to use them until after F18 +# was frozen, so pretend it didn't happen until F19. +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +%global systemd_macros 1 +%else +%global systemd_macros 0 +%endif + +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%global tmpfiles 1 +%else +%global tmpfiles 0 +%endif + +# Fedora had it in F17, but moving things around in already-released versions +# is a bad idea, so pretend it didn't happen until F19. +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +%global separate_usr 0 +%global nssdir %{_libdir} +%global pamdir %{_libdir}/security +%else +%global separate_usr 1 +%global nssdir /%{_lib} +%global pamdir /%{_lib}/security +%endif + +# For distributions that support it, build with RELRO +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7) +%define _hardened_build 1 +%endif + +Name: nss-pam-ldapd +Version: 0.8.13 +Release: 4%{?dist} +Summary: An nsswitch module which uses directory servers +Group: System Environment/Base +License: LGPLv2+ +URL: http://arthurdejong.org/nss-pam-ldapd/ +Source0: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz +Source1: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig +Source2: nslcd.init +Source3: nslcd.tmpfiles +Source4: nslcd.service +Patch1: nss-pam-ldapd-0.8.12-validname.patch +Patch2: nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch +Patch3: nss-pam-ldapd-0.8.12-uid-overflow.patch +Patch4: nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch +Patch5: nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: openldap-devel, krb5-devel +BuildRequires: autoconf, automake +BuildRequires: pam-devel +Obsoletes: nss-ldapd < 0.7 +Provides: nss-ldapd = %{version}-%{release} + +# Obsolete PADL's nss_ldap +Provides: nss_ldap = 265-12 +Obsoletes: nss_ldap < 265-11 + +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +# Obsolete PADL's pam_ldap +Provides: pam_ldap = 185-15 +Obsoletes: pam_ldap < 185-15 +%global build_pam_ldap 1 +%else +# Pull in the pam_ldap module, which is its own package in F14 and later, to +# keep upgrades from removing the module. We used to disable nss-pam-ldapd's +# own pam_ldap.so when it wasn't mature enough. +Requires: pam_ldap%{?_isa} +%global build_pam_ldap 0 +%endif + +# Pull in nscd, which is recommended. +Requires: nscd +%if %{sysvinit} +Requires(post): /sbin/ldconfig, chkconfig, grep, sed +Requires(preun): chkconfig, initscripts +Requires(postun): /sbin/ldconfig, initscripts +%endif +%if %{systemd} +BuildRequires: systemd-units +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +Requires(post): systemd-sysv +%endif + +%description +The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name +service information (users, groups, etc.) on behalf of a lightweight +nsswitch module. + +%prep +%setup -q +%patch1 -p0 -b .validname +%patch2 -p1 -b .epipe +%patch3 -p1 -b .overflow +%patch4 -p1 -b .skiptimeout +%patch5 -p1 -b .readall +autoreconf -f -i + +%build +CFLAGS="$RPM_OPT_FLAGS -fPIC" ; export CFLAGS +%configure --libdir=%{nssdir} \ +%if %{build_pam_ldap} + --with-pam-seclib-dir=%{pamdir} +%else + --disable-pam +%endif +make %{?_smp_mflags} + +%check +make check + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT/{%{_initddir},%{_libdir},%{_unitdir}} +%if %{sysvinit} +install -p -m755 %{SOURCE2} $RPM_BUILD_ROOT/%{_initddir}/nslcd +%endif +%if %{systemd} +install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/ +%endif + +%if 0%{?fedora} > 13 || 0%{?rhel} > 5 +%if %{separate_usr} +# Follow glibc's convention and provide a .so symlink so that people who know +# what to expect can link directly with the module. +if test %{_libdir} != /%{_lib} ; then + touch $RPM_BUILD_ROOT/rootfile + relroot=.. + while ! test -r $RPM_BUILD_ROOT/%{_libdir}/$relroot/rootfile ; do + relroot=../$relroot + done + ln -s $relroot/%{_lib}/libnss_ldap.so.2 \ + $RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so + rm $RPM_BUILD_ROOT/rootfile +fi +%else +ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{nssdir}/libnss_ldap.so +%endif +%endif + +sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \ +$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf +touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf +mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd +%if %{tmpfiles} +mkdir -p -m 0755 $RPM_BUILD_ROOT/etc/tmpfiles.d +install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/tmpfiles.d/%{name}.conf +%endif + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) +%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO +%{_sbindir}/* +%{nssdir}/*.so.* +%if %{build_pam_ldap} +%{pamdir}/pam_ldap.so +%endif +%{_mandir}/*/* +%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf +%if %{tmpfiles} +%attr(0644,root,root) %config(noreplace) /etc/tmpfiles.d/%{name}.conf +%endif +%if %{sysvinit} +%attr(0755,root,root) %{_initddir}/nslcd +%endif +%if %{systemd} +%config(noreplace) %{_unitdir}/* +%endif +%attr(0755,nslcd,root) /var/run/nslcd +%if 0%{?fedora} > 13 || 0%{?rhel} > 5 +# This would be the only thing in the -devel subpackage, so we include it. It +# will conflict with nss_ldap, so only include it for releases where pam_ldap is +# its own package. +/%{_libdir}/*.so +%endif + +%pre +getent group ldap > /dev/null || \ +/usr/sbin/groupadd -r -g 55 ldap +getent passwd nslcd > /dev/null || \ +/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \ + -u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || : + +%post +# The usual stuff. +%if %{sysvinit} +/sbin/chkconfig --add nslcd +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_post nslcd.service +%else +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +%endif +%endif +/sbin/ldconfig +# Import important non-default settings from nss_ldap or pam_ldap configuration +# files, but only the first time this package is installed. +comment="This comment prevents repeated auto-migration of settings." +if test -s /etc/nss-ldapd.conf ; then + source=/etc/nss-ldapd.conf +elif test -s /etc/nss_ldap.conf ; then + source=/etc/nss_ldap.conf +elif test -s /etc/pam_ldap.conf ; then + source=/etc/pam_ldap.conf +else + source=/etc/ldap.conf +fi +target=/etc/nslcd.conf +if test "$1" -eq "1" && ! grep -q -F "# $comment" $target 2> /dev/null ; then + # Try to make sure we only do this the first time. + echo "# $comment" >> $target + if grep -E -q '^uri[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default host/uri and replace it... + sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target + # ... with the uri. + grep -E '^uri[[:blank:]]' $source >> $target + elif grep -E -q '^host[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default host/uri and replace it... + sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target + # ... with the "host" reformatted as a URI. + scheme=ldap + # check for 'ssl on', which means we want to use ldaps:// + if grep -E -q '^ssl[[:blank:]]+on$' $source 2> /dev/null ; then + scheme=ldaps + fi + grep -E '^host[[:blank:]]' $source |\ + sed -r -e "s,^host[[:blank:]](.