diff --git a/.openldap.metadata b/.openldap.metadata
new file mode 100644
index 0000000..80bf8dc
--- /dev/null
+++ b/.openldap.metadata
@@ -0,0 +1,2 @@
+db02243150b050baac6a8ea4145ad73a1f6d2266 SOURCES/openldap-2.4.35.tgz
+444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
- 
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
- 
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf
new file mode 100644
index 0000000..661a259
--- /dev/null
+++ b/SOURCES/ldap.conf
@@ -0,0 +1,18 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+TLS_CACERTDIR	/etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
\ No newline at end of file
diff --git a/SOURCES/libexec-check-config.sh b/SOURCES/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/SOURCES/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+	retcode=0
+	tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+	if [ $? -ne 0 ]; then
+		error "Checking configuration file failed:"
+		cat $tmp_slaptest >&2
+		retcode=1
+	fi
+	rm $tmp_slaptest
+	return $retcode
+}
+
+function check_certs_perms()
+{
+	retcode=0
+	for cert in `certificates`; do
+		run_as_ldap "/usr/bin/test -e \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' was not found." "$cert"
+			retcoder=1
+			continue
+		fi
+		run_as_ldap "/usr/bin/test -r \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' is not readable." "$cert"
+			retcode=1
+		fi
+	done
+	return $retcode
+}
+
+function check_db_perms()
+{
+	retcode=0
+	for dbdir in `databases`; do
+		[ -d "$dbdir" ] || continue
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+			if [ $? -ne 0 ]; then
+				error "Read/write permissions for DB file '%s' are required." "$dbfile"
+				retcode=1
+			fi
+		done
+	done
+	return $retcode
+}
+
+function check_everything()
+{
+	retcode=0
+	check_config_syntax || retcode=1
+	# TODO: need support for Mozilla NSS, disabling temporarily
+	#check_certs_perms || retcode=1
+	check_db_perms || retcode=1
+	return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this script."
+	exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+	if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+		error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+	else
+		check_everything
+		exit $?
+	fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+	if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+		error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+	else
+		error "Warning: Usage of a configuration file is obsolete!"
+		check_everything
+		exit $?
+	fi
+fi
+
+exit 1
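Review bot: `retcoder=1` on the missing-certificate branch of check_certs_perms is a typo for `retcode=1`, so a certificate path that does not exist leaves the function returning success; the line should read `retcode=1`. The function is currently commented out in check_everything, so the effect is latent until the TODO about Mozilla NSS is resolved and the call is re-enabled. The file is `#!/bin/sh` but uses the `function` keyword and the bash-only `&>` redirection in check_config_syntax; under a POSIX sh, `cmd &>file` runs cmd in the background and then truncates the file, so either the shebang should be `#!/bin/bash` or the redirection written `>"$tmp_slaptest" 2>&1`. The `mktemp` result is used without checking that it succeeded, and its later uses are unquoted.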
diff --git a/SOURCES/libexec-convert-config.sh b/SOURCES/libexec-convert-config.sh
new file mode 100755
index 0000000..ca9884f
--- /dev/null
+++ b/SOURCES/libexec-convert-config.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function help()
+{
+	error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
+	exit 2
+}
+
+load_sysconfig
+
+while getopts :f:F: opt; do
+	case "$opt" in
+	f)
+		SLAPD_CONFIG_FILE="$OPTARG"
+		;;
+	F)
+		SLAPD_CONFIG_DIR="$OPTARG"
+		;;
+	*)
+		help
+		;;
+	esac
+done
+shift $((OPTIND-1))
+[ -n "$1" ] && help
+
+# check source, target
+
+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+	error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
+	exit 1
+fi
+
+if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
+	SLAPD_CONFIG_FILE_FORMAT=ldif
+else
+	SLAPD_CONFIG_FILE_FORMAT=conf
+fi
+
+if [ -d "$SLAPD_CONFIG_DIR" ]; then
+	if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
+		error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
+		exit 1
+	fi
+fi
+
+# perform the conversion
+
+tmp_convert=`mktemp --tmpdir=/var/run/openldap`
+
+if [ `id -u` -eq 0 ]; then
+	install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+		run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
+	else
+		run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
+	fi
+	retcode=$?
+else
+	error "You are not root! Permission will not be set."
+	install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+		/usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
+	else
+		/usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	fi
+	retcode=$?
+fi
+
+if [ $retcode -ne 0 ]; then
+	error "Configuration conversion failed:"
+	cat $tmp_convert >&2
+fi
+
+rm $tmp_convert
+exit $retcode
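Review bot: The temporary file from `mktemp --tmpdir=/var/run/openldap` is used unchecked, so if that directory is missing `tmp_convert` is empty, every `&>>$tmp_convert` redirection fails and the final `rm $tmp_convert` runs with no operand; write `tmp_convert=$(mktemp --tmpdir=/var/run/openldap) || exit 1` and quote the later uses. The exit status of `install -d` in both branches is discarded, so `retcode` only reflects slapadd/slaptest and a failed directory creation surfaces as a conversion error of the following command. Like the other `#!/bin/sh` scripts in this commit, `&>>` is a bash-only redirection and the `function` keyword is not POSIX.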
diff --git a/SOURCES/libexec-create-certdb.sh b/SOURCES/libexec-create-certdb.sh
new file mode 100755
index 0000000..2377fdd
--- /dev/null
+++ b/SOURCES/libexec-create-certdb.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+
+# internals
+
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
+RANDOM_SOURCE=/dev/urandom
+PASSWORD_BYTES=32
+
+# parse arguments
+
+usage() {
+	printf "usage: create-certdb.sh [-d certdb]\n" >&2
+	exit 1
+}
+
+while getopts "d:" opt; do
+	case "$opt" in
+	d)
+		CERTDB_DIR="$OPTARG"
+		;;
+	\?)
+		usage
+		;;
+	esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# verify target location
+
+if [ ! -d "$CERTDB_DIR" ]; then
+	printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
+	exit 1
+fi
+
+if [ ! "$(find "$CERTDB_DIR"  -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
+	printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
+	exit 1
+fi
+
+# create the database
+
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
+
+PASSWORD_FILE="$CERTDB_DIR/password"
+OLD_UMASK="$(umask)"
+umask 0377
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
+umask "$OLD_UMASK"
+
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
+
+# load module with builtin CA certificates
+
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
+
+# tune permissions
+
+for dbfile in "$CERTDB_DIR"/*.db; do
+	chmod 0644 "$dbfile"
+done
+
+exit 0
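Review bot: `certutil -N` and `modutil -add` both run with `&>/dev/null`, so when either fails the script stops through `set -e` with no diagnostic and a partially initialised database left in place; keep stderr, e.g. `certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" >/dev/null`, or collect output into a temp file and print it on failure as the sibling convert-config script does. The password is produced by a pipeline under `set -e` without `pipefail`, so a failed `dd` still yields a possibly empty password file that `certutil -N` then accepts; add `set -o pipefail` next to `set -e`. The `chmod 0644` loop over `"$CERTDB_DIR"/*.db` presumably relies on certutil having created the .db files; with no match the literal pattern is passed to chmod and the script aborts, so `[ -e "$dbfile" ] || continue` would make that explicit.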
diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions
new file mode 100644
index 0000000..990d2b8
--- /dev/null
+++ b/SOURCES/libexec-functions
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+	SLAPD_USER=ldap
+	SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+	SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+	SLAPD_CONFIG_CUSTOM=
+	SLAPD_GLOBAL_OPTIONS=
+	SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+	user=
+	config_file=
+	config_dir=
+	while getopts :u:f:F: opt; do
+		case "$opt" in
+		u)
+			user="$OPTARG"
+			;;
+		f)
+			config_file="$OPTARG"
+			;;
+		F)
+			config_dir="$OPTARG"
+			;;
+		esac
+	done
+
+	if [ -n "$user" ]; then
+		SLAPD_USER="$user"
+	fi
+
+	if [ -n "$config_dir" ]; then
+		SLAPD_CONFIG_DIR="$config_dir"
+		SLAPD_CONFIG_FILE=
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+	elif [ -n "$config_file" ]; then
+		SLAPD_CONFIG_DIR=
+		SLAPD_CONFIG_FILE="$config_file"
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+	fi
+}
+
+function uses_new_config()
+{
+	[ -n "$SLAPD_CONFIG_DIR" ]
+	return $?
+}
+
+function run_as_ldap()
+{
+	/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+	return $?
+}
+
+function ldif_unbreak()
+{
+	sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+	sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c \
+	-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcDbDirectory: ' | \
+		ldif_value
+}
+
+function databases_old()
+{
+	awk	'begin { database="" }
+		$1 == "database" { database=$2 }
+		$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+		ldif_value
+}
+
+function certificates_old()
+{
+	awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+	uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+	uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+	format="$1\n"; shift
+	printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+	[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+	. "$SLAPD_SYSCONFIG_FILE"
+	[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
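Review bot: `SLAPD_GLOBAL_OPTIONS` is built as shell-quoted text (`-F '$config_dir'`, `-f '$config_file'`) but databases_new and certificates_new expand it unquoted straight into `slapcat`, so slapcat receives the literal single-quote characters as part of the path; that form only works where the string is re-parsed by a shell, as in run_as_ldap. Either drop the quotes and document that paths may not contain whitespace, or keep a separately formatted variable for the direct-call case. In `error`, `$@` is unquoted, so an argument containing whitespace is split across several `%s` conversions; it should be `printf "$format" "$@" >&2`. In databases_old, awk's `begin` is lower-case and is therefore a variable reference rather than a BEGIN block; it is harmless here only because `database` starts out empty, but `BEGIN` is what was intended.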
diff --git a/SOURCES/libexec-generate-server-cert.sh b/SOURCES/libexec-generate-server-cert.sh
new file mode 100755
index 0000000..1a66b8c
--- /dev/null
+++ b/SOURCES/libexec-generate-server-cert.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+CERT_NAME="OpenLDAP Server"
+PASSWORD_FILE=
+HOSTNAME_FQDN="$(hostname --fqdn)"
+ALT_NAMES=
+ONCE=0
+
+# internals
+
+RANDOM_SOURCE=/dev/urandom
+CERT_RANDOM_BYTES=256
+CERT_KEY_TYPE=rsa
+CERT_KEY_SIZE=1024
+CERT_VALID_MONTHS=12
+
+# parse arguments
+
+usage() {
+	printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
+	printf "                               [-p password-file] [-h hostnames]\n" >&2
+	pritnf "                               [-a dns-alt-names] [-o]\n" >&2
+	exit 1
+}
+
+while getopts "d:n:p:h:a:o" opt; do
+	case "$opt" in
+	d)
+		CERTDB_DIR="$OPTARG"
+		;;
+	n)
+		CERT_NAME="$OPTARG"
+		;;
+	p)
+		PASSWORD_FILE="$OPTARG"
+		;;
+	h)
+		HOSTNAME_FQDN="$OPTARG"
+		;;
+	a)
+		ALT_NAMES="$OPTARG"
+		;;
+	o)
+		ONCE=1
+		;;
+	\?)
+		usage
+		;;
+	esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# generated options
+
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
+
+# verify target location
+
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
+	printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
+	exit 0
+fi
+
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
+	printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
+	exit 1
+fi
+
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
+
+if [ ! -r "$PASSWORD_FILE" ]; then
+	printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
+	exit 1
+fi
+
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
+	printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
+	exit 1
+fi
+
+# generate server certificate (self signed)
+
+
+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
+	-S -x -n "$CERT_NAME" \
+	-s "CN=$HOSTNAME_FQDN" \
+	-t TC,, \
+	-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
+	-v $CERT_VALID_MONTHS \
+	-8 "$ALT_NAMES" \
+	&>/dev/null
+
+rm -f $RANDOM_DATA
+
+# tune permissions
+
+if [ "$(id -u)" -eq 0 ]; then
+	chgrp ldap "$PASSWORD_FILE"
+	chmod g+r "$PASSWORD_FILE"
+else
+	printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
+	printf "         load it's private key from the certificate database.\n" >&2
+fi
+
+touch "$ONCE_FILE"
+exit 0
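Review bot: `rm -f $RANDOM_DATA` refers to a variable that is never set, so the seed file created by `mktemp` into `CERT_RANDOM` is left behind in /var/run/openldap on every run; it should be `rm -f -- "$CERT_RANDOM"`. In usage(), `pritnf` is a typo: under `set -e` the unknown command makes the function exit with status 127 before its third line and the intended `exit 1` are reached. `CERT_KEY_SIZE=1024` generates a 1024-bit RSA key, which is below current guidance for a server certificate; 2048 would be the defensible default. The `of=$CERT_RANDOM` operand in the `dd` call should also be quoted, as `-z "$CERT_RANDOM"` already is.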
diff --git a/SOURCES/libexec-upgrade-db.sh b/SOURCES/libexec-upgrade-db.sh
new file mode 100755
index 0000000..1543c80
--- /dev/null
+++ b/SOURCES/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this command."
+	exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+	upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+	bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+	# skip uninitialized database
+	[ -z "$bdb_files"]  || continue
+
+	printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+	# perform the update
+	for command in \
+		"/usr/bin/db_recover -v -h \"$dbdir\"" \
+		"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+		"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+	; do
+		printf "Executing: %s\n" "$command" &>>$upgrade_log
+		run_as_ldap "$command" &>>$upgrade_log
+		result=$?
+		printf "Exit code: %d\n" $result >>"$upgrade_log"
+		if [ $result -ne 0 ]; then
+			printf "Upgrade failed: %d\n" $result
+			retcode=1
+		fi
+	done
+done
+
+exit $retcode
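Review bot: The skip test `[ -z "$bdb_files"]  || continue` is broken twice: the missing space before `]` makes `[` fail with a syntax error, so `continue` is taken for every database and nothing is ever upgraded; and even with the space the sense is inverted relative to the comment, since it would skip databases that do have .bdb files. The intended line is `[ -n "$bdb_files" ] || continue`. As in the sibling scripts, `&>>` is bash-only under `#!/bin/sh`, and the `Upgrade failed` message goes to stdout while the other diagnostics in this commit use stderr.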
diff --git a/SOURCES/openldap-ai-addrconfig.patch b/SOURCES/openldap-ai-addrconfig.patch
new file mode 100644
index 0000000..0858fac
--- /dev/null
+++ b/SOURCES/openldap-ai-addrconfig.patch
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ 	memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+-	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ 	hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ 	hints.ai_family = ldap_int_inet4or6;
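Review bot: Setting AI_ADDRCONFIG whenever the macro exists changes behaviour for hosts whose only configured address of a family is loopback: glibc's getaddrinfo(3) does not count loopback as a configured address for this flag, so a name resolving to 127.0.0.1 or ::1 on an otherwise unconfigured machine can yield no results where it previously did. The removed upstream guard was explicitly marked as needing a configure test, so the trade-off is known. If the flag stays unconditional, a comment above `#ifdef AI_ADDRCONFIG` should record it, e.g. `/* AI_ADDRCONFIG skips families with no configured address; glibc does not count loopback */`.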
diff --git a/SOURCES/openldap-autoconf-pkgconfig-nss.patch b/SOURCES/openldap-autoconf-pkgconfig-nss.patch
new file mode 100644
index 0000000..8b4bb19
--- /dev/null
+++ b/SOURCES/openldap-autoconf-pkgconfig-nss.patch
@@ -0,0 +1,49 @@
+Use pkg-config for Mozilla NSS library detection
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+
+---
+ configure.in | 22 +++++-----------------
+ 1 file changed, 5 insertions(+), 17 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index ecffe30..2a9cfb4 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
+ 	fi
+ fi
+ 
+-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
+-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
+-dnl are not in the default system location
+ if test $ol_link_tls = no ; then
+ 	if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
+-		have_moznss=no
+-		AC_CHECK_HEADERS([nssutil.h])
+-		if test "$ac_cv_header_nssutil_h" = yes ; then
+-			AC_CHECK_LIB([nss3], [NSS_Initialize],
+-						 [ have_moznss=yes ], [ have_moznss=no ])
+-		fi
++		PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
+ 
+-		if test "$have_moznss" = yes ; then
++		if test $have_moznss = yes ; then
+ 			ol_with_tls=moznss
+ 			ol_link_tls=yes
+-			AC_DEFINE(HAVE_MOZNSS, 1, 
+-					  [define if you have MozNSS])
+-			TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
+-		else
+-			if test $ol_with_tls = moznss ; then
+-			AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
+-			fi
++			AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
++			TLS_LIBS="$MOZNSS_LIBS"
++			CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
+ 		fi
+ 	fi
+ fi
+-- 
+1.7.11.7
+
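Review bot: The removed block raised `AC_MSG_ERROR` when `--with-tls=moznss` was requested explicitly and NSS was not found; the new PKG_CHECK_MODULES branch has no equivalent, so an explicit MozNSS request silently falls through with `ol_link_tls` still `no`. Restore the check in the not-found action, e.g. `[if test $ol_with_tls = moznss ; then AC_MSG_ERROR([MozNSS not found]); fi; have_moznss=no]`. Appending `$MOZNSS_CFLAGS` to the global `CFLAGS` spreads the NSS include paths across every compilation unit, whereas the previous code left include paths to the caller and only set `TLS_LIBS`. The rewritten `if test $have_moznss = yes` also dropped the quotes the original line had around the variable.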
diff --git a/SOURCES/openldap-cldap.patch b/SOURCES/openldap-cldap.patch
new file mode 100644
index 0000000..834b74f
--- /dev/null
+++ b/SOURCES/openldap-cldap.patch
@@ -0,0 +1,270 @@
+This is a 3-part patch that fixes connectionless ldap when used with IPv6.
+================================================================================
+Don't try to parse the result of a CLDAP bind request. Since these are
+faked, no message is actually returned.
+
+Author: Stef Walter <stefw@redhat.com>
+Upstream commit: 5c919894779d67280fa26afdd94d99248fc38099
+ITS: #7695
+Backported-By: Jan Synacek <jsynacek@redhat.com>
+
+--- a/clients/tools/common.c	2013-08-16 20:12:59.000000000 +0200
++++ b/clients/tools/common.c	2013-10-14 09:35:50.817033451 +0200
+@@ -1521,11 +1521,13 @@ tool_bind( LDAP *ld )
+ 			tool_exit( ld, LDAP_LOCAL_ERROR );
+ 		}
+ 
+-		rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs,
+-			&ctrls, 1 );
+-		if ( rc != LDAP_SUCCESS ) {
+-			tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs );
+-			tool_exit( ld, LDAP_LOCAL_ERROR );
++		if ( result ) {
++			rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs,
++									&ctrls, 1 );
++			if ( rc != LDAP_SUCCESS ) {
++				tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs );
++				tool_exit( ld, LDAP_LOCAL_ERROR );
++			}
+ 		}
+ 
+ #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
+================================================================================
+commit d51ee964fc5e1f02b035811de0f95eee81c2789f
+Author: Howard Chu <hyc@openldap.org>
+Date:   Thu Oct 10 10:48:08 2013 -0700
+
+    ITS#7694 more for IPv6 CLDAP, slapd fix
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index e169494..7ed3f63 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -1499,22 +1499,53 @@ connection_input( Connection *conn , conn_readinfo *cri )
+ 
+ #ifdef LDAP_CONNECTIONLESS
+ 	if ( conn->c_is_udp ) {
++#if defined(LDAP_PF_INET6)
++		char peername[sizeof("IP=[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]:65535")];
++		char addr[INET6_ADDRSTRLEN];
++#else
+ 		char peername[sizeof("IP=255.255.255.255:65336")];
++		char addr[INET_ADDRSTRLEN];
++#endif
+ 		const char *peeraddr_string = NULL;
+ 
+-		len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(struct sockaddr));
+-		if (len != sizeof(struct sockaddr)) return 1;
++		len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(Sockaddr));
++		if (len != sizeof(Sockaddr)) return 1;
+ 
++#if defined(LDAP_PF_INET6)
++		if (peeraddr.sa_addr.sa_family == AF_INET6) {
++			if ( IN6_IS_ADDR_V4MAPPED(&peeraddr.sa_in6_addr.sin6_addr) ) {
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+-		char addr[INET_ADDRSTRLEN];
+-		peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr,
++				peeraddr_string = inet_ntop( AF_INET,
++				   ((struct in_addr *)&peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]),
++				   addr, sizeof(addr) );
++#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
++				peeraddr_string = inet_ntoa( *((struct in_addr *)
++					&peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]) );
++#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
++				if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN;
++				sprintf( peername, "IP=%s:%d", peeraddr_string,
++					(unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) );
++			} else {
++				peeraddr_string = inet_ntop( AF_INET6,
++				      &peeraddr.sa_in6_addr.sin6_addr,
++				      addr, sizeof addr );
++				if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN;
++				sprintf( peername, "IP=[%s]:%d", peeraddr_string,
++					 (unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) );
++			}
++		} else
++#endif
++#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
++		{
++			peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr,
+ 			   addr, sizeof(addr) );
+ #else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+-		peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr );
++			peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr );
+ #endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
+-		sprintf( peername, "IP=%s:%d",
+-			 peeraddr_string,
+-			(unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) );
++			sprintf( peername, "IP=%s:%d",
++				 peeraddr_string,
++				(unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) );
++		}
+ 		Statslog( LDAP_DEBUG_STATS,
+ 			"conn=%lu UDP request from %s (%s) accepted.\n",
+ 			conn->c_connid, peername, conn->c_sock_name.bv_val, 0, 0 );
+================================================================================
+commit 743a9783d57ea6b693e56f6545ac5d68dc9242c7
+Author: Stef Walter <stefw@redhat.com>
+Date:   Thu Sep 12 15:49:36 2013 +0200
+
+    ITS#7694 Fix use of IPv6 with LDAP_CONNECTIONLESS
+    
+    LDAP_CONNECTIONLESS code assumed that the size of an peer address
+    is equal to or smaller than sizeof (struct sockaddr).
+    
+    Fix to use struct sockaddr_storage instead which is intended for
+    this purpose. Use getnameinfo() where appropriate so we don't
+    assume anything about the contents of struct sockaddr
+
+diff --git a/libraries/liblber/sockbuf.c b/libraries/liblber/sockbuf.c
+index d997e92..858c942 100644
+--- a/libraries/liblber/sockbuf.c
++++ b/libraries/liblber/sockbuf.c
+@@ -888,8 +888,8 @@ Sockbuf_IO ber_sockbuf_io_debug = {
+  *
+  * All I/O at this level must be atomic. For ease of use, the sb_readahead
+  * must be used above this module. All data reads and writes are prefixed
+- * with a sockaddr containing the address of the remote entity. Upper levels
+- * must read and write this sockaddr before doing the usual ber_printf/scanf
++ * with a sockaddr_storage containing the address of the remote entity. Upper levels
++ * must read and write this sockaddr_storage before doing the usual ber_printf/scanf
+  * operations on LDAP messages.
+  */
+ 
+@@ -914,13 +914,13 @@ sb_dgram_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len )
+ 	assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
+ 	assert( buf != NULL );
+ 
+-	addrlen = sizeof( struct sockaddr );
++	addrlen = sizeof( struct sockaddr_storage );
+ 	src = buf;
+ 	buf = (char *) buf + addrlen;
+ 	len -= addrlen;
+ 	rc = recvfrom( sbiod->sbiod_sb->sb_fd, buf, len, 0, src, &addrlen );
+ 
+-	return rc > 0 ? rc+sizeof(struct sockaddr) : rc;
++	return rc > 0 ? rc+sizeof(struct sockaddr_storage) : rc;
+ }
+ 
+ static ber_slen_t 
+@@ -934,11 +934,11 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len )
+ 	assert( buf != NULL );
+ 
+ 	dst = buf;
+-	buf = (char *) buf + sizeof( struct sockaddr );
+-	len -= sizeof( struct sockaddr );
++	buf = (char *) buf + sizeof( struct sockaddr_storage );
++	len -= sizeof( struct sockaddr_storage );
+    
+ 	rc = sendto( sbiod->sbiod_sb->sb_fd, buf, len, 0, dst,
+-		sizeof( struct sockaddr ) );
++		sizeof( struct sockaddr_storage ) );
+ 
+ 	if ( rc < 0 ) return -1;
+    
+@@ -949,7 +949,7 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len )
+ # endif
+ 		return -1;
+ 	}
+-	rc = len + sizeof(struct sockaddr);
++	rc = len + sizeof(struct sockaddr_storage);
+ 	return rc;
+ }
+ 
+diff --git a/libraries/libldap/abandon.c b/libraries/libldap/abandon.c
+index d999b07..8fd9bc2 100644
+--- a/libraries/libldap/abandon.c
++++ b/libraries/libldap/abandon.c
+@@ -209,7 +209,7 @@ start_again:;
+ 			LDAP_NEXT_MSGID(ld, i);
+ #ifdef LDAP_CONNECTIONLESS
+ 			if ( LDAP_IS_UDP(ld) ) {
+-				struct sockaddr sa = {0};
++				struct sockaddr_storage sa = {0};
+ 				/* dummy, filled with ldo_peer in request.c */
+ 				err = ber_write( ber, (char *) &sa, sizeof(sa), 0 );
+ 			}
+diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
+index 24d8a41..5b2613a 100644
+--- a/libraries/libldap/open.c
++++ b/libraries/libldap/open.c
+@@ -268,6 +268,7 @@ ldap_init_fd(
+ 	int rc;
+ 	LDAP *ld;
+ 	LDAPConn *conn;
++	socklen_t len;
+ 
+ 	*ldp = NULL;
+ 	rc = ldap_create( &ld );
+@@ -308,6 +309,15 @@ ldap_init_fd(
+ 
+ #ifdef LDAP_CONNECTIONLESS
+ 	case LDAP_PROTO_UDP:
++		LDAP_IS_UDP(ld) = 1;
++		if( ld->ld_options.ldo_peer )
++			ldap_memfree( ld->ld_options.ldo_peer );
++		ld->ld_options.ldo_peer = ldap_memalloc( sizeof( struct sockaddr_storage ) );
++		len = sizeof( struct sockaddr_storage );
++		if( getpeername ( fd, ld->ld_options.ldo_peer, &len ) < 0) {
++			ldap_unbind_ext( ld, NULL, NULL );
++			return( AC_SOCKET_ERROR );
++		}
+ #ifdef LDAP_DEBUG
+ 		ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
+ 			LBER_SBIOD_LEVEL_PROVIDER, (void *)"udp_" );
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..90b92df 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -422,8 +422,8 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s,
+ 	if (LDAP_IS_UDP(ld)) {
+ 		if (ld->ld_options.ldo_peer)
+ 			ldap_memfree(ld->ld_options.ldo_peer);
+-		ld->ld_options.ldo_peer=ldap_memalloc(sizeof(struct sockaddr));
+-		AC_MEMCPY(ld->ld_options.ldo_peer,sin,sizeof(struct sockaddr));
++		ld->ld_options.ldo_peer=ldap_memcalloc(1, sizeof(struct sockaddr_storage));
++		AC_MEMCPY(ld->ld_options.ldo_peer,sin,addrlen);
+ 		return ( 0 );
+ 	}
+ #endif
+diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
+index fc2f4d0..4822a63 100644
+--- a/libraries/libldap/request.c
++++ b/libraries/libldap/request.c
+@@ -308,7 +308,7 @@ ldap_send_server_request(
+ 		ber_rewind( &tmpber );
+ 		LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex );
+ 		rc = ber_write( &tmpber, ld->ld_options.ldo_peer,
+-			sizeof( struct sockaddr ), 0 );
++			sizeof( struct sockaddr_storage ), 0 );
+ 		LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
+ 		if ( rc == -1 ) {
+ 			ld->ld_errno = LDAP_ENCODING_ERROR;
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index f2a6c7b..d293299 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -482,8 +482,8 @@ retry:
+ 	sock_errset(0);
+ #ifdef LDAP_CONNECTIONLESS
+ 	if ( LDAP_IS_UDP(ld) ) {
+-		struct sockaddr from;
+-		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr) );
++		struct sockaddr_storage from;
++		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
+ 		if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
+ 	}
+ nextresp3:
+diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c
+index 3867b5b..b966d1a 100644
+--- a/libraries/libldap/search.c
++++ b/libraries/libldap/search.c
+@@ -305,7 +305,7 @@ ldap_build_search_req(
+ 	LDAP_NEXT_MSGID( ld, *idp );
+ #ifdef LDAP_CONNECTIONLESS
+ 	if ( LDAP_IS_UDP(ld) ) {
+-		struct sockaddr sa = {0};
++		struct sockaddr_storage sa = {0};
+ 		/* dummy, filled with ldo_peer in request.c */
+ 	    err = ber_write( ber, (char *) &sa, sizeof( sa ), 0 );
+ 	}
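Review bot: In the open.c hunk, `ld->ld_options.ldo_peer = ldap_memalloc( sizeof( struct sockaddr_storage ) )` is passed straight to `getpeername()` without a NULL check, so an allocation failure dereferences NULL; add `if ( ld->ld_options.ldo_peer == NULL ) { ldap_unbind_ext( ld, NULL, NULL ); return( AC_SOCKET_ERROR ); }` before `len = ...`. The connection.c hunk formats into `peername` with `sprintf`; the buffers appear sized for the longest textual form each branch can produce, but `snprintf( peername, sizeof(peername), ... )` would make that bound explicit and survive a later change to the literals. In os-ip.c, `AC_MEMCPY(..., sin, addrlen)` relies on `addrlen` from the enclosing ldap_pvt_connect, which is outside the hunk; it should be verified to be at most `sizeof(struct sockaddr_storage)` since the destination is now calloc'd to exactly that size.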
diff --git a/SOURCES/openldap-dns-priority.patch b/SOURCES/openldap-dns-priority.patch
new file mode 100644
index 0000000..8dc0923
--- /dev/null
+++ b/SOURCES/openldap-dns-priority.patch
@@ -0,0 +1,192 @@
+Implement priority/weight for DNS SRV records
+
+From RFC 2782:
+
+  A client MUST attempt to contact the target host with the
+  lowest-numbered priority it can reach.
+
+This patch sorts the DNS SRV records by their priority, and
+additionally gives records with a larger weight a higher probability
+of appearing earlier. This way, the DNS SRV records are tried in the
+order of their priority.
+
+Author: James M Leddy <james.leddy@redhat.com>
+Upstream ITS: #7027
+Resolves: #733078
+
+---
+ libraries/libldap/dnssrv.c |  106 ++++++++++++++++++++++++++++++++++----------
+ 1 files changed, 83 insertions(+), 23 deletions(-)
+
+diff --git a/libraries/libldap/dnssrv.c b/libraries/libldap/dnssrv.c
+index 16b1544..40f93b4 100644
+--- a/libraries/libldap/dnssrv.c
++++ b/libraries/libldap/dnssrv.c
+@@ -174,6 +174,46 @@ int ldap_domain2dn(
+ 	return LDAP_SUCCESS;
+ }
+ 
++#ifdef HAVE_RES_QUERY
++#define DNSBUFSIZ (64*1024)
++typedef struct srv_record {
++    u_short priority;
++    u_short weight;
++    u_short port;
++    char hostname[DNSBUFSIZ];
++} srv_record;
++
++
++static int srv_cmp(const void *aa, const void *bb){
++    srv_record *a=(srv_record *)aa;
++    srv_record *b=(srv_record *)bb;
++    u_long total;
++    
++    if(a->priority < b->priority) {
++	return -1;
++    }
++    if(a->priority > b->priority) {
++	return 1;
++    }
++    if(a->priority == b->priority){
++	/* targets with same priority are in psudeo random order */
++	if (a->weight == 0 && b->weight == 0) {
++	    if (rand() % 2) {
++		return -1;
++	    } else {
++		return 1;
++	    }
++	}
++	total = a->weight + b->weight;
++	if (rand() % total < a->weight) {
++	    return -1;
++	} else {
++	    return 1;
++	}
++    }
++}
++#endif /* HAVE_RES_QUERY */
++
+ /*
+  * Lookup and return LDAP servers for domain (using the DNS
+  * SRV record _ldap._tcp.domain).
+@@ -183,15 +223,16 @@ int ldap_domain2hostlist(
+ 	char **list )
+ {
+ #ifdef HAVE_RES_QUERY
+-#define DNSBUFSIZ (64*1024)
+-    char *request;
+-    char *hostlist = NULL;
++    char *request; 
++   char *hostlist = NULL;
++    srv_record *hostent_head=NULL;
++    int i;
+     int rc, len, cur = 0;
+     unsigned char reply[DNSBUFSIZ];
++    int hostent_count=0;
+ 
+ 	assert( domain != NULL );
+ 	assert( list != NULL );
+-
+ 	if( *domain == '\0' ) {
+ 		return LDAP_PARAM_ERROR;
+ 	}
+@@ -223,8 +264,7 @@ int ldap_domain2hostlist(
+ 	unsigned char *p;
+ 	char host[DNSBUFSIZ];
+ 	int status;
+-	u_short port;
+-	/* int priority, weight; */
++	u_short port, priority, weight; 
+ 
+ 	/* Parse out query */
+ 	p = reply;
+@@ -263,40 +303,56 @@ int ldap_domain2hostlist(
+ 	    size = (p[0] << 8) | p[1];
+ 	    p += 2;
+ 	    if (type == T_SRV) {
+-		int buflen;
+ 		status = dn_expand(reply, reply + len, p + 6, host, sizeof(host));
+ 		if (status < 0) {
+ 		    goto out;
+ 		}
+-		/* ignore priority and weight for now */
+-		/* priority = (p[0] << 8) | p[1]; */
+-		/* weight = (p[2] << 8) | p[3]; */
++		
++		/* Get priority weight and port */
++		priority = (p[0] << 8) | p[1];
++		weight = (p[2] << 8) | p[3]; 
+ 		port = (p[4] << 8) | p[5];
+ 
+ 		if ( port == 0 || host[ 0 ] == '\0' ) {
+ 		    goto add_size;
+ 		}
+ 
+-		buflen = strlen(host) + STRLENOF(":65355 ");
+-		hostlist = (char *) LDAP_REALLOC(hostlist, cur + buflen + 1);
+-		if (hostlist == NULL) {
+-		    rc = LDAP_NO_MEMORY;
+-		    goto out;
++		hostent_head = (srv_record *) LDAP_REALLOC(hostent_head, (hostent_count+1)*(sizeof(srv_record)));
++		if(hostent_head==NULL){
++		  rc=LDAP_NO_MEMORY;
++		  goto out;
++		  
+ 		}
+-		if (cur > 0) {
+-		    /* not first time around */
+-		    hostlist[cur++] = ' ';
+-		}
+-		cur += sprintf(&hostlist[cur], "%s:%hu", host, port);
++		hostent_head[hostent_count].priority=priority;
++		hostent_head[hostent_count].weight=weight;
++		hostent_head[hostent_count].port=port;
++		strncpy(hostent_head[hostent_count].hostname, host,255);
++		hostent_count=hostent_count+1;
+ 	    }
+ add_size:;
+ 	    p += size;
+ 	}
+     }
++    qsort(hostent_head, hostent_count, sizeof(srv_record), srv_cmp);
++
++    for(i=0; i<hostent_count; i++){
++	int buflen;
++        buflen = strlen(hostent_head[i].hostname) + STRLENOF(":65355" );
++        hostlist = (char *) LDAP_REALLOC(hostlist, cur+buflen+1);
++        if (hostlist == NULL) {
++            rc = LDAP_NO_MEMORY;
++            goto out;
++        }
++        if(cur>0){
++            hostlist[cur++]=' ';
++        }
++        cur += sprintf(&hostlist[cur], "%s:%hd", hostent_head[i].hostname, hostent_head[i].port);
++    }
++
+     if (hostlist == NULL) {
+-	/* No LDAP servers found in DNS. */
+-	rc = LDAP_UNAVAILABLE;
+-	goto out;
++         /* No LDAP servers found in DNS. */
++         rc = LDAP_UNAVAILABLE;
++         goto out;
+     }
+ 
+     rc = LDAP_SUCCESS;
+@@ -308,8 +364,12 @@ add_size:;
+     if (request != NULL) {
+ 	LDAP_FREE(request);
+     }
++    if (hostent_head != NULL) {
++	LDAP_FREE(hostent_head);
++    }
+     if (rc != LDAP_SUCCESS && hostlist != NULL) {
+ 	LDAP_FREE(hostlist);
++	
+     }
+     return rc;
+ #else
+-- 
+1.7.6
+
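Review bot: The host list is now formatted with `%hd` for `port`, whereas the removed line used `%hu`; `port` is a `u_short`, so any port above 32767 is emitted as a negative number and the resulting host list is unusable. Restore `"%s:%hu"`. `srv_cmp` calls `rand()` for records of equal priority, so the comparator does not define a consistent ordering across calls; the C standard requires a consistent comparison for `qsort`, and some implementations may misbehave on an inconsistent one, so a safer design is to sort deterministically by priority and then reorder each equal-priority run by weight in a separate pass. `strncpy(..., host, 255)` into `hostname` does not guarantee NUL termination if `host` is 255 bytes or longer, and sizing `hostname` at `DNSBUFSIZ` makes each srv_record 64 KiB per realloc, which is far more than a DNS name needs.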
diff --git a/SOURCES/openldap-doc1.patch b/SOURCES/openldap-doc1.patch
new file mode 100644
index 0000000..13c4c41
--- /dev/null
+++ b/SOURCES/openldap-doc1.patch
@@ -0,0 +1,36 @@
+Upstream ITS: #7568
+
+From 6be982c000133ccf9da949d39eed23a93bc7bfc5 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Tue, 9 Apr 2013 12:41:38 +0200
+Subject: [PATCH 1/2] Fix typos in ldap.conf.5
+
+---
+ doc/man/man5/ldap.conf.5 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..8f7fecd 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
+ should be used. The default is off.
+ .TP
+ .B GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
+-Specifies if GSSAPI based authentification should try to form the
++Specifies if GSSAPI based authentication should try to form the
+ target principal name out of the ldapServiceName or dnsHostName
+ attribute of the targets RootDSE entry. The default is off.
+ .SH TLS OPTIONS
+@@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully.
+ When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
+ the password for the key for the certificate specified with TLS_CERT.  The
+ modutil command can be used to turn off password protection for the cert/key
+-database.  For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as
++database.  For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as
+ the location of the cert/key database, use modutil to change the password
+ to the empty string:
+ .nf
+-- 
+1.8.1.4
+
diff --git a/SOURCES/openldap-doc2.patch b/SOURCES/openldap-doc2.patch
new file mode 100644
index 0000000..47b1c13
--- /dev/null
+++ b/SOURCES/openldap-doc2.patch
@@ -0,0 +1,27 @@
+Upstream ITS: #7568
+
+From 05c726c62785b2c307f9c5343a253d43ec7322c6 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Tue, 9 Apr 2013 12:42:31 +0200
+Subject: [PATCH 2/2] Add -Q to slaptest's help
+
+---
+ servers/slapd/slapcommon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
+index 714e2bc..153310f 100644
+--- a/servers/slapd/slapcommon.c
++++ b/servers/slapd/slapcommon.c
+@@ -92,7 +92,7 @@ usage( int tool, const char *progname )
+ 		break;
+ 
+ 	case SLAPTEST:
+-		options = " [-n databasenumber] [-u]\n";
++		options = " [-n databasenumber] [-u] [-Q]\n";
+ 		break;
+ 
+ 	case SLAPSCHEMA:
+-- 
+1.8.1.4
+
diff --git a/SOURCES/openldap-doc3.patch b/SOURCES/openldap-doc3.patch
new file mode 100644
index 0000000..d0e7821
--- /dev/null
+++ b/SOURCES/openldap-doc3.patch
@@ -0,0 +1,39 @@
+From 128a8c486e86b8e8c8d34f0eb9fdc0b580212e5b Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Tue, 3 Sep 2013 14:09:37 +0200
+Subject: [PATCH] Fix typos in manpages.
+
+---
+ doc/man/man1/ldapsearch.1   | 2 +-
+ doc/man/man5/slapd-passwd.5 | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
+index 82ddddb..150f064 100644
+--- a/doc/man/man1/ldapsearch.1
++++ b/doc/man/man1/ldapsearch.1
+@@ -456,7 +456,7 @@ This command:
+ .fi
+ .LP
+ will perform a one-level search at the c=US level for all entries
+-whose organization name (o) begins begins with \fBUniversity\fP.
++whose organization name (o) begins with \fBUniversity\fP.
+ The organization name and description attribute values will be retrieved
+ and printed to standard output, resulting in output similar to this:
+ .LP
+diff --git a/doc/man/man5/slapd-passwd.5 b/doc/man/man5/slapd-passwd.5
+index fbd30f2..2dc5c5d 100644
+--- a/doc/man/man5/slapd-passwd.5
++++ b/doc/man/man5/slapd-passwd.5
+@@ -13,7 +13,7 @@ serves up the user account information listed in the system
+ .BR passwd (5)
+ file.  This backend is provided for demonstration purposes only.
+ The DN of each entry is "uid=<username>,<suffix>".
+-Note that non-base searches scan the the entire passwd file, and
++Note that non-base searches scan the entire passwd file, and
+ are best suited for hosts with small passwd files.
+ .SH CONFIGURATION
+ This
+-- 
+1.8.3.1
+
diff --git a/SOURCES/openldap-fedora-systemd.patch b/SOURCES/openldap-fedora-systemd.patch
new file mode 100644
index 0000000..fa59ca2
--- /dev/null
+++ b/SOURCES/openldap-fedora-systemd.patch
@@ -0,0 +1,23 @@
+Skip any empty parameters when parsing command line options.
+This is required because systemd does not expand variables the same way as shell does,
+we need it because of an empty SLAPD_OPTIONS in environment file.
+
+Fedora specific patch.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+
+diff --git a/servers/slapd/main.c b/servers/slapd/main.c
+index dac4864..83614f4 100644
+--- a/servers/slapd/main.c
++++ b/servers/slapd/main.c
+@@ -685,6 +685,10 @@ unhandled_option:;
+ 		}
+ 	}
+ 
++	/* skip empty parameters */
++	while ( optind < argc && *argv[optind] == '\0' )
++		optind += 1;
++
+ 	if ( optind != argc )
+ 		goto unhandled_option;
+ 
diff --git a/SOURCES/openldap-ldapi-sasl.patch b/SOURCES/openldap-ldapi-sasl.patch
new file mode 100644
index 0000000..058cc1c
--- /dev/null
+++ b/SOURCES/openldap-ldapi-sasl.patch
@@ -0,0 +1,55 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+ libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+ 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+ 	struct berval	ccred = BER_BVNULL;
+ 	int saslrc, rc;
+ 	unsigned credlen;
++	char my_hostname[HOST_NAME_MAX + 1];
++	int free_saslhost = 0;
+ 
+ 	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+ 		mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+ 
+ 			/* If we don't need to canonicalize just use the host
+ 			 * from the LDAP URI.
++			 * Always use the result of gethostname() for LDAPI.
+ 			 */
+-			if ( nocanon )
++			if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++			    strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++				rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++				if (rc == 0) {
++					saslhost = my_hostname;
++				} else {
++					saslhost = "localhost";
++				}
++			} else if ( nocanon )
+ 				saslhost = ld->ld_defconn->lconn_server->lud_host;
+-			else 
++			else {
+ 				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ 				"localhost" );
++				free_saslhost = 1;
++			}
+ 			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+-			if ( !nocanon )
++			if ( free_saslhost )
+ 				LDAP_FREE( saslhost );
+ 		}
+ 
+-- 
+1.7.11.7
+
diff --git a/SOURCES/openldap-ldaprc-currentdir.patch b/SOURCES/openldap-ldaprc-currentdir.patch
new file mode 100644
index 0000000..420c1f9
--- /dev/null
+++ b/SOURCES/openldap-ldaprc-currentdir.patch
@@ -0,0 +1,20 @@
+Disables opening of ldaprc file in current directory.
+
+Resolves: #38402
+Upstream: ITS #1131
+Author: Henning Schmiedehausen <hps@intermeta.de>
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 8617527..e6b17b4 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -352,9 +352,6 @@ static void openldap_ldap_init_w_userconf(const char *file)
+ 	if(path != NULL) {
+ 		LDAP_FREE(path);
+ 	}
+-
+-	/* try file */
+-	openldap_ldap_init_w_conf(file, 1);
+ }
+ 
+ static void openldap_ldap_init_w_env(
diff --git a/SOURCES/openldap-loglevel2bvarray.patch b/SOURCES/openldap-loglevel2bvarray.patch
new file mode 100644
index 0000000..1a0e766
--- /dev/null
+++ b/SOURCES/openldap-loglevel2bvarray.patch
@@ -0,0 +1,27 @@
+From 4313b91b0bc2fe6585656cd69a03f9755b5af3c4 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Wed, 29 May 2013 10:21:40 +0200
+Subject: [PATCH] Fix loglevel2bvarray
+
+---
+ servers/slapd/bconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 4e1f1b5..def6daf 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -3622,6 +3622,10 @@ loglevel2bvarray( int l, BerVarray *bva )
+ 		loglevel_init();
+ 	}
+ 
++	if ( l == 0 ) {
++		return value_add_one( bva, ber_bvstr( "0" ) );
++	}
++
+ 	return mask_to_verbs( loglevel_ops, l, bva );
+ }
+ 
+-- 
+1.8.1.4
+
diff --git a/SOURCES/openldap-man-sasl-nocanon.patch b/SOURCES/openldap-man-sasl-nocanon.patch
new file mode 100644
index 0000000..c4a9e39
--- /dev/null
+++ b/SOURCES/openldap-man-sasl-nocanon.patch
@@ -0,0 +1,23 @@
+fix: SASL_NOCANON option missing in ldap.conf manual page
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7177
+Resolves: #732915
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 51f774f..5f17122 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -284,6 +284,9 @@ description).  The default is
+ specifies the maximum security layer receive buffer
+ size allowed.  0 disables security layers.  The default is 65536.
+ .RE
++.TP
++.B SASL_NOCANON <on/true/yes/off/false/no>
++Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
+ .SH GSSAPI OPTIONS
+ If OpenLDAP is built with Generic Security Services Application Programming Interface support,
+ there are more options you can specify.
+-- 
+1.7.6.5
+
diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch
new file mode 100644
index 0000000..1678b38
--- /dev/null
+++ b/SOURCES/openldap-manpages.patch
@@ -0,0 +1,112 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,9 +397,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5),
+-.BR slapd.replog (5)
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ This parameter is ignored with GnuTLS.
+ 
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man5/ldif.5 b/doc/man/man5/ldif.5
+index 79615b6..2c06246 100644
+--- a/doc/man/man5/ldif.5
++++ b/doc/man/man5/ldif.5
+@@ -270,8 +270,7 @@ commands.
+ .BR ldapmodify (1),
+ .BR slapadd (8),
+ .BR slapcat (8),
+-.BR slapd\-ldif (5),
+-.BR slapd.replog (5).
++.BR slapd\-ldif (5).
+ .LP
+ "LDAP Data Interchange Format," Good, G., RFC 2849.
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 742876a..31643c7 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -2086,7 +2086,6 @@ default slapd configuration directory
+ .BR slapd.conf (5),
+ .BR slapd.overlays (5),
+ .BR slapd.plugin (5),
+-.BR slapd.replog (5),
+ .BR slapd (8),
+ .BR slapacl (8),
+ .BR slapadd (8),
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index 0a3a955..352cc7e 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -2016,7 +2016,6 @@ default slapd configuration file
+ .BR slapd.backends (5),
+ .BR slapd.overlays (5),
+ .BR slapd.plugin (5),
+-.BR slapd.replog (5),
+ .BR slapd (8),
+ .BR slapacl (8),
+ .BR slapadd (8),
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	slapd -Tt
+ .ft
+ .fi
+ .LP
+-- 
+1.8.1.4
+
diff --git a/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch b/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch
new file mode 100644
index 0000000..d20e48a
--- /dev/null
+++ b/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch
@@ -0,0 +1,86 @@
+MozNSS: load certificates from certdb, fallback to PEM
+
+If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
+certificate database, the backend assumed that the certificate is always
+located in the certificate database. This assumption might be wrong.
+
+This patch makes the library to try to load the certificate from NSS
+database and fallback to PEM file if unsuccessfull.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7389
+Resolves: #857455
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 6847bea..8339391 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
+ 	/* prefer unlocked key, then key from opened certdb, then any other */
+ 	if ( unlocked_key )
+ 		ctx->tc_private_key = unlocked_key;
+-	else if ( ctx->tc_certdb_slot )
++	else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
+ 		ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
+ 	else
+ 		ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
+@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
+ 				}
+ 				return -1;
+ 			}
+-
+-			ctx->tc_using_pem = PR_TRUE;
+ 		}
+ 
+ 		NSS_SetDomesticPolicy();
+@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
+ 
+ 	/* set up our cert and key, if any */
+ 	if ( lt->lt_certfile ) {
+-		/* if using the PEM module, load the PEM file specified by lt_certfile */
+-		/* otherwise, assume this is the name of a cert already in the db */
+-		if ( ctx->tc_using_pem ) {
+-			/* this sets ctx->tc_certificate to the correct value */
+-			int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
+-			if ( rc ) {
+-				return rc;
+-			}
+-		} else {
++
++		/* first search in certdb (lt_certfile is nickname) */
++		if ( ctx->tc_certdb ) {
+ 			char *tmp_certname;
+ 
+ 			if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
+@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
+ 				Debug( LDAP_DEBUG_ANY,
+ 					   "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
+ 					   lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++			}
++		}
++
++		/* fallback to PEM module (lt_certfile is filename) */
++		if ( !ctx->tc_certificate ) {
++			if ( !pem_module && tlsm_init_pem_module() ) {
++				int pem_errcode = PORT_GetError();
++				Debug( LDAP_DEBUG_ANY,
++					   "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
++					   pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ 				return -1;
+ 			}
++
++			/* this sets ctx->tc_certificate to the correct value */
++			if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
++				ctx->tc_using_pem = PR_TRUE;
++			}
++		}
++
++		if ( ctx->tc_certificate ) {
++			Debug( LDAP_DEBUG_ANY,
++				   "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
++				   ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
++		} else {
++			return -1;
+ 		}
+ 	}
+ 
diff --git a/SOURCES/openldap-nss-ignore-certdb-type-prefix.patch b/SOURCES/openldap-nss-ignore-certdb-type-prefix.patch
new file mode 100644
index 0000000..2fab916
--- /dev/null
+++ b/SOURCES/openldap-nss-ignore-certdb-type-prefix.patch
@@ -0,0 +1,47 @@
+MozNSS: ignore certdb database type prefix when checking existence of the directory
+
+If the certdb is specified including the database type prefix (e.g.
+sql:, dbm:), the prefix has to be ignored when checking the
+certificate directory existence.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7388
+Resolves: #857373
+
+---
+ libraries/libldap/tls_m.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 49a3f8f..5ee21a2 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
+ {
+ 	char sep = PR_GetDirectorySeparator();
+ 	char *ptr = NULL;
++	char *chkpath = NULL;
+ 	struct PRFileInfo prfi;
+ 	PRStatus prc;
+ 
+@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
+ 		return;
+ 	}
+ 
+-	prc = PR_GetFileInfo( certdir, &prfi );
++	/* ignore database type prefix (e.g. sql:, dbm:) if provided */
++	chkpath = strchr( certdir, ':' );
++	if ( chkpath != NULL ) {
++		chkpath += 1;
++	} else {
++		chkpath = certdir;
++	}
++
+ 	/* if certdir exists (file or directory) then it cannot specify a prefix */
++	prc = PR_GetFileInfo( chkpath, &prfi );
+ 	if ( prc == PR_SUCCESS ) {
+ 		return;
+ 	}
+-- 
+1.7.11.7
+
diff --git a/SOURCES/openldap-nss-pk11-freeslot.patch b/SOURCES/openldap-nss-pk11-freeslot.patch
new file mode 100644
index 0000000..9ac541d
--- /dev/null
+++ b/SOURCES/openldap-nss-pk11-freeslot.patch
@@ -0,0 +1,27 @@
+Resolves: #929357
+
+From 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Thu, 28 Mar 2013 19:05:02 -0600
+Subject: [PATCH] must call PK11_FreeSlot after SECMOD_CloseUserDB to remove ref to slot
+
+---
+ libraries/libldap/tls_m.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 072d41d..c59d303 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2063,6 +2063,8 @@ tlsm_ctx_free ( tls_ctx *ctx )
+ 				   "TLS: could not close certdb slot - error %d:%s.\n",
+ 				   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ 		}
++		PK11_FreeSlot( c->tc_certdb_slot );
++		c->tc_certdb_slot = NULL;
+ 	}
+ 	PL_strfree( c->tc_pin_file );
+ 	c->tc_pin_file = NULL;
+-- 
+1.7.1
+
diff --git a/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch b/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch
new file mode 100644
index 0000000..03493db
--- /dev/null
+++ b/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch
@@ -0,0 +1,91 @@
+MozNSS: better file name matching for hashed CA  certificate directory
+
+CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name
+should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used
+to differentiate between two certificates with the same subject name.
+
+Wit this patch, certificate file names are matched correctly (using regular expressions).
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7374
+Resolves: #852786
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 5e49fc5..61d71d4 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -38,6 +38,7 @@
+ #include <ac/unistd.h>
+ #include <ac/param.h>
+ #include <ac/dirent.h>
++#include <ac/regex.h>
+ 
+ #include "ldap-int.h"
+ #include "ldap-tls.h"
+@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
+ 
+ #define PEM_LIBRARY	"nsspem"
+ #define PEM_MODULE	"PEM"
+-/* hash files for use with cacertdir have this file name suffix */
+-#define PEM_CA_HASH_FILE_SUFFIX	".0"
+-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
++#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
+ 
+ static SECMODModule *pem_module;
+ 
+@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ 		PRDir *dir;
+ 		PRDirEntry *entry;
+ 		PRStatus fistatus = PR_FAILURE;
++		regex_t hashfile_re;
+ 
+ 		memset( &fi, 0, sizeof(fi) );
+ 		fistatus = PR_GetFileInfo( cacertdir, &fi );
+@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ 			goto done;
+ 		}
+ 
++		if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
++			Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
++			goto done;
++		}
++
+ 		do {
+ 			entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
+ 			if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
+ 				char *fullpath = NULL;
+-				char *ptr;
++				int match;
+ 
+-				ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
+-				if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
++				match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
++				if ( match == REG_NOMATCH ) {
+ 					Debug( LDAP_DEBUG_TRACE,
+-						   "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
+-						   "directory file with a properly hashed file name - skipping.\n",
+-						   entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
++						   "TLS: skipping '%s' - filename does not have expected format "
++						   "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
++					continue;
++				} else if ( match != 0 ) {
++					Debug( LDAP_DEBUG_ANY,
++						   "TLS: cannot execute regex for CA hash file matching (%d).\n",
++						   match, 0, 0 );
+ 					continue;
+ 				}
++
+ 				fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
+ 				if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
+ 					Debug( LDAP_DEBUG_TRACE,
+@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ 				PR_smprintf_free( fullpath );
+ 			}
+ 		} while ( NULL != entry );
++		regfree ( &hashfile_re );
+ 		PR_CloseDir( dir );
+ 	}
+ done:
+-- 
+1.7.11.4
+
diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch
new file mode 100644
index 0000000..d5986c0
--- /dev/null
+++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch
@@ -0,0 +1,193 @@
+MozNSS: update list of supported cipher suites
+
+The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7374
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 1422ce2..5e49fc5 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -211,27 +211,34 @@ typedef struct {
+ 	int num;            /* The cipher id */
+ 	int attr;           /* cipher attributes: algorithms, etc */
+ 	int version;        /* protocol version valid for this cipher */
+-	int bits;           /* bits of strength */
+-	int alg_bits;       /* bits of the algorithm */
+ 	int strength;       /* LOW, MEDIUM, HIGH */
+ 	int enabled;        /* Enabled by default? */
+ } cipher_properties;
+ 
+ /* cipher attributes  */
+-#define SSL_kRSA  0x00000001L
+-#define SSL_aRSA  0x00000002L
+-#define SSL_aDSS  0x00000004L
+-#define SSL_DSS   SSL_aDSS
+-#define SSL_eNULL 0x00000008L
+-#define SSL_DES   0x00000010L
+-#define SSL_3DES  0x00000020L
+-#define SSL_RC4   0x00000040L
+-#define SSL_RC2   0x00000080L
+-#define SSL_AES   0x00000100L
+-#define SSL_MD5   0x00000200L
+-#define SSL_SHA1  0x00000400L
+-#define SSL_SHA   SSL_SHA1
+-#define SSL_RSA   (SSL_kRSA|SSL_aRSA)
++#define SSL_kRSA        0x00000001L
++#define SSL_aRSA        0x00000002L
++#define SSL_RSA         (SSL_kRSA|SSL_aRSA)
++#define SSL_aDSA        0x00000004L
++#define SSL_DSA         SSL_aDSA
++#define SSL_eNULL       0x00000008L
++#define SSL_DES         0x00000010L
++#define SSL_3DES        0x00000020L
++#define SSL_RC4         0x00000040L
++#define SSL_RC2         0x00000080L
++#define SSL_AES128      0x00000100L
++#define SSL_AES256      0x00000200L
++#define SSL_AES         (SSL_AES128|SSL_AES256)
++#define SSL_MD5         0x00000400L
++#define SSL_SHA1        0x00000800L
++#define SSL_kEDH        0x00001000L
++#define SSL_CAMELLIA128 0x00002000L
++#define SSL_CAMELLIA256 0x00004000L
++#define SSL_CAMELLIA    (SSL_CAMELLIA128|SSL_CAMELLIA256)
++#define SSL_SEED        0x00008000L
++#define SSL_kECDH       0x00010000L
++#define SSL_kECDHE      0x00020000L
++#define SSL_aECDSA      0x00040000L
+ 
+ /* cipher strength */
+ #define SSL_NULL      0x00000001L
+@@ -248,29 +255,70 @@ typedef struct {
+ 
+ /* Cipher translation */
+ static cipher_properties ciphers_def[] = {
+-	/* SSL 2 ciphers */
+-	{"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
+-	{"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
+-	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-	{"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-
+-	/* SSL3 ciphers */
+-	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
+-	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
+-	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-	{"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
+-	{"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+-	{"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
++
++	/*
++	 * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
++	 */
++
++	/* SSLv2 ciphers */
++	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW,      SSL_NOT_ALLOWED},
++	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH,     SSL_NOT_ALLOWED},
++	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
++	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
++	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
++	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
++
++	/* SSLv3 ciphers */
++	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
++	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
++	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
++	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
++	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM,   SSL_ALLOWED},
++	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM,   SSL_ALLOWED},
++	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
++	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
++	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
++	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
++	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
++	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
+ 
+ 	/* TLSv1 ciphers */
+-	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+-	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+-	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+-	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
++	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
++	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
++	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
++	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM,   SSL_ALLOWED},
++	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
++	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
++	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
++	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM,   SSL_ALLOWED},
++	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
++	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM,   SSL_ALLOWED},
++	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
++	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM,   SSL_ALLOWED},
++	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
++	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
+ };
+ 
+ #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
+@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 					mask |= SSL_RSA;
+ 				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
+ 					mask |= SSL_eNULL;
++				} else if (!strcmp(cipher, "AES128")) {
++					mask |= SSL_AES128;
++				} else if (!strcmp(cipher, "AES256")) {
++					mask |= SSL_AES256;
+ 				} else if (!strcmp(cipher, "AES")) {
+ 					mask |= SSL_AES;
+ 				} else if (!strcmp(cipher, "3DES")) {
+@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 					mask |= SSL_MD5;
+ 				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
+ 					mask |= SSL_SHA1;
++				} else if (!strcmp(cipher, "EDH")) {
++					mask |= SSL_kEDH;
++				} else if (!strcmp(cipher, "DSS")) {
++					mask |= SSL_aDSA;
++				} else if (!strcmp(cipher, "CAMELLIA128")) {
++					mask |= SSL_CAMELLIA128;
++				} else if (!strcmp(cipher, "CAMELLIA256")) {
++					mask |= SSL_CAMELLIA256;
++				} else if (!strcmp(cipher, "CAMELLIA")) {
++					mask |= SSL_CAMELLIA;
++				} else if (!strcmp(cipher, "SEED")) {
++					mask |= SSL_SEED;
++				} else if (!strcmp(cipher, "ECDH")) {
++					mask |= SSL_kECDH;
++				} else if (!strcmp(cipher, "ECDHE")) {
++					mask |= SSL_kECDHE;
++				} else if (!strcmp(cipher, "ECDSA")) {
++					mask |= SSL_aECDSA;
+ 				} else if (!strcmp(cipher, "SSLv2")) {
+ 					protocol |= SSL2;
+ 				} else if (!strcmp(cipher, "SSLv3")) {
+-- 
+1.7.11.4
+
diff --git a/SOURCES/openldap-reentrant-gethostby.patch b/SOURCES/openldap-reentrant-gethostby.patch
new file mode 100644
index 0000000..140b6e3
--- /dev/null
+++ b/SOURCES/openldap-reentrant-gethostby.patch
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
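Review bot: The `#if` at L2093 mixes `||` and `&&` with no parentheses, so it means `LDAP_R_COMPILE || (NAME_R && ADDR_R)` only by operator precedence; `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))` states the intent explicitly and matches the negated form already used at L2096. The commented-out `#undef`s at L2083–L2084 also leave a reader guessing why the reentrant variants are kept in a non-threaded libldap; a pointer to the rationale in the patch header would help, e.g. `/* keep gethostby*_r even outside libldap_r: the non-reentrant calls deadlock when re-entered via nss_ldap, see #179730 */`.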
diff --git a/SOURCES/openldap-security-pie.patch b/SOURCES/openldap-security-pie.patch
new file mode 100644
index 0000000..025c3d4
--- /dev/null
+++ b/SOURCES/openldap-security-pie.patch
@@ -0,0 +1,16 @@
+Build slapd as position-independent executable (PIE) to take an advantage of
+address space layout randomization (ASLD).
+
+Author: Thomas Woerner <twoerner@redhat.com>
+
+--- a/servers/slapd/Makefile.in
++++ b/servers/slapd/Makefile.in
+@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE
+ 	(cd slapi; $(MAKE) $(MFLAGS) all)
+ 
+ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
+-	$(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
++	$(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ 		$(WRAP_LIBS)
+ 	$(RM) $(SLAPTOOLS)
+ 	for i in $(SLAPTOOLS); do \
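Review bot: The description at L2104 expands the acronym as `(ASLD)`; it should read `(ASLR)`. The `-pie` link flag added at L2115 only yields a position-independent executable if the objects were compiled with `-fPIE`/`-fPIC`; the spec on this page sets `%global _hardened_build 1` (L2652) and passes `--with-pic` (L2894), which presumably supplies the compile-side flags, but the patch itself does not, so that dependency belongs in the patch header. `-Wl,-z,defs` is a separate choice (unresolved symbols become a link-time error rather than a load-time surprise) that the header does not mention either.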
diff --git a/SOURCES/openldap-smbk5pwd-overlay.patch b/SOURCES/openldap-smbk5pwd-overlay.patch
new file mode 100644
index 0000000..38936cf
--- /dev/null
+++ b/SOURCES/openldap-smbk5pwd-overlay.patch
@@ -0,0 +1,62 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ 	syncprov.c \
+ 	translucent.c \
+ 	unique.c \
+-	valsort.c
++	valsort.c \
++	smbk5pwd.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ 	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+ 
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
+-- 
+1.7.10.4
+
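Review bot: The new `smbk5pwd.lo` rule at L2175–L2176 switches the crypto backend for this one module with `-UHAVE_MOZNSS -DHAVE_OPENSSL` while the rest of the tree is configured with `--with-tls=moznss` (spec, L2895), and nothing in the Makefile records why; a one-line comment above the rule, e.g. `# smbk5pwd is built against OpenSSL rather than the NSS used by slapd itself; see Resolves: #841560`, would save the next maintainer the archaeology. The `$(shell pkg-config …)` calls at L2176 and L2179 are GNU make only, which is presumably acceptable for this packaging but worth noting in the same comment.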
diff --git a/SOURCES/openldap-sql-linking.patch b/SOURCES/openldap-sql-linking.patch
new file mode 100644
index 0000000..c7edf8c
--- /dev/null
+++ b/SOURCES/openldap-sql-linking.patch
@@ -0,0 +1,14 @@
+Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package
+independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.)
+
+--- openldap-2.4.24.orig/build/top.mk
++++ openldap-2.4.24/build/top.mk
+@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
+ SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
+ SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
+ 
+-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
++SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
+ 
+ # Our Defaults
+ CC = $(AC_CC)
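Review bot: The description at L2194 reads "independent on libodbc"; the idiom is "independent of libodbc". The change itself only drops `@SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@` from `SLAPD_LIBS` at L2203, which matches the stated intent.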
diff --git a/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
new file mode 100644
index 0000000..ed4f2ad
--- /dev/null
+++ b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
@@ -0,0 +1,41 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+---
+--- openldap/servers/slapd/module.c.orig	2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c	2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
+ 	return -1;	/* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ 	module_loaded_t *module;
+@@ -180,7 +194,7 @@
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ 		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ 		strcpy( ebuf, error );
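Review bot: In `slapd_lt_dlopenext_global` (L2228–L2240) `advise` is declared without an initializer at L2231, yet `lt_dladvise_destroy (&advise)` at L2237 runs unconditionally; if `lt_dladvise_init` fails before it assigns the out-parameter, the destroy call sees an indeterminate value, and whether libltdl zeroes it on failure is an implementation detail, so write `lt_dladvise advise = 0;`. The function also deserves a header comment recording why RTLD_GLOBAL is wanted and what it costs: the spec's own remark at L2699–L2702 says this works around back_perl modules needing libperl symbols and may cause crashes from symbol collisions, since every loaded module's symbols now become visible to every other module.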
diff --git a/SOURCES/openldap-syncrepl-unset-tls-options.patch b/SOURCES/openldap-syncrepl-unset-tls-options.patch
new file mode 100644
index 0000000..156971a
--- /dev/null
+++ b/SOURCES/openldap-syncrepl-unset-tls-options.patch
@@ -0,0 +1,62 @@
+allow unsetting of tls_* syncrepl options
+
+Author: Patrick Monnerat <pm@datasphere.ch>
+Upstream ITS: #7042
+Resolves: #734187
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 654a4bf..10b993b 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -735,27 +735,27 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_CACERTFILE:
+ 		if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile );
+-		lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_CACERTDIR:
+ 		if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir );
+-		lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_CERTFILE:
+ 		if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile );
+-		lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_KEYFILE:
+ 		if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile );
+-		lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_DHFILE:
+ 		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+-		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+-		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
+ 		if ( !arg ) return -1;
+@@ -783,7 +783,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ #endif
+ 	case LDAP_OPT_X_TLS_CIPHER_SUITE:
+ 		if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite );
+-		lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
+ 
+ 	case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+@@ -794,7 +794,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 		if ( ld != NULL )
+ 			return -1;
+ 		if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile );
+-		lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		break;
+ 	case LDAP_OPT_X_TLS_NEWCTX:
+ 		if ( !arg ) return -1;
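Review bot: The expression `(arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL` is now repeated eight times (L2275, L2280, L2285, L2290, L2295, L2300, L2309, L2318); a one-line helper, `static char *tls_opt_dup( void *arg ) { return ( arg && *(char *)arg ) ? LDAP_STRDUP( (char *)arg ) : NULL; }`, keeps the empty-means-unset rule in one place. That rule is also a behaviour change visible to callers: an empty string for `LDAP_OPT_X_TLS_CACERTFILE` or `LDAP_OPT_X_TLS_CACERTDIR` no longer leaves a (presumably unopenable) `""` path behind but clears the option, so peer verification falls back to whatever the backend does with no CA configured; that deserves a sentence in the patch header and in the ldap_set_option(3) text for these options.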
diff --git a/SOURCES/openldap-tls-no-reuse-of-tls_session.patch b/SOURCES/openldap-tls-no-reuse-of-tls_session.patch
new file mode 100644
index 0000000..5c397d1
--- /dev/null
+++ b/SOURCES/openldap-tls-no-reuse-of-tls_session.patch
@@ -0,0 +1,92 @@
+TLS: do not reuse tls_session if hostname check fails
+
+If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails,
+*tls_session is not dropped, but reused when connecting to the second server.
+
+This is a problem with Mozilla NSS backend because another handshake cannot be performed on the same file descriptor.
+From this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7373
+Resolves: #852476 
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 10b993b..a3cd590 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -320,7 +320,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc )
+  */
+ 
+ static int
+-ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
++ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
+ {
+ 	Sockbuf *sb = conn->lconn_sb;
+ 	int	err;
+@@ -365,6 +365,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
+ 	errno = WSAGetLastError();
+ #endif
+ 
++	if ( err == 0 ) {
++		err = ldap_pvt_tls_check_hostname( ld, ssl, host );
++	}
++
+ 	if ( err < 0 )
+ 	{
+ 		char buf[256], *msg;
+@@ -495,7 +499,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
+ {
+ 	tls_session *session = s;
+ 
+-	return tls_imp->ti_session_chkhost( ld, session, name_in );
++	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
++	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
++		ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in );
++		if (ld->ld_errno != LDAP_SUCCESS) {
++			return ld->ld_errno;
++		}
++	}
++
++	return LDAP_SUCCESS;
+ }
+ 
+ int
+@@ -857,7 +869,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ #endif /* LDAP_USE_NON_BLOCKING_TLS */
+ 
+ 	ld->ld_errno = LDAP_SUCCESS;
+-	ret = ldap_int_tls_connect( ld, conn );
++	ret = ldap_int_tls_connect( ld, conn, host );
+ 
+ #ifdef LDAP_USE_NON_BLOCKING_TLS
+ 	while ( ret > 0 ) { /* this should only happen for non-blocking io */
+@@ -878,7 +890,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 		} else {
+ 			/* ldap_int_poll called ldap_pvt_ndelay_off */
+ 			ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
+-			ret = ldap_int_tls_connect( ld, conn );
++			ret = ldap_int_tls_connect( ld, conn, host );
+ 			if ( ret > 0 ) { /* need to call tls_connect once more */
+ 				struct timeval curr_time_tv, delta_tv;
+ 
+@@ -935,20 +947,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 		return (ld->ld_errno);
+ 	}
+ 
+-	ssl = ldap_pvt_tls_sb_ctx( sb );
+-	assert( ssl != NULL );
+-
+-	/* 
+-	 * compare host with name(s) in certificate
+-	 */
+-	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+-	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
+-		ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
+-		if (ld->ld_errno != LDAP_SUCCESS) {
+-			return ld->ld_errno;
+-		}
+-	}
+-
+ 	return LDAP_SUCCESS;
+ }
+ 
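Review bot: The hostname-check result assigned to `err` at L2358 is tested with `if ( err < 0 )` at L2361, but `ldap_pvt_tls_check_hostname()` returns LDAP result codes (`LDAP_SUCCESS` or whatever `ti_session_chkhost` stored in `ld->ld_errno`, L2371–L2373); if a mismatch is reported as a positive code such as `LDAP_CONNECT_ERROR`, it takes the success path, and since the check formerly in `ldap_int_tls_start` is deleted at L2403–L2416 nothing downstream rejects the session. Unless `ti_session_chkhost` is known to return a negative value on mismatch, map the result explicitly, e.g. `if ( err == 0 && ldap_pvt_tls_check_hostname( ld, ssl, host ) != LDAP_SUCCESS ) err = -1;`, and confirm that the error branch starting at L2361 (its body continues past the hunk) does not then hand `-1` to `update_flags()` as a would-block condition. Separately, `ldap_pvt_tls_check_hostname` is an exported `ldap_pvt_` entry point; after L2369–L2377 it returns `LDAP_SUCCESS` without comparing anything when `ldo_tls_require_cert` is `never` or `allow`, so any other caller that relied on it to perform the comparison unconditionally now gets no check — that change in contract should be stated in a comment at the function head.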
diff --git a/SOURCES/openldap-userconfig-setgid.patch b/SOURCES/openldap-userconfig-setgid.patch
new file mode 100644
index 0000000..70f0d28
--- /dev/null
+++ b/SOURCES/openldap-userconfig-setgid.patch
@@ -0,0 +1,18 @@
+Normally, skips reading of user configuration file when running with different effective UID.
+This patch adds the same behavior for GID.
+
+Author: Nalin Dahyabhai <nalin@redhat.com>
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index e6b17b4..fbf4829 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -678,7 +678,7 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl )
+ 	openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
+ 
+ #ifdef HAVE_GETEUID
+-	if ( geteuid() != getuid() )
++	if ( geteuid() != getuid() || getegid() != getgid() )
+ 		return;
+ #endif
+ 
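Review bot: The `getegid() != getgid()` test added at L2440 is still gated only by `#ifdef HAVE_GETEUID` (L2438), so configure's probe for `geteuid()` is being used as a proxy for `getegid()` availability; presumably safe on the target platforms, but worth a comment so nobody "fixes" the guard later, e.g. `/* skip the user's ldaprc when running set-uid OR set-gid: those files are under the invoking user's control */`.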
diff --git a/SOURCES/slapd.ldif b/SOURCES/slapd.ldif
new file mode 100644
index 0000000..9ce13ea
--- /dev/null
+++ b/SOURCES/slapd.ldif
@@ -0,0 +1,147 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+#
+# TLS settings
+#
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: "OpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath:	/usr/lib/openldap
+#olcModulepath:	/usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory:	/var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
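Review bot: The `olcDatabase=hdb` entry at L2588–L2596 carries no `olcAccess` and no `olcRootPW`, so by the default policy this file itself describes at L2557–L2559 the whole suffix is readable by anyone, including anonymous binds, exactly as shipped. Since this is the packaged default configuration, a commented example next to the entry would make the choice visible, e.g. `#olcAccess: to * by dn.base="cn=Manager,dc=my-domain,dc=com" write by users read by anonymous auth`, mirroring the frontend sample at L2550–L2555. `olcTLSCertificateKeyFile: /etc/openldap/certs/password` at L2465 names the certdb password file rather than a key, which is presumably the Mozilla NSS convention given `--with-tls=moznss` in the spec (L2895); a comment such as `# Mozilla NSS: path to the certdb password file, not a PEM private key` would stop someone replacing it with a PEM key path.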
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
new file mode 100644
index 0000000..7e0589c
--- /dev/null
+++ b/SOURCES/slapd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
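Review bot: `After=syslog.target` at L2605 names a target that modern systemd no longer provides (syslog is socket-activated), so the ordering dependency is dead; `After=network.target` alone is sufficient, or `network-online.target` if the listener needs configured addresses. The default in `Environment=` at L2610 (`ldap:/// ldapi:///`) and the documented default in `slapd.sysconfig` at L2629 (`ldapi:/// ldap:///`) also disagree in order; harmless, but one of them should be made to match the other.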
diff --git a/SOURCES/slapd.sysconfig b/SOURCES/slapd.sysconfig
new file mode 100644
index 0000000..68091a5
--- /dev/null
+++ b/SOURCES/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+#   (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/SOURCES/slapd.tmpfiles b/SOURCES/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/SOURCES/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
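Review bot: `d /var/run/openldap 0755 ldap ldap -` at L2645 makes the directory holding `slapd.pid` (the `PIDFile=` in slapd.service, L2609) writable by the unprivileged `ldap` user, so the PID that root-side tooling reads from there is under that user's control; newer systemd releases refuse PID files not owned by root unless the PID is inside the service's cgroup, while older ones trust the file as-is. Whether slapd writes the pidfile before or after dropping to `ldap` via `-u` is not visible here, so the least-surprise option is a comment documenting the trust assumption, e.g. `# writable by ldap so slapd can write slapd.pid after dropping privileges`. `/run/openldap` is also the canonical path in this era; `/var/run` is the compatibility symlink.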
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
new file mode 100644
index 0000000..470c05a
--- /dev/null
+++ b/SPECS/openldap.spec
@@ -0,0 +1,1970 @@
+%global _hardened_build 1
+
+%global systemctl_bin /usr/bin/systemctl
+%global check_password_version 1.1
+
+Name: openldap
+Version: 2.4.35
+Release: 7%{?dist}
+Summary: LDAP support libraries
+Group: System Environment/Daemons
+License: OpenLDAP
+URL: http://www.openldap.org/
+Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
+Source1: slapd.service
+Source2: slapd.sysconfig
+Source3: slapd.tmpfiles
+Source4: slapd.ldif
+Source5: ldap.conf
+Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
+Source50: libexec-functions
+Source51: libexec-convert-config.sh
+Source52: libexec-check-config.sh
+Source53: libexec-upgrade-db.sh
+Source54: libexec-create-certdb.sh
+Source55: libexec-generate-server-cert.sh
+
+# patches for 2.4
+Patch0: openldap-manpages.patch
+Patch1: openldap-security-pie.patch
+Patch2: openldap-sql-linking.patch
+Patch3: openldap-reentrant-gethostby.patch
+Patch4: openldap-smbk5pwd-overlay.patch
+Patch5: openldap-ldaprc-currentdir.patch
+Patch6: openldap-userconfig-setgid.patch
+Patch7: openldap-dns-priority.patch
+Patch8: openldap-syncrepl-unset-tls-options.patch
+Patch9: openldap-man-sasl-nocanon.patch
+Patch10: openldap-ai-addrconfig.patch
+Patch11: openldap-nss-update-list-of-ciphers.patch
+Patch12: openldap-tls-no-reuse-of-tls_session.patch
+Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
+Patch14: openldap-nss-ignore-certdb-type-prefix.patch
+Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
+Patch16: openldap-nss-pk11-freeslot.patch
+# documentation patches, already included upstream
+Patch17: openldap-doc1.patch
+Patch18: openldap-doc2.patch
+# fix back_perl problems with lt_dlopen()
+# might cause crashes because of symbol collisions
+# the proper fix is to link all perl modules against libperl
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
+Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
+# ldapi sasl fix pending upstream inclusion
+Patch20: openldap-ldapi-sasl.patch
+# already included upstream
+Patch21: openldap-loglevel2bvarray.patch
+# more documentation fixes, upstreamed
+Patch22: openldap-doc3.patch
+# cldap fixes, upstreamed
+Patch23: openldap-cldap.patch
+
+# Fedora specific patches
+Patch100: openldap-autoconf-pkgconfig-nss.patch
+Patch102: openldap-fedora-systemd.patch
+
+BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
+BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
+# smbk5pwd overlay:
+BuildRequires: openssl-devel
+Requires: nss-tools
+
+%description
+OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap package contains configuration files,
+libraries, and documentation for OpenLDAP.
+
+%package devel
+Summary: LDAP development libraries and header files
+Group: Development/Libraries
+Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
+
+%description devel
+The openldap-devel package includes the development libraries and
+header files needed for compiling applications that use LDAP
+(Lightweight Directory Access Protocol) internals. LDAP is a set of
+protocols for enabling directory services over the Internet. Install
+this package only if you plan to develop or will need to compile
+customized LDAP clients.
+
+%package servers
+Summary: LDAP server
+License: OpenLDAP
+Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
+Requires(pre): shadow-utils
+Requires(post): systemd, systemd-sysv, chkconfig
+Requires(preun): systemd
+Requires(postun): systemd
+BuildRequires: libdb-devel
+BuildRequires: systemd-units
+BuildRequires: cracklib-devel
+Group: System Environment/Daemons
+# migrationtools (slapadd functionality):
+Provides: ldif2ldbm
+
+%description servers
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. This package contains the slapd server and related files.
+
+%package servers-sql
+Summary: SQL support module for OpenLDAP server
+Requires: openldap-servers%{?_isa} = %{version}-%{release}
+Group: System Environment/Daemons
+
+%description servers-sql
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. This package contains a loadable module which the
+slapd server can use to read data from an RDBMS.
+
+%package clients
+Summary: LDAP client utilities
+Requires: openldap%{?_isa} = %{version}-%{release}
+Group: Applications/Internet
+
+%description clients
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap-clients package contains the client
+programs needed for accessing and modifying OpenLDAP directories.
+
+%prep
+%setup -q -c -a 0 -a 10
+
+pushd openldap-%{version}
+
+# use pkg-config for Mozilla NSS library
+%patch100 -p1
+
+# alternative include paths for Mozilla NSS
+ln -s %{_includedir}/nss3 include/nss
+ln -s %{_includedir}/nspr4 include/nspr
+
+AUTOMAKE=%{_bindir}/true autoreconf -fi
+
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+
+%patch102 -p1
+
+# build smbk5pwd with other overlays
+ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
+mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+
+mv servers/slapd/back-perl/README{,.back_perl}
+
+# fix documentation encoding
+for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do
+	iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
+	mv "$filename.utf8" "$filename"
+done
+
+popd
+
+%build
+
+# avoid stray dependencies (linker flag --as-needed)
+# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
+export CFLAGS="%{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
+
+pushd openldap-%{version}
+%configure \
+	--enable-debug \
+	--enable-dynamic \
+	--enable-syslog \
+	--enable-proctitle \
+	--enable-ipv6 \
+	--enable-local \
+	\
+	--enable-slapd \
+	--enable-dynacl \
+	--enable-aci \
+	--enable-cleartext \
+	--enable-crypt \
+	--enable-lmpasswd \
+	--enable-spasswd \
+	--enable-modules \
+	--enable-rewrite \
+	--enable-rlookups \
+	--enable-slapi \
+	--disable-slp \
+	--enable-wrappers \
+	\
+	--enable-backends=mod \
+	--enable-bdb=yes \
+	--enable-hdb=yes \
+	--enable-monitor=yes \
+	--disable-ndb \
+	\
+	--enable-overlays=mod \
+	\
+	--disable-static \
+	--enable-shared \
+	\
+	--with-cyrus-sasl \
+	--without-fetch \
+	--with-threads \
+	--with-pic \
+	--with-tls=moznss \
+	--with-gnu-ld \
+	\
+	--libexecdir=%{_libdir}
+
+make %{_smp_mflags}
+popd
+
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+make LDAP_INC="-I../openldap-%{version}/include \
+ -I../openldap-%{version}/servers/slapd \
+ -I../openldap-%{version}/build-servers/include"
+popd
+
+%install
+
+mkdir -p %{buildroot}%{_libdir}/
+
+pushd openldap-%{version}
+make install DESTDIR=%{buildroot} STRIP=""
+popd
+
+# install check_password module
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+install -m 755 check_password.so %{buildroot}%{_libdir}/openldap/
+# install -m 644 README %{buildroot}%{_libdir}/openldap
+install -d -m 755 %{buildroot}%{_sysconfdir}/openldap
+cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <<EOF
+# OpenLDAP pwdChecker library configuration
+
+#useCracklib 1
+#minPoints 3
+#minUpper 0
+#minLower 0
+#minDigit 0
+#minPunct 0
+EOF
+sed -i -e 's/check_password\.so/check_password.so.%{check_password_version}/' README
+mv README{,.check_pwd}
+popd
+# rename the library
+mv %{buildroot}%{_libdir}/openldap/check_password.so{,.%{check_password_version}}
+
+# setup directories for TLS certificates
+mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
+
+# setup data and runtime directories
+mkdir -p %{buildroot}%{_sharedstatedir}
+mkdir -p %{buildroot}%{_localstatedir}
+install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
+install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
+
+# setup autocreation of runtime directories on tmpfs
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
+install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf
+
+# install default ldap.conf (customized)
+rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+
+# setup maintainance scripts
+mkdir -p %{buildroot}%{_libexecdir}
+install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
+install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
+install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
+install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
+install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
+install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
+install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
+
+# remove build root from config files and manual pages
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
+
+# we don't need the default files -- RPM handles changes
+rm -f %{buildroot}%{_sysconfdir}/openldap/*.default
+rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
+
+# install an init script for the servers
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
+
+# install syconfig/ldap
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/slapd
+
+# move slapd out of _libdir
+mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
+
+# setup tools as symlinks to slapd
+rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done
+
+# tweak permissions on the libraries to make sure they're correct
+chmod 0755 %{buildroot}%{_libdir}/lib*.so*
+chmod 0644 %{buildroot}%{_libdir}/lib*.*a
+
+# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
+# new configuration will be generated in %%post
+mkdir -p %{buildroot}%{_datadir}
+install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
+install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
+install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
+
+# move doc files out of _sysconfdir
+mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
+mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
+chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+
+# remove files which we don't want packaged
+rm -f %{buildroot}%{_libdir}/*.la
+rm -f %{buildroot}%{_libdir}/openldap/*.so
+
+rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
+rmdir %{buildroot}%{_localstatedir}/openldap-data
+
+%post
+
+/sbin/ldconfig
+
+# create certificate database
+%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :
+
+%postun -p /sbin/ldconfig
+
+%pre servers
+
+# create ldap user and group
+getent group ldap &>/dev/null || groupadd -r -g 55 ldap
+getent passwd ldap &>/dev/null || \
+	useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
+
+if [ $1 -eq 2 ]; then
+	# package upgrade
+
+	old_version=$(rpm -q --qf=%%{version} openldap-servers)
+	new_version=%{version}
+
+	if [ "$old_version" != "$new_version" ]; then
+		touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null
+	fi
+fi
+
+exit 0
+
+
+%post servers
+
+/sbin/ldconfig
+%systemd_post slapd.service
+
+# generate sample TLS certificate for server (will not replace)
+%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
+
+# generate/upgrade configuration
+if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
+	if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
+		%{_libexecdir}/openldap/convert-config.sh &>/dev/null
+		mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
+	else
+		%{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null
+	fi
+fi
+
+start_slapd=0
+
+# upgrade the database
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
+	if %{systemctl_bin} --quiet is-active slapd.service; then
+		%{systemctl_bin} stop slapd.service
+		start_slapd=1
+	fi
+
+	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
+fi
+
+# conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd
+if [ $1 -eq 2 ]; then
+	# we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package
+	[ -r %{_sysconfdir}/sysconfig/ldap ] || exit 0
+	source %{_sysconfdir}/sysconfig/ldap &>/dev/null
+
+	new_urls=
+	[ "$SLAPD_LDAP" != "no" ]   && new_urls="$new_urls ldap:///"
+	[ "$SLAPD_LDAPI" != "no" ]  && new_urls="$new_urls ldapi:///"
+	[ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///"
+	[ -n "$SLAPD_URLS" ]        && new_urls="$new_urls $SLAPD_URLS"
+
+	failure=0
+	cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert
+	sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
+	[ -n "$SLAPD_OPTIONS" ] && \
+		sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
+
+	if [ $failure -eq 0 ]; then
+		mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd
+	else
+		rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert
+	fi
+fi
+
+# restart after upgrade
+if [ $1 -ge 1 ]; then
+	if [ $start_slapd -eq 1 ]; then
+		%{systemctl_bin} start slapd.service &>/dev/null || :
+	else
+		%{systemctl_bin} condrestart slapd.service &>/dev/null || :
+	fi
+fi
+
+exit 0
+
+%preun servers
+
+%systemd_preun slapd.service
+
+
+%postun servers
+
+/sbin/ldconfig
+%systemd_postun_with_restart slapd.service
+
+
+%triggerun servers -- openldap-servers < 2.4.26-6
+
+# migration from SysV to systemd
+/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || :
+/usr/sbin/chkconfig --del slapd &>/dev/null || :
+%{systemctl_bin} try-restart slapd.service &>/dev/null || :
+
+
+%triggerin servers -- libdb
+
+# libdb upgrade (setup for %%triggerun)
+if [ $2 -eq 2 ]; then
+	# we are interested in minor version changes (both versions of libdb are installed at this moment)
+	if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
+		touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+	else
+		rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+	fi
+fi
+
+exit 0
+
+
+%triggerun servers -- libdb
+
+# libdb upgrade (finish %%triggerin)
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
+	if %{systemctl_bin} --quiet is-active slapd.service; then
+		%{systemctl_bin} stop slapd.service
+		start=1
+	else
+		start=0
+	fi
+
+	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+
+	[ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
+fi
+
+exit 0
+
+
+%files
+%doc openldap-%{version}/ANNOUNCEMENT
+%doc openldap-%{version}/CHANGES
+%doc openldap-%{version}/COPYRIGHT
+%doc openldap-%{version}/LICENSE
+%doc openldap-%{version}/README
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/certs
+%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%dir %{_libexecdir}/openldap/
+%{_libexecdir}/openldap/create-certdb.sh
+%{_libdir}/liblber-2.4*.so.*
+%{_libdir}/libldap-2.4*.so.*
+%{_libdir}/libldap_r-2.4*.so.*
+%{_libdir}/libslapi-2.4*.so.*
+%{_mandir}/man5/ldif.5*
+%{_mandir}/man5/ldap.conf.5*
+
+%files servers
+%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+%doc openldap-%{version}/doc/guide/admin/*.html
+%doc openldap-%{version}/doc/guide/admin/*.png
+%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
+%doc README.schema
+%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
+%config(noreplace) %{_sysconfdir}/openldap/schema
+%config(noreplace) %{_sysconfdir}/sysconfig/slapd
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf
+%config(noreplace) %{_sysconfdir}/openldap/check_password.conf
+%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
+%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
+%{_unitdir}/slapd.service
+%{_datadir}/openldap-servers/
+%{_libdir}/openldap/accesslog*
+%{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/back_dnssrv*
+%{_libdir}/openldap/back_ldap*
+%{_libdir}/openldap/back_mdb*
+%{_libdir}/openldap/back_meta*
+%{_libdir}/openldap/back_null*
+%{_libdir}/openldap/back_passwd*
+%{_libdir}/openldap/back_relay*
+%{_libdir}/openldap/back_shell*
+%{_libdir}/openldap/back_sock*
+%{_libdir}/openldap/back_perl*
+%{_libdir}/openldap/collect*
+%{_libdir}/openldap/constraint*
+%{_libdir}/openldap/dds*
+%{_libdir}/openldap/deref*
+%{_libdir}/openldap/dyngroup*
+%{_libdir}/openldap/dynlist*
+%{_libdir}/openldap/memberof*
+%{_libdir}/openldap/pcache*
+%{_libdir}/openldap/ppolicy*
+%{_libdir}/openldap/refint*
+%{_libdir}/openldap/retcode*
+%{_libdir}/openldap/rwm*
+%{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/smbk5pwd*
+%{_libdir}/openldap/sssvlv*
+%{_libdir}/openldap/syncprov*
+%{_libdir}/openldap/translucent*
+%{_libdir}/openldap/unique*
+%{_libdir}/openldap/valsort*
+%{_libdir}/openldap/check_password*
+%{_libexecdir}/openldap/functions
+%{_libexecdir}/openldap/convert-config.sh
+%{_libexecdir}/openldap/check-config.sh
+%{_libexecdir}/openldap/upgrade-db.sh
+%{_libexecdir}/openldap/generate-server-cert.sh
+%{_sbindir}/sl*
+%{_mandir}/man8/*
+%{_mandir}/man5/slapd*.5*
+%{_mandir}/man5/slapo-*.5*
+# obsolete configuration
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak
+
+%files servers-sql
+%doc openldap-%{version}/servers/slapd/back-sql/docs/*
+%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend
+%{_libdir}/openldap/back_sql*
+
+%files clients
+%{_bindir}/*
+%{_mandir}/man1/*
+
+%files devel
+%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
+%{_libdir}/lib*.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+%changelog
+* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-7
+- fix: CLDAP is broken for IPv6 (#1007421)
+
+* Wed Sep  4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-6
+- fix: typos in manpages (#948562)
+
+* Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5
+- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"
+
+* Thu May 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-4
+- do not needlessly run ldconfig after installing openldap-devel
+- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222)
+- fix: lt_dlopen() with back_perl (#960048)
+
+* Tue Apr 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-3
+- fix: minor documentation fixes
+- set SASL_NOCANON to on by default (#949864)
+- remove trailing spaces
+
+* Fri Apr 05 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-2
+- drop the evolution patch
+
+* Tue Apr 02 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-1
+- new upstream release (#947235)
+- fix: slapd.service should ensure that network is up before starting (#946921)
+- fix: NSS related resource leak (#929357)
+
+* Mon Mar 18 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-2
+- fix: syncrepl push DELETE operation does not recover (#920482)
+- run autoreconf every build, drop autoreconf patch (#926280)
+
+* Mon Mar 11 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-1
+- enable perl backend (#820547)
+- package ppolicy-check-password (#829749)
+- add perl specific BuildRequires
+- fix bogus dates
+
+* Wed Mar 06 2013 Jan Vcelak <jvcelak@fedoraproject.org> 2.4.34-1
+- new upstream release (#917603)
+- fix: slapcat segfaults if cn=config.ldif not present (#872784)
+- use systemd-rpm macros in spec file (#850247)
+
+* Thu Jan 31 2013 Jan Synáček <jsynacek@redhat.com> 2.4.33-4
+- rebuild against new cyrus-sasl
+
+* Wed Oct 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-3
+- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
+* Fri Oct 12 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-2
+- fix: slapd with rwm overlay segfault following ldapmodify (#865685)
+
+* Thu Oct 11 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-1
+- new upstream release:
+  + slapd: ACLs, syncrepl
+  + backends: locking and memory management in MDB
+  + manpages: slapo-refint
+- patch update: MozNSS certificate database in SQL format cannot be used (#860317)
+- fix: slapd.service should not use /tmp (#859019)
+
+* Fri Sep 14 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-3
+- fix: some TLS ciphers cannot be enabled (#852338)
+- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)
+- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786)
+- fix: MozNSS certificate database in SQL format cannot be used (#857373)
+- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
+* Mon Aug 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-2
+- enhancement: TLS, prefer private keys from authenticated slots
+- enhancement: TLS, allow certificate specification including token name
+- resolve TLS failures in replication in 389 Directory Server
+
+* Wed Aug 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-1
+- new upstream release
+  + library: double free, SASL handling
+  + tools: read SASL_NOCANON from config file
+  + slapd: config index renumbering, duplicate error response
+  + backends: various fixes in mdb, bdb/hdb, ldap
+  + accesslog, syncprov: fix memory leaks in with replication
+  + sha2: portability, thread safety, support SSHA256,384,512
+  + documentation fixes
+
+* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
+- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
+
+* Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6
+- multilib fix: move libslapi from openldap-servers to openldap package
+
+* Thu Jul 19 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-5
+- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)
+- fix: smbk5pwd module computes invalid LM hashes (#841560)
+
+* Wed Jul 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-4
+- modify the package build process
+  + fix autoconfig files to detect Mozilla NSS library using pkg-config
+  + remove compiler flags which are not needed currently
+  + build server, client and library together
+  + avoid stray dependencies by using --as-needed linker flag
+  + enable SLAPI interface in slapd
+
+* Wed Jun 27 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-3
+- update fix: count constraint broken when using multiple modifications (#795766)
+- fix: invalid order of TLS shutdown operations (#808464)
+- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
+- fix: reading pin from file can make all TLS connections hang (#829317)
+- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
+- fix: slapd fails to start on reboot (#829272)
+- fix: default cipher suite is always selected (#828790)
+- fix: less influence between individual TLS contexts:
+  - replication with TLS does not work (#795763)
+  - possibly others
+
+* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
+- fix: nss-tools package is required by the base package, not the server subpackage
+- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
+
+* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
+- new upstream release
+  + library: IPv6 url detection
+  + library: rebinding to failed connections
+  + server: various fixes in mdb backend
+  + server: various fixes in replication
+  + server: various fixes in overlays and minor backends
+  + documentation fixes
+- remove patches which were merged upstream
+
+* Thu Apr 05 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-3
+- rebuild due to libdb rebase
+
+* Mon Mar 26 2012 Jan Synáček <jsynacek@redhat.com> 2.4.30-2
+- fix: Re-binding to a failed connection can segfault (#784989)
+
+* Thu Mar 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-1
+- new upstream release
+  + server: fixes in mdb backend
+  + server: fixes in manual pages
+  + server: fixes in syncprov, syncrepl, and pcache
+- removed patches which were merged upstream
+
+* Wed Feb 22 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-4
+- fix: missing options in manual pages of client tools (#796232)
+- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915)
+
+* Tue Feb 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-3
+- fix: ldap_result does not succeed for sssd (#771484)
+- Jan Synáček <jsynacek@redhat.com>:
+  + fix: count constraint broken when using multiple modifications (#795766)
+
+* Mon Feb 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-2
+- fix update: provide ldif2ldbm, not ldib2ldbm (#437104)
+- Jan Synáček <jsynacek@redhat.com>:
+  + unify systemctl binary paths throughout the specfile and make them usrmove compliant
+  + make path to chkconfig binary usrmove compliant
+
+* Wed Feb 15 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-1
+- new upstream release
+  + MozNSS fixes
+  + connection handling fixes
+  + server: buxfixes in mdb backend
+  + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)
+- openldap-servers now provide ldib2ldbm (#437104)
+- certificates management improvements
+  + create empty Mozilla NSS certificate database during installation
+  + enable builtin Root CA in generated database (#789088)
+  + generate server certificate using Mozilla NSS tools instead of OpenSSL tools
+  + fix: correct path to check-config.sh in service file (Jan Synáček <jsynacek@redhat.com>)
+- temporarily disable certificates checking in check-config.sh script
+- fix: check-config.sh get stuck when executing command as a ldap user
+
+* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3
+- fix: replication (syncrepl) with TLS causes segfault (#783431)
+- fix: slapd segfaults when PEM certificate is used and key is not set (#772890)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Nov 30 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.28-1
+- new upstream release
+  + server: support for delta-syncrepl in multi master replication
+  + server: add experimental backend - MDB
+  + server: dynamic configuration for passwd, perl, shell, sock, and sql backends
+  + server: support passwords in APR1
+  + library: support for Wahl (draft)
+  + a lot of bugfixes
+- remove patches which were merged upstream
+- compile backends as modules (except BDB, HDB, and monitor)
+- reload systemd daemon after installation
+
+* Tue Nov 01 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-6
+- package cleanup:
+  + hardened build: switch from LDFLAGS to RPM macros
+  + remove old provides and obsoletes
+  + add new slapd maintainance scripts
+  + drop defattr macros, clean up permissions in specfile
+  + fix rpmlint warnings: macros in comments/changelog
+  + fix rpmlint warnings: non UTF-8 documentation
+  + rename environment file to be more consistent (ldap -> slapd)
+- replace sysv initscript with systemd service file (#
+- new format of environment file due to switch to systemd
+  (automatic conversion is performed)
+- patch OpenLDAP to skip empty command line arguments
+  (arguments expansion in systemd works different than in shell)
+- CVE-2011-4079: one-byte buffer overflow in slapd (#749324)
+
+* Thu Oct 06 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-5
+- rebuild: openldap does not work after libdb rebase (#743824)
+- regression fix: openldap built without tcp_wrappers (#743213)
+
+* Wed Sep 21 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-4
+- new feature update: honor priority/weight with ldap_domain2hostlist (#733078)
+
+* Mon Sep 12 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-3
+- fix: SSL_ForceHandshake function is not thread safe (#701678)
+- fix: allow unsetting of tls_* syncrepl options (#734187)
+
+* Wed Aug 24 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-2
+- security hardening: library needs partial RELRO support added (#733071)
+- fix: NSS_Init* functions are not thread safe (#731112)
+- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819)
+- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818)
+- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067)
+- fix: DDS overlay tolerance parametr doesn't function and breakes default TTL (#733069)
+- manpage fix: errors in manual page slapo-unique (#733070)
+- fix: matching wildcard hostnames in certificate Subject field does not work (#733073)
+- new feature: honor priority/weight with ldap_domain2hostlist (#733078)
+- manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722)
+
+* Sun Aug 14 2011 Rex Dieter <rdieter@fedoraproject.org> - 2.4.26-1.1
+- Rebuilt for rpm (#728707)
+
+* Wed Jul 20 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-1
+- rebase to new upstream release
+- fix: memleak in tlsm_auth_cert_handler (#717730)
+
+* Mon Jun 27 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.25-1
+- rebase to new upstream release
+- change default database type from BDB to HDB
+- enable ldapi:/// interface by default
+- set cn=config management ACLs for root user, SASL external schema (#712495)
+- fix: server scriptlets require initscripts package (#716857)
+- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT
+  is set to 'never' (#716854)
+- fix: segmentation fault caused by double-free in ldapexop (#699683)
+- fix: segmentation fault of client tool when input line in LDIF file
+  is splitted but indented incorrectly (#716855)
+- fix: segmentation fault of client tool when LDIF input file is not terminated
+  by a new line character (#716858)
+
+* Fri Mar 18 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-2
+- new: system resource limiting for slapd using ulimit
+- fix update: openldap can't use TLS after a fork() (#636956)
+- fix: possible null pointer dereference in NSS implementation
+- fix: openldap-servers upgrade hangs or do not upgrade the database (#664433)
+
+* Mon Feb 14 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-1
+- rebase to 2.4.24
+- BDB backend switch from DB4 to DB5
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.23-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Feb 02 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-8
+- fix update: openldap can't use TLS after a fork() (#636956)
+
+* Tue Jan 25 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-7
+- fix: openldap can't use TLS after a fork() (#636956)
+- fix: openldap-server upgrade gets stuck when the database is damaged (#664433)
+
+* Thu Jan 20 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-6
+- fix: some server certificates refused with inadequate type error (#668899)
+- fix: default encryption strength dropped in switch to using NSS (#669446)
+- systemd compatibility: add configuration file (#656647, #668223)
+
+* Thu Jan 06 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-5
+- initscript: slaptest with '-u' to skip database opening (#667768)
+- removed slurpd options from sysconfig/ldap
+- fix: verification of self issued certificates (#657984)
+
+* Mon Nov 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-4
+- Mozilla NSS - implement full non-blocking semantics
+  ldapsearch -Z hangs server if starttls fails (#652822)
+- updated list of all overlays in slapd.conf (#655899)
+- fix database upgrade process (#656257)
+
+* Thu Nov 18 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-3
+- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR
+- reject non-file keyfiles in TLS_CACERTDIR (#652315)
+- TLS_CACERTDIR precedence over TLS_CACERT (#652304)
+- accept only files in hash.0 format in TLS_CACERTDIR (#650288)
+- improve SSL/TLS trace messages (#652818)
+
+* Mon Nov 01 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-2
+- fix possible infinite loop when checking permissions of TLS files (#641946)
+- removed outdated autofs.schema (#643045)
+- removed outdated README.upgrade
+- removed relics of migrationtools
+
+* Fri Aug 27 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-1
+- rebase to 2.4.23
+- embeded db4 library removed
+- removed bogus links in "SEE ALSO" in several man-pages (#624616)
+
+* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
+- Mozilla NSS - delay token auth until needed (#616552)
+- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
+
+* Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.22-6
+- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
+- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)
+- obsolete configuration file moved to /usr/share/openldap-servers (#612602)
+
+* Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-5
+- another shot at previous fix
+
+* Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-4
+- fixed issue with owner of /usr/lib/ldap/__db.* (#609523)
+
+* Thu Jun  3 2010 Rich Megginson <rmeggins@redhat.com> - 2.4.22-3
+- added ldif.h to the public api in the devel package
+- added -lldif to the public api
+- added HAVE_MOZNSS and other flags to use Mozilla NSS for crypto
+
+* Tue May 18 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-2
+- rebuild with connectionless support (#587722)
+- updated autofs schema (#584808)
+
+* Tue May 04 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-1
+- rebased to 2.4.22 (mostly bugfixes, added back-ldif, back-null testing support)
+- due to some possible issues pointed out in last update testing phase, I'm
+  pulling back the last change (slapd can't be moved since it depends on /usr
+  possibly mounted from network)
+
+* Fri Mar 19 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-6
+- moved slapd to start earlier during boot sequence
+
+* Tue Mar 16 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-5
+- minor corrections of init script (#571235, #570057, #573804)
+
+* Wed Feb 24 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-4
+- fixed SIGSEGV when deleting data using hdb (#562227)
+
+* Mon Feb 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-3
+- fixed broken link /usr/sbin/slapschema (#559873)
+
+* Tue Jan 19 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-2
+- removed some static libraries from openldap-devel (#556090)
+
+* Mon Jan 11 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-1
+- rebased openldap to 2.4.21
+- rebased bdb to 4.8.26
+
+* Mon Nov 23 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-3
+- minor corrections in init script
+
+* Mon Nov 16 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-2
+- fixed tls connection accepting when TLSVerifyClient = allow
+- /etc/openldap/ldap.conf removed from files owned by openldap-servers
+- minor changes in spec file to supress warnings
+- some changes in init script, so it would be possible to use it when
+  using old configuration style
+
+* Fri Nov 06 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-1
+- rebased openldap to 2.4.19
+- rebased bdb to 4.8.24
+
+* Wed Oct 07 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-4
+- updated smbk5pwd patch to be linked with libldap (#526500)
+- the last buffer overflow patch replaced with the one from upstream
+- added /etc/openldap/slapd.d and /etc/openldap/slapd.conf.bak
+  to files owned by openldap-servers
+
+* Thu Sep 24 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-3
+- cleanup of previous patch fixing buffer overflow
+
+* Tue Sep 22 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-2
+- changed configuration approach. Instead od slapd.conf slapd
+  is using slapd.d directory now
+- fix of some issues caused by renaming of init script
+- fix of buffer overflow issue in ldif.c pointed out by new glibc
+
+* Fri Sep 18 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-1
+- rebase of openldap to 2.4.18
+
+* Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-7
+- updated documentation (hashing the cacert dir)
+
+* Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-6
+- updated init script to be LSB-compliant (#523434)
+- init script renamed to slapd
+
+* Thu Aug 27 2009 Tomas Mraz <tmraz@redhat.com> - 2.4.16-5
+- rebuilt with new openssl
+
+* Tue Aug 25 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-4
+- updated %%pre script to correctly install openldap group
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 01 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-1
+- rebase of openldap to 2.4.16
+- fixed minor issue in spec file (output looking interactive
+  when installing servers)
+
+* Tue Jun 09 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-4
+- added $SLAPD_URLS variable to init script (#504504)
+
+* Thu Apr 09 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-3
+- extended previous patch (#481310) to remove options cfMP
+  from some client tools
+- correction of patch setugid (#494330)
+
+* Thu Mar 26 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-2
+- removed -f option from some client tools (#481310)
+
+* Wed Feb 25 2009 Jan Safranek <jsafranek@redhat.com> 2.4.15-1
+- new upstream release
+
+* Tue Feb 17 2009 Jan Safranek <jsafranek@redhat.com> 2.4.14-1
+- new upstream release
+- upgraded to db-4.7.25
+
+* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> 2.4.12-3
+- rebuild with new openssl
+
+* Mon Dec 15 2008 Caolán McNamara <caolanm@redhat.com> 2.4.12-2
+- rebuild for libltdl, i.e. copy config.sub|guess from new location
+
+* Wed Oct 15 2008 Jan Safranek <jsafranek@redhat.com> 2.4.12-1
+- new upstream release
+
+* Mon Oct 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-3
+- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins
+  to set non-default slapd shutdown timeout
+- add checkpoint to default slapd.conf file (#458679)
+
+* Mon Sep  1 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-2
+- provide ldif2ldbm functionality for migrationtools
+- rediff all patches to get rid of patch fuzz
+
+* Mon Jul 21 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-1
+- new upstream release
+- apply official bdb-4.6.21 patches
+
+* Wed Jul  2 2008 Jan Safranek <jsafranek@redhat.com> 2.4.10-2
+- fix CVE-2008-2952 (#453728)
+
+* Thu Jun 12 2008 Jan Safranek <jsafranek@redhat.com> 2.4.10-1
+- new upstream release
+
+* Wed May 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.9-5
+- use /sbin/nologin as shell of ldap user (#447919)
+
+* Tue May 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.9-4
+- new upstream release
+- removed unnecessary MigrationTools patches
+
+* Thu Apr 10 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-4
+- bdb upgraded to 4.6.21
+- reworked upgrade logic again to run db_upgrade when bdb version
+  changes
+
+* Wed Mar  5 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-3
+- reworked the upgrade logic, slapcat/slapadd of the whole database
+  is needed only if minor version changes (2.3.x -> 2.4.y)
+- do not try to save database in LDIF format, if openldap-servers package
+  is  being removed (it's up to the admin to do so manually)
+
+* Thu Feb 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-2
+- migration tools carved out to standalone package "migrationtools"
+  (#236697)
+
+* Fri Feb 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-1
+- new upstream release
+
+* Fri Feb  8 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-7
+- fix CVE-2008-0658 (#432014)
+
+* Mon Jan 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-6
+- init script fixes
+
+* Mon Jan 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-5
+- init script made LSB-compliant (#247012)
+
+* Fri Jan 25 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-4
+- fixed rpmlint warnings and errors
+  - /etc/openldap/schema/README moved to /usr/share/doc/openldap
+
+* Tue Jan 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-3
+- obsoleting compat-openldap properly again :)
+
+* Tue Jan 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-2
+- obsoleting compat-openldap properly (#429591)
+
+* Mon Jan 14 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-1
+- new upstream version (openldap-2.4.7)
+
+* Mon Dec  3 2007 Jan Safranek <jsafranek@redhat.com> 2.4.6-1
+- new upstream version (openldap-2.4)
+- deprecating compat- package
+
+* Mon Nov  5 2007 Jan Safranek <jsafranek@redhat.com> 2.3.39-1
+- new upstream release
+
+* Tue Oct 23 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-4
+- fixed multilib issues - all platform independent files have the
+  same content now (#342791)
+
+* Thu Oct  4 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-3
+- BDB downgraded back to 4.4.20 because 4.6.18 is not supported by
+  openldap (#314821)
+
+* Mon Sep 17 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-2
+- skeleton /etc/sysconfig/ldap added
+- new SLAPD_LDAP option to turn off listening on ldap:/// (#292591)
+- fixed checking of SSL (#292611)
+- fixed upgrade with empty database
+
+* Thu Sep  6 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-1
+- new upstream version
+- added images to the guide.html (#273581)
+
+* Wed Aug 22 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-3
+- just rebuild
+
+* Thu Aug  2 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-2
+- do not use specific automake and autoconf
+- do not distinguish between NPTL and non-NPTL platforms, we have NPTL
+  everywhere
+- db-4.6.18 integrated
+- updated openldap-servers License: field to reference BDB license
+
+* Tue Jul 31 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-1
+- new upstream version
+
+* Fri Jul 20 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-7
+- MigrationTools-47 integrated
+
+* Wed Jul  4 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-6
+- fix compat-slapcat compilation. Now it can be found in
+  /usr/lib/compat-openldap/slapcat, because the tool checks argv[0]
+  (#246581)
+
+* Fri Jun 29 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-5
+- smbk5pwd added (#220895)
+- correctly distribute modules between servers and servers-sql packages
+
+* Mon Jun 25 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-4
+- Fix initscript return codes (#242667)
+- Provide overlays (as modules; #246036, #245896)
+- Add available modules to config file
+
+* Tue May 22 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-3
+- do not create script in /tmp on startup (bz#188298)
+- add compat-slapcat to openldap-compat (bz#179378)
+- do not import ddp services with migrate_services.pl
+  (bz#201183)
+- sort the hosts by adders, preventing duplicities
+  in migrate*nis*.pl (bz#201540)
+- start slupd for each replicated database (bz#210155)
+- add ldconfig to devel post/postun (bz#240253)
+- include misc.schema in default slapd.conf (bz#147805)
+
+* Mon Apr 23 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-2
+- slapadd during package update is now quiet (bz#224581)
+- use _localstatedir instead of var/ during build (bz#220970)
+- bind-libbind-devel removed from BuildRequires (bz#216851)
+- slaptest is now quiet during service ldap start, if
+  there is no error/warning (bz#143697)
+- libldap_r.so now links with pthread (bz#198226)
+- do not strip binaries to produce correct .debuginfo packages
+  (bz#152516)
+
+* Mon Feb 19 2007 Jay Fenlason <fenlason<redhat.com> 2.3.34-1
+- New upstream release
+- Upgrade the scripts for migrating the database so that they might
+  actually work.
+- change bind-libbind-devel to bind-devel in BuildPreReq
+
+* Mon Dec  4 2006 Thomas Woerner <twoerner@redhat.com> 2.3.30-1.1
+- tcp_wrappers has a new devel and libs sub package, therefore changing build
+  requirement for tcp_wrappers to tcp_wrappers-devel
+
+* Wed Nov 15 2006 Jay Fenlason <fenlason@redhat.com> 2.3.30-1
+- New upstream version
+
+* Wed Oct 25 2006 Jay Fenlason <fenlason@redhat.com> 2.3.28-1
+- New upstream version
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 2.3.27-4
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Mon Sep 18 2006 Jay Fenlason <fenlason@redhat.com> 2.3.27-3
+- Include --enable-multimaster to close
+  bz#185821: adding slapd_multimaster to the configure options
+- Upgade guide.html to the correct one for openladp-2.3.27, closing
+  bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2
+- Remove the quotes from around the slaptestflags in ldap.init
+  This closes one part of
+  bz#204593: service ldap fails after having added entries to ldap
+- include __db.* in the list of files to check ownership of in
+  ldap.init, as suggested in
+  bz#199322: RFE: perform cleanup in ldap.init
+
+* Fri Aug 25 2006 Jay Fenlason <fenlason@redhat.com> 2.3.27-2
+- New upstream release
+- Include the gethostbyname_r patch so that nss_ldap won't hang
+  on recursive attemts to ldap_initialize.
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.3.24-2.1
+- rebuild
+
+* Wed Jun 7 2006 Jay Fenlason <fenlason@redhat.com> 2.3.24-2
+- New upstream version
+
+* Thu Apr 27 2006 Jay Fenlason <fenlason@redhat.com> 2.3.21-2
+- Upgrade to 2.3.21
+- Add two upstream patches for db-4.4.20
+
+* Mon Feb 13 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-4
+- Re-fix ldap.init
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 2.3.19-3.1
+- bump again for double-long bug on ppc(64)
+
+* Thu Feb 9 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-3
+- Modify the ldap.init script to call runuser correctly.
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 2.3.19-2.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 10 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-2
+- Upgrade to 2.3.19, which upstream now considers stable
+- Modify the -config.patch, ldap.init, and this spec file to put the
+  pid file and args file in an ldap-owned openldap subdirectory under
+  /var/run.
+- Move back_sql* out of _sbindir/openldap , which requires
+  hand-moving slapd and slurpd to _sbindir, and recreating symlinks
+  by hand.
+- Retire openldap-2.3.11-ads.patch, which went upstream.
+- Update the ldap.init script to run slaptest as the ldap user rather
+  than as root.  This solves
+  bz#150172 Startup failure after database problem
+- Add to the servers post and preun scriptlets so that on preun, the
+  database is slapcatted to /var/lib/ldap/upgrade.ldif and the
+  database files are saved to /var/lib/ldap/rpmorig.  On post, if
+  /var/lib/ldap/upgrade.ldif exists, it is slapadded.  This means that
+  on upgrades from 2.3.16-2 to higher versions, the database files may
+  be automatically upgraded.  Unfortunatly, because of the changes to
+  the preun scriptlet, users have to do the slapcat, etc by hand when
+  upgrading to 2.3.16-2.  Also note that the /var/lib/ldap/rpmorig
+  files need to be removed by hand because automatically removing your
+  emergency fallback files is a bad idea.
+- Upgrade internal bdb to db-4.4.20.  For a clean upgrade, this will
+  require that users slapcat their databases into a temp file, move
+  /var/lib/ldap someplace safe, upgrade the openldap rpms, then
+  slapadd the temp file.
+
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Mon Nov 21 2005 Jay Fenlason <fenlason@redhat.com> 2.3.11-3
+- Remove Requires: cyrus-sasl and cyrus-sasl-md5 from openldap- and
+  compat-openldap- to close
+  bz#173313 Remove exlicit 'Requires: cyrus-sasl" + 'Requires: cyrus-sasl-md5'
+
+* Thu Nov 10 2005 Jay Fenlason <fenlason@redhat.com> 2.3.11-2
+- Upgrade to 2.3.11, which upstream now considers stable.
+- Switch compat-openldap to 2.2.29
+- remove references to nss_ldap_build from the spec file
+- remove references to 2.0 and 2.1 from the spec file.
+- reorganize the build() function slightly in the spec file to limit the
+  number of redundant and conflicting options passedto configure.
+- Remove the attempt to hardlink ldapmodify and ldapadd together, since
+  the current make install make ldapadd a symlink to ldapmodify.
+- Include the -ads patches to allow SASL binds to an Active Directory
+  server to work.  Nalin <nalin@redhat.com> wrote the patch, based on my
+  broken first attempt.
+
+* Thu Nov 10 2005 Tomas Mraz <tmraz@redhat.com> 2.2.29-3
+- rebuilt against new openssl
+
+* Mon Oct 10 2005 Jay Fenlason <fenlason@redhat.com> 2.2.29-2
+- New upstream version.
+
+* Thu Sep 29 2005 Jay Fenlason <fenlason@redhat.com> 2.2.28-2
+- Upgrade to nev upstream version.  This makes the 2.2.*-hop patch obsolete.
+
+* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2
+- Move the slapd.pem file to /etc/pki/tls/certs
+  and edit the -config patch to match to close
+  bz#143393  Creates certificates + keys at an insecure/bad place
+- also use _sysconfdir instead of hard-coding /etc
+
+* Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com>
+- Add the tls-fix-connection-test patch to close
+  bz#161991 openldap password disclosure issue
+- add the hop patches to prevent infinite looping when chasing referrals.
+  OpenLDAP ITS #3578
+
+* Fri Aug  5 2005 Nalin Dahyabhai <nalin@redhat.com>
+- fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
+
+* Thu May 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.26-1
+- run slaptest with the -u flag if no id2entry db files are found, because
+  you can't check for read-write access to a non-existent database (#156787)
+- add _sysconfdir/openldap/cacerts, which authconfig sets as the
+  TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+  with embedded whitespace (#158111)
+
+* Wed May  4 2005 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.2.26 (stable 20050429)
+- enable the lmpasswd scheme
+- print a warning if slaptest fails, slaptest -u succeeds, and one of the
+  directories listed as the storage location for a given suffix in slapd.conf
+  contains a readable file named __db.001 (#118678)
+
+* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.25-1
+- update to 2.2.25 (release)
+
+* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.24-1
+- update to 2.2.24 (stable 20050318)
+- export KRB5_KTNAME in the init script, in case it was set in the sysconfig
+  file but not exported
+
+* Tue Mar  1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-4
+- prefer libresolv to libbind
+
+* Tue Mar  1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-3
+- add bind-libbind-devel and libtool-ltdl-devel buildprereqs
+
+* Tue Mar  1 2005 Tomas Mraz <tmraz@redhat.com> 2.2.23-2
+- rebuild with openssl-0.9.7e
+
+* Mon Jan 31 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-1
+- update to 2.2.23 (stable-20050125)
+- update notes on upgrading from earlier versions
+- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
+
+* Tue Jan  4 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.20-1
+- update to 2.2.20 (stable-20050103)
+- warn about unreadable krb5 keytab files containing "ldap" keys
+- warn about unreadable TLS-related files
+- own a ref to subdirectories which we create under _libdir/tls
+
+* Tue Nov  2 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.17-0
+- rebuild
+
+* Thu Sep 30 2004 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.2.17 (stable-20040923) (#135188)
+- move nptl libraries into arch-specific subdirectories on x86 boxes
+- require a newer glibc which can provide nptl libpthread on i486/i586
+
+* Tue Aug 24 2004 Nalin Dahyabhai <nalin@redhat.com>
+- move slapd startup to earlier in the boot sequence (#103160)
+- update to 2.2.15 (stable-20040822)
+- change version number on compat-openldap to include the non-compat version
+  from which it's compiled, otherwise would have to start 2.2.15 at release 3
+  so that it upgrades correctly
+
+* Thu Aug 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-2
+- build a separate, static set of libraries for openldap-devel with the
+  non-standard ntlm bind patch applied, for use by the evolution-connector
+  package (#125579), and installing them under
+  evolution_connector_prefix)
+- provide openldap-evolution-devel = version-release in openldap-devel
+  so that evolution-connector's source package can require a version of
+  openldap-devel which provides what it wants
+
+* Mon Jul 26 2004 Nalin Dahyabhai <nalin@redhat.com>
+- update administrator guide
+
+* Wed Jun 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-1
+- add compat-openldap subpackage
+- default to bdb, as upstream does, gambling that we're only going to be
+  on systems with nptl now
+
+* Tue Jun 15 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-0
+- preliminary 2.2.13 update
+- move ucdata to the -servers subpackage where it belongs
+
+* Tue Jun 15 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.30-1
+- build experimental sql backend as a loadable module
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue May 18 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.30-0
+- update to 2.1.30
+
+* Thu May 13 2004 Thomas Woerner <twoerner@redhat.com> 2.1.29-3
+- removed rpath
+- added pie patch: slapd and slurpd are now pie
+- requires libtool >= 1.5.6-2 (PIC libltdl.a)
+
+* Fri Apr 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-2
+- move rfc documentation from main to -devel (#121025)
+
+* Wed Apr 14 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-1
+- rebuild
+
+* Tue Apr  6 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-0
+- update to 2.1.29 (stable 20040329)
+
+* Mon Mar 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- don't build servers with --with-kpasswd, that option hasn't been recognized
+  since 2.1.23
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> 2.1.25-5.1
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh <twaugh@redhat.com> 2.1.25-5
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Feb 10 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-4
+- remove 'reload' from the init script -- it never worked as intended (#115310)
+
+* Wed Feb  4 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-3
+- commit that last fix correctly this time
+
+* Tue Feb  3 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-2
+- fix incorrect use of find when attempting to detect a common permissions
+  error in the init script (#114866)
+
+* Fri Jan 16 2004 Nalin Dahyabhai <nalin@redhat.com>
+- add bug fix patch for DB 4.2.52
+
+* Thu Jan  8 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-1
+- change logging facility used from daemon to local4 (#112730, reversing #11047)
+  BEHAVIOR CHANGE - SHOULD BE MENTIONED IN THE RELEASE NOTES.
+
+* Wed Jan  7 2004 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate fix for logic quasi-bug in slapd's SASL auxprop code (Dave Jones)
+
+* Thu Dec 18 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.25, now marked STABLE
+
+* Thu Dec 11 2003 Jeff Johnson <jbj@jbj.org> 2.1.22-9
+- update to db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-8
+- add another section to the ABI note for the TLS libdb so that it's marked as
+  not needing an executable stack (from Arjan Van de Ven)
+
+* Thu Oct 16 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-7
+- force bundled libdb to not use O_DIRECT by making it forget that we have it
+
+* Wed Oct 15 2003 Nalin Dahyabhai <nalin@redhat.com>
+- build bundled libdb for slapd dynamically to make the package smaller,
+  among other things
+- on tls-capable arches, build libdb both with and without shared posix
+  mutexes, otherwise just without
+- disable posix mutexes unconditionally for db 4.0, which shouldn't need
+  them for the migration cases where it's used
+- update to MigrationTools 45
+
+* Thu Sep 25 2003 Jeff Johnson <jbj@jbj.org> 2.1.22-6.1
+- upgrade db-4.1.25 to db-4.2.42.
+
+* Fri Sep 12 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-6
+- drop rfc822-MailMember.schema, merged into upstream misc.schema at some point
+
+* Wed Aug 27 2003 Nalin Dahyabhai <nalin@redhat.com>
+- actually require newer libtool, as was intended back in 2.1.22-0, noted as
+  missed by Jim Richardson
+
+* Fri Jul 25 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-5
+- enable rlookups, they don't cost anything unless also enabled in slapd's
+  configuration file
+
+* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-4
+- rebuild
+
+* Thu Jul 17 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-3
+- rebuild
+
+* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-1
+- build
+
+* Mon Jul 14 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-0
+- 2.1.22 now badged stable
+- be more aggressive in what we index by default
+- use/require libtool 1.5
+
+* Mon Jun 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.22
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jun  3 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-1
+- update to 2.1.21
+- enable ldap, meta, monitor, null, rewrite in slapd
+
+* Mon May 19 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-1
+- update to 2.1.20
+
+* Thu May  8 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-1
+- update to 2.1.19
+
+* Mon May  5 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-1
+- switch to db with crypto
+
+* Fri May  2 2003 Nalin Dahyabhai <nalin@redhat.com>
+- install the db utils for the bundled libdb as %%{_sbindir}/slapd_db_*
+- install slapcat/slapadd from 2.0.x for migration purposes
+
+* Wed Apr 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.17
+- disable the shell backend, not expected to work well with threads
+- drop the kerberosSecurityObject schema, the krbName attribute it
+  contains is only used if slapd is built with v2 kbind support
+
+* Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-8
+- back down to db 4.0.x, which 2.0.x can compile with in ldbm-over-db setups
+- tweak SuSE patch to fix a few copy-paste errors and a NULL dereference
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan  7 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-6
+- rebuild
+
+* Mon Dec 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-5
+- rebuild
+
+* Fri Dec 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-4
+- check for setgid as well
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate fixes from SuSE's security audit, except for fixes to ITS 1963,
+  1936, 2007, 2009, which were included in 2.0.26.
+- add two more patches for db 4.1.24 from sleepycat's updates page
+- use openssl pkgconfig data, if any is available
+
+* Mon Nov 11 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-2
+- add patches for db 4.1.24 from sleepycat's updates page
+
+* Mon Nov  4 2002 Nalin Dahyabhai <nalin@redhat.com>
+- add a sample TLSCACertificateFile directive to the default slapd.conf
+
+* Tue Sep 24 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-1
+- update to 2.0.27
+
+* Fri Sep 20 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.26-1
+- update to 2.0.26, db 4.1.24.NC
+
+* Fri Sep 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.25-2
+- change LD_FLAGS to refer to /usr/kerberos/_libdir instead of
+  /usr/kerberos/lib, which might not be right on some arches
+
+* Mon Aug 26 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.25-1
+- update to 2.0.25 "stable", ldbm-over-gdbm (putting off migration of LDBM
+  slapd databases until we move to 2.1.x)
+- use %%{_smp_mflags} when running make
+- update to MigrationTools 44
+- enable dynamic module support in slapd
+
+* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-5
+- rebuild in new environment
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-3
+- use the gdbm backend again
+
+* Mon Feb 18 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-2
+- make slapd.conf read/write by root, read by ldap
+
+* Sun Feb 17 2002 Nalin Dahyabhai <nalin@redhat.com>
+- fix corner case in sendbuf fix
+- 2.0.23 now marked "stable"
+
+* Tue Feb 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-1
+- update to 2.0.23
+
+* Fri Feb  8 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.22-2
+- switch to an internalized Berkeley DB as the ldbm back-end  (NOTE: this breaks
+  access to existing on-disk directory data)
+- add slapcat/slapadd with gdbm for migration purposes
+- remove Kerberos dependency in client libs (the direct Kerberos dependency
+  is used by the server for checking {kerberos} passwords)
+
+* Fri Feb  1 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.22-1
+- update to 2.0.22
+
+* Sat Jan 26 2002 Florian La Roche <Florian.LaRoche@redhat.de> 2.0.21-5
+- prereq chkconfig for server subpackage
+
+* Fri Jan 25 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-4
+- update migration tools to version 40
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-3
+- free ride through the build system
+
+* Wed Jan 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-2
+- update to 2.0.21, now earmarked as STABLE
+
+* Wed Jan 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-2
+- temporarily disable optimizations for ia64 arches
+- specify pthreads at configure-time instead of letting configure guess
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com>
+- and one for Raw Hide
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-0.7
+- build for RHL 7/7.1
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-1
+- update to 2.0.20 (security errata)
+
+* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.19-1
+- update to 2.0.19
+
+* Tue Nov  6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.18-2
+- fix the commented-out replication example in slapd.conf
+
+* Fri Oct 26 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.18-1
+- update to 2.0.18
+
+* Mon Oct 15 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.17-1
+- update to 2.0.17
+
+* Wed Oct 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable kbind support (deprecated, and I suspect unused)
+- configure with --with-kerberos=k5only instead of --with-kerberos=k5
+- build slapd with threads
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.15-2
+- rebuild, 2.0.15 is now designated stable
+
+* Fri Sep 21 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.15-1
+- update to 2.0.15
+
+* Mon Sep 10 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.14-1
+- update to 2.0.14
+
+* Fri Aug 31 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.12-1
+- update to 2.0.12 to pull in fixes for setting of default TLS options, among
+  other things
+- update to migration tools 39
+- drop tls patch, which was fixed better in this release
+
+* Tue Aug 21 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.11-13
+- install saucer correctly
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- try to fix ldap_set_options not being able to set global options related
+  to TLS correctly
+
+* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't attempt to create a cert at install-time, it's usually going
+  to get the wrong CN (#51352)
+
+* Mon Aug  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add a build-time requirement on pam-devel
+- add a build-time requirement on a sufficiently-new libtool to link
+  shared libraries to other shared libraries (which is needed in order
+  for prelinking to work)
+
+* Fri Aug  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- require cyrus-sasl-md5 (support for DIGEST-MD5 is required for RFC
+  compliance) by name (follows from #43079, which split cyrus-sasl's
+  cram-md5 and digest-md5 modules out into cyrus-sasl-md5)
+
+* Fri Jul 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- enable passwd back-end (noted by Alan Sparks and Sergio Kessler)
+
+* Wed Jul 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- start to prep for errata release
+
+* Fri Jul  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- link libldap with liblber
+
+* Wed Jul  4 2001 Than Ngo <than@redhat.com> 2.0.11-6
+- add symlink liblber.so libldap.so and libldap_r.so in /usr/lib
+
+* Tue Jul  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move shared libraries to /lib
+- redo init script for better internationalization (#26154)
+- don't use ldaprc files in the current directory (#38402) (patch from
+  hps@intermeta.de)
+- add BuildPrereq on tcp wrappers since we configure with
+  --enable-wrappers (#43707)
+- don't overflow debug buffer in mail500 (#41751)
+- don't call krb5_free_creds instead of krb5_free_cred_contents any
+  more (#43159)
+
+* Mon Jul  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make config files noreplace (#42831)
+
+* Tue Jun 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- actually change the default config to use the dummy cert
+- update to MigrationTools 38
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- build dummy certificate in %%post, use it in default config
+- configure-time shenanigans to help a confused configure script
+
+* Wed Jun 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- tweak migrate_automount and friends so that they can be run from anywhere
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.11
+
+* Wed May 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.10
+
+* Mon May 21 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.9
+
+* Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.8
+- drop patch which came from upstream
+
+* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Thu Feb  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- back out pidfile patches, which interact weirdly with Linux threads
+- mark non-standard schema as such by moving them to a different directory
+
+* Mon Feb  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to MigrationTools 36, adds netgroup support
+
+* Mon Jan 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix thinko in that last patch
+
+* Thu Jan 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- try to work around some buffering problems
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- gettextize the init script
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- gettextize the init script
+
+* Fri Jan 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move the RFCs to the base package (#21701)
+- update to MigrationTools 34
+
+* Wed Jan 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add support for additional OPTIONS, SLAPD_OPTIONS, and SLURPD_OPTIONS in
+  a /etc/sysconfig/ldap file (#23549)
+
+* Fri Dec 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change automount object OID from 1.3.6.1.1.1.2.9 to 1.3.6.1.1.1.2.13,
+  per mail from the ldap-nis mailing list
+
+* Tue Dec  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- force -fPIC so that shared libraries don't fall over
+
+* Mon Dec  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add Norbert Klasen's patch (via Del) to fix searches using ldaps URLs
+  (OpenLDAP ITS #889)
+- add "-h ldaps:///" to server init when TLS is enabled, in order to support
+  ldaps in addition to the regular STARTTLS (suggested by Del)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- correct mismatched-dn-cn bug in migrate_automount.pl
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to the correct OIDs for automount and automountInformation
+- add notes on upgrading
+
+* Tue Nov  7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.7
+- drop chdir patch (went mainstream)
+
+* Thu Nov  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change automount object classes from auxiliary to structural
+
+* Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to Migration Tools 27
+- change the sense of the last simple patch
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- reorganize the patch list to separate MigrationTools and OpenLDAP patches
+- switch to Luke Howard's rfc822MailMember schema instead of the aliases.schema
+- configure slapd to run as the non-root user "ldap" (#19370)
+- chdir() before chroot() (we don't use chroot, though) (#19369)
+- disable saving of the pid file because the parent thread which saves it and
+  the child thread which listens have different pids
+
+* Wed Oct 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add missing required attributes to conversion scripts to comply with schema
+- add schema for mail aliases, autofs, and kerberosSecurityObject rooted in
+  our own OID tree to define attributes and classes migration scripts expect
+- tweak automounter migration script
+
+* Mon Oct  9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- try adding the suffix first when doing online migrations
+- force ldapadd to use simple authentication in migration scripts
+- add indexing of a few attributes to the default configuration
+- add commented-out section on using TLS to default configuration
+
+* Thu Oct  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.6
+- add buildprereq on cyrus-sasl-devel, krb5-devel, openssl-devel
+- take the -s flag off of slapadd invocations in migration tools
+- add the cosine.schema to the default server config, needed by inetorgperson
+
+* Wed Oct  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add the nis.schema and inetorgperson.schema to the default server config
+- make ldapadd a hard link to ldapmodify because they're identical binaries
+
+* Fri Sep 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.4
+
+* Fri Sep 15 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove prereq on /etc/init.d (#17531)
+- update to 2.0.3
+- add saucer to the included clients
+
+* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.1
+
+* Fri Sep  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.0
+- patch to build against MIT Kerberos 1.1 and later instead of 1.0.x
+
+* Tue Aug 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove that pesky default password
+- change "Copyright:" to "License:"
+
+* Sun Aug 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- adjust permissions in files lists
+- move libexecdir from %%{_prefix}/sbin to %%{_sbindir}
+
+* Fri Aug 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add migrate_automount.pl to the migration scripts set
+
+* Tue Aug  8 2000 Nalin Dahyabhai <nalin@redhat.com>
+- build a semistatic slurpd with threads, everything else without
+- disable reverse lookups, per email on OpenLDAP mailing lists
+- make sure the execute bits are set on the shared libraries
+
+* Mon Jul 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change logging facility used from local4 to daemon (#11047)
+
+* Thu Jul 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- split off clients and servers to shrink down the package and remove the
+  base package's dependency on Perl
+- make certain that the binaries have sane permissions
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the init script back
+
+* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak the init script to only source /etc/sysconfig/network if it's found
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- switch to gdbm; I'm getting off the db merry-go-round
+- tweak the init script some more
+- add instdir to @INC in migration scripts
+
+* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak init script to return error codes properly
+- change initscripts dependency to one on /etc/init.d
+
+* Tue Jul  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- prereq initscripts
+- make migration scripts use mktemp
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- do condrestart in post and stop in preun
+- move init script to /etc/init.d
+
+* Fri Jun 16 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.11
+- add condrestart logic to init script
+- munge migration scripts so that you don't have to be
+  /usr/share/openldap/migration to run them
+- add code to create pid files in /var/run
+
+* Mon Jun  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- FHS tweaks
+- fix for compiling with libdb2
+
+* Thu May  4 2000 Bill Nottingham <notting@redhat.com>
+- minor tweak so it builds on ia64
+
+* Wed May  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
+- backport replacement for the ldapuser patch
+
+* Tue May  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)
+
+* Tue Apr 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.10
+- add revamped version of patch from kos@bastard.net to allow execution as
+  any non-root user
+- remove test suite from %%build because of weirdness in the build system
+
+* Wed Apr 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
+- fix some possible string-handling problems
+
+* Mon Feb 14 2000 Bill Nottingham <notting@redhat.com>
+- start earlier, stop later.
+
+* Thu Feb  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- auto rebuild in new environment (release 4)
+
+* Tue Feb  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add -D_REENTRANT to make threaded stuff more stable, even though it looks
+  like the sources define it, too
+- mark *.ph files in migration tools as config files
+
+* Fri Jan 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.9
+
+* Mon Sep 13 1999 Bill Nottingham <notting@redhat.com>
+- strip files
+
+* Sat Sep 11 1999 Bill Nottingham <notting@redhat.com>
+- update to 1.2.7
+- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
+- take include files out of base package
+
+* Fri Aug 27 1999 Jeff Johnson <jbj@redhat.com>
+- missing ;; in init script reload) (#4734).
+
+* Tue Aug 24 1999 Cristian Gafton <gafton@redhat.com>
+- move stuff from /usr/libexec to /usr/sbin
+- relocate config dirs to /etc/openldap
+
+* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Wed Aug 11 1999 Cristian Gafton <gafton@redhat.com>
+- add the migration tools to the package
+
+* Fri Aug 06 1999 Cristian Gafton <gafton@redhat.com>
+- upgrade to 1.2.6
+- add rc.d script
+- split -devel package
+
+* Sun Feb 07 1999 Preston Brown <pbrown@redhat.com>
+- upgrade to latest stable (1.1.4), it now uses configure macro.
+
+* Fri Jan 15 1999 Bill Nottingham <notting@redhat.com>
+- build on arm, glibc2.1
+
+* Wed Oct 28 1998 Preston Brown <pbrown@redhat.com>
+- initial cut.
+- patches for signal handling on the alpha