*),uri ${scheme}://\1/,g" >> $target + fi + # Base doesn't require any special logic. + if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default base and replace it. + sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target + grep -E '^base[[:blank:]]' $source >> $target + fi + # Pull in these settings, if they're set, directly. + grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' $source 2> /dev/null >> $target + grep -E '^(tls_)' $source 2> /dev/null >> $target + grep -E '^(timelimit|bind_timelimit|idle_timelimit)[[:blank:]]' $source 2> /dev/null >> $target +fi +# If this is the first time we're being installed, and the system is already +# configured to use LDAP as a naming service, enable the daemon, but don't +# start it since we can never know if that's a safe thing to do. If this +# is an upgrade, leave the user's runlevel selections alone. +if [ "$1" -eq "1" ]; then + if grep -E -q '^USELDAP=yes$' /etc/sysconfig/authconfig 2> /dev/null ; then +%if %{sysvinit} + /sbin/chkconfig nslcd on +%endif +%if %{systemd} + /bin/systemctl --no-reload enable nslcd.service >/dev/null 2>&1 ||: +%endif + fi +fi +# Earlier versions of 0.7.6 of this package would have included both 'gid +# nslcd' (a group which doesn't exist) and 'gid ldap' (which we ensure exists). +# If we detect both, fix the configuration. +if grep -q '^gid nslcd' $target ; then + if grep -q '^gid ldap' $target ; then + sed -i -e 's,^gid nslcd$,# gid nslcd,g' $target + fi +fi +# In 0.8.4, the name of the attribute which was expected to contain the DNs of +# a group's members changed from "uniqueMember" to "member". Change any +# instances of "map group uniqueMember ..." to "map group member ...", unless +# "member" is already being mapped, in which case attempting this would +# probably just confuse things further. +if grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]]" $target ; then + if ! grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+member[[:blank:]]" $target ; then + sed -i -r -e "s,^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]](.*),map group member \1,g" $target + fi +fi +# Create the daemon's /var/run directory if it isn't there. +if ! test -d /var/run/nslcd ; then + mkdir -p -m 0755 /var/run/nslcd +fi +exit 0 + +%preun +if [ "$1" -eq "0" ]; then +%if %{sysvinit} + /sbin/service nslcd stop >/dev/null 2>&1 + /sbin/chkconfig --del nslcd +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_preun nslcd.service +%else + /bin/systemctl --no-reload disable nslcd.service > /dev/null 2>&1 || : + /bin/systemctl stop nslcd.service > /dev/null 2>&1 || : +%endif +%endif +fi +exit 0 + +%postun +/sbin/ldconfig +%if %{sysvinit} +if [ "$1" -ge "1" ]; then + /etc/rc.d/init.d/nslcd condrestart >/dev/null 2>&1 +fi +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_postun_with_restart nslcd.service +%else +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ "$1" -ge "1" ]; then + /bin/systemctl try-restart nslcd.service >/dev/null 2>&1 +fi +%endif +%endif +exit 0 + +%if %{systemd} +%triggerun -- nss-pam-ldapd < 0.7.13-6 +# Save the current service runlevel info, in case the user wants to apply +# the enabled status manually later, by running +# "systemd-sysv-convert --apply nslcd". +%{_bindir}/systemd-sysv-convert --save nslcd >/dev/null 2>&1 ||: +# Do this because the old package's %%postun doesn't know we need to do it. +/sbin/chkconfig --del nslcd >/dev/null 2>&1 || : +# Do this because the old package's %%postun wouldn't have tried. +/bin/systemctl try-restart nslcd.service >/dev/null 2>&1 || : +exit 0 +%endif + +%changelog +* Fri Oct 18 2013 Nalin Dahyabhai 0.8.13-4 +- compile nslcd/log.c with -fPIC instead of the current hardened-build default + of -fPIE, which doesn't seem to avoid relocations for its thread-local + variables on s390x (#1002834) + +* Sat Oct 05 2013 Jakub Hrozek 0.8.13-3 +- Suppress Broken Pipe messages when requesting a large groupo +- Resolves: rhbz#1002829 + +* Wed Jul 31 2013 Jakub Hrozek 0.8.13-2 +- Build with _hardened_build macro + +* Mon May 6 2013 Nalin Dahyabhai 0.8.13-1 +- update to 0.8.13 +- correct a syntax error in the fix that was added for #832706 + +* Tue Apr 30 2013 Nalin Dahyabhai 0.8.12-4 +- in %%post, attempt to rewrite any instances of "map group uniqueMember ..." + to be "map group member ..." in nslcd.conf, as the attribute name changed + in 0.8.4 (via freeipa ticket #3589) + +* Thu Feb 14 2013 Fedora Release Engineering - 0.8.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Nalin Dahyabhai 0.8.12-2 +- drop local patch to make the client flush some more read buffers + +* Fri Jan 18 2013 Nalin Dahyabhai 0.8.12-1 +- update to 0.8.12 (#846793) +- make building pam_ldap conditional on the targeted release +- add "After=named.service dirsrv.target slapd.service" to nslcd.service, + to make sure that nslcd is started after them if they're to be started + on the local system (#832706) +- alter the versioned Obsoletes: on pam_ldap to include the F18 package +- use %%{_unitdir} when deciding where to put systemd configuration, based + on patch from Václav Pavlín (#850232) +- use new systemd macros for scriptlet hooks, when available, based on + patch from Václav Pavlín (#850232) + +* Sun Sep 09 2012 Jakub Hrozek 0.7.17-1 +- new upstream release 0.7.17 + +* Sun Aug 05 2012 Jakub Hrozek - 0.7.16-5 +- Obsolete PADL's nss_ldap + +* Sat Aug 04 2012 Jakub Hrozek - 0.7.16-4 +- Build the PAM module, obsoletes PADL's pam-ldap (#856006) + +* Fri Jul 20 2012 Fedora Release Engineering - 0.7.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 14 2012 Jakub Hrozek 0.7.16-2 +- backport upstream revision r1659 related to broken pipe when + requesting a large group +- use grep -E instead of egrep to avoid rpmlint warnings + +* Sat Apr 28 2012 Jakub Hrozek 0.7.16-1 +- new upstream release 0.7.16 + +* Thu Mar 15 2012 Jakub Hrozek 0.7.15-2 +- Do not print "Broken Pipe" error message when requesting a large group + +* Fri Mar 9 2012 Jakub Hrozek 0.7.15-1 +- new upstream release 0.7.15 + +* Fri Jan 13 2012 Fedora Release Engineering - 0.7.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Jakub Hrozek 0.7.14-2 +- Do not overflow large UID/GID values on 32bit architectures + +* Mon Nov 28 2011 Nalin Dahyabhai +- use the same conditional test for deciding when to create the .so symlink as + we do later on for deciding when to include it in the package (#757004) + +* Fri Sep 23 2011 Jakub Hrozek 0.7.14-1 +- new upstream release 0.7.14 +- obsoletes nss-pam-ldapd-0.7.x-buffers.patch + +* Wed Aug 24 2011 Nalin Dahyabhai 0.7.13-8 +- include backported enhancement to take URIs in the form "dns:DOMAIN" in + addition to the already-implemented "dns" (#730309) + +* Thu Jul 14 2011 Nalin Dahyabhai 0.7.13-7 +- switch to only munging the contents of /etc/nslcd.conf on the very first + install (#706454) +- make sure that we have enough space to parse any valid GID value when + parsing a user's primary GID (#716822) +- backport support for the "validnames" option from SVN and use it to allow + parentheses characters by modifying the default setting (#690870), then + modify the default again to also allow shorter and shorter names to pass + muster (#706860) + +* Wed Jul 13 2011 Nalin Dahyabhai 0.7.13-6 +- convert to systemd-native startup (#716997) + +* Mon Jun 13 2011 Nalin Dahyabhai 0.7.13-5 +- change the file path Requires: we have for pam_ldap into a package name + Requires: (#601931) + +* Wed Mar 30 2011 Nalin Dahyabhai 0.7.13-4 +- tag nslcd.conf with %%verify(not md5 size mtime), since we always tweak + it in %%post (#692225) + +* Tue Mar 1 2011 Nalin Dahyabhai 0.7.13-3 +- add a tmpfiles configuration to ensure that /var/run/nslcd is created when + /var/run is completely empty at boot (#656643) + +* Tue Feb 08 2011 Fedora Release Engineering - 0.7.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 13 2010 Nalin Dahyabhai 0.7.13-1 +- update to 0.7.13 + +* Fri Oct 29 2010 Nalin Dahyabhai 0.7.12-1 +- update to 0.7.12 + +* Fri Oct 15 2010 Nalin Dahyabhai 0.7.11-1 +- update to 0.7.11 + +* Wed Sep 29 2010 jkeating - 0.7.10-2 +- Rebuilt for gcc bug 634757 + +* Fri Sep 24 2010 Nalin Dahyabhai 0.7.10-1 +- update to 0.7.10 + +* Thu Sep 23 2010 Nalin Dahyabhai 0.7.9-2 +- when creating /var/run/nslcd in the buildroot, specify that 0755 is a + permissions value and not another directory name (#636880) + +* Mon Aug 30 2010 Nalin Dahyabhai 0.7.9-1 +- update to 0.7.9 + +* Wed Aug 18 2010 Nalin Dahyabhai 0.7.8-1 +- update to 0.7.8 + +* Wed Jul 7 2010 Nalin Dahyabhai 0.7.7-1 +- update to 0.7.7 + +* Mon Jun 28 2010 Nalin Dahyabhai 0.7.6-3 +- don't accidentally set multiple 'gid' settings in nslcd.conf, and try to + clean up after older versions of this package that did (#608314) + +* Thu May 27 2010 Nalin Dahyabhai 0.7.6-2 +- make inclusion of the .so symlink conditional on being on a sufficiently- + new Fedora where pam_ldap isn't part of the nss_ldap package, so having + this package conflict with nss_ldap doesn't require that pam_ldap be + removed (#596691) + +* Thu May 27 2010 Nalin Dahyabhai 0.7.6-1 +- update to 0.7.6 + +* Mon May 17 2010 Nalin Dahyabhai 0.7.5-3 +- switch to the upstream patch for #592411 + +* Fri May 14 2010 Nalin Dahyabhai 0.7.5-2 +- don't return an uninitialized buffer as the value for an optional attribute + that isn't present in the directory server entry (#592411) + +* Fri May 14 2010 Nalin Dahyabhai 0.7.5-1 +- update to 0.7.5 + +* Fri May 14 2010 Nalin Dahyabhai 0.7.4-1 +- update to 0.7.4 +- stop trying to migrate retry timeout parameters from old ldap.conf files +- add an explicit requires: on nscd to make sure it's at least available on + systems that are using nss-pam-ldapd; otherwise it's usually optional + +* Tue Mar 23 2010 Nalin Dahyabhai 0.7.3-1 +- update to 0.7.3 + +* Thu Feb 25 2010 Nalin Dahyabhai 0.7.2-2 +- bump release for post-review commit + +* Thu Feb 25 2010 Nalin Dahyabhai 0.7.2-1 +- add comments about why we have a .so link at all, and not a -devel subpackage + +* Wed Jan 13 2010 Nalin Dahyabhai +- obsolete/provides nss-ldapd +- import configuration from nss-ldapd.conf, too + +* Tue Jan 12 2010 Nalin Dahyabhai +- rename to nss-pam-ldapd +- also check for import settings in /etc/nss_ldap.conf and /etc/pam_ldap.conf + +* Thu Sep 24 2009 Nalin Dahyabhai 0.6.11-2 +- rebuild + +* Wed Sep 16 2009 Nalin Dahyabhai +- apply Mitchell Berger's patch to clean up the init script, use %%{_initddir}, + and correct the %%post so that it only thinks about turning on nslcd when + we're first being installed (#522947) +- tell status() where the pidfile is when the init script is called for that + +* Tue Sep 8 2009 Nalin Dahyabhai +- fix typo in a comment, capitalize the full name for "LDAP Client User" (more + from #516049) + +* Wed Sep 2 2009 Nalin Dahyabhai 0.6.11-1 +- update to 0.6.11 + +* Sat Jul 25 2009 Fedora Release Engineering - 0.6.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jun 18 2009 Nalin Dahyabhai 0.6.10-3 +- update URL: and Source: + +* Mon Jun 15 2009 Nalin Dahyabhai 0.6.10-2 +- add and own /var/run/nslcd +- convert hosts to uri during migration + +* Thu Jun 11 2009 Nalin Dahyabhai 0.6.10-1 +- update to 0.6.10 + +* Fri Apr 17 2009 Nalin Dahyabhai 0.6.8-1 +- bump release number to 1 (part of #491767) +- fix which group we check for during %%pre (part of #491767) + +* Tue Mar 24 2009 Nalin Dahyabhai +- require chkconfig by package rather than path (Jussi Lehtola, part of #491767) + +* Mon Mar 23 2009 Nalin Dahyabhai 0.6.8-0.1 +- update to 0.6.8 + +* Mon Mar 23 2009 Nalin Dahyabhai 0.6.7-0.1 +- start using a dedicated user + +* Wed Mar 18 2009 Nalin Dahyabhai 0.6.7-0.0 +- initial package (#445965)