diff --git a/SOURCES/check-password-loglevels.patch b/SOURCES/check-password-loglevels.patch
new file mode 100644
index 0000000..e8ddea7
--- /dev/null
+++ b/SOURCES/check-password-loglevels.patch
@@ -0,0 +1,124 @@
+Correct log levels in check_password module.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1356158
+
+diff --git a/check_password.c b/check_password.c
+--- a/check_password.c
++++ b/check_password.c
+@@ -108,7 +108,7 @@ char* chomp(char *s)
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value);
++	syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
+ #endif
+ 
+ 	/* No need to require more quality than we can check for. */
+@@ -120,7 +120,7 @@ static int set_quality (char *value)
+ static int set_cracklib (char *value)
+ {
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value);
++	syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
+ #endif
+ 
+ 
+@@ -131,7 +131,7 @@ static int set_cracklib (char *value)
+ static int set_digit (char *value)
+ {
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value);
++	syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
+ #endif
+ 	if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
+ 	return (int) (value[0] - '0');
+@@ -152,14 +152,14 @@ static validator valid_word (char *word)
+ 	int index = 0;
+ 
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word);
++	syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
+ #endif
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
+ 		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
++			syslog(LOG_DEBUG, "check_password: Parameter accepted.");
+ #endif
+ 			return list[index].dealer;
+ 		}
+@@ -167,7 +167,7 @@ static validator valid_word (char *word)
+ 	}
+ 
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Parameter rejected.");
++	syslog(LOG_DEBUG, "check_password: Parameter rejected.");
+ #endif
+ 
+ 	return NULL;
+@@ -203,7 +203,7 @@ static int read_config_file ()
+ 
+ #if defined(DEBUG)
+ 		/* Debug traces to syslog. */
+-		syslog(LOG_NOTICE, "check_password: Got line |%s|", line);
++		syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
+ #endif
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+@@ -212,7 +212,7 @@ static int read_config_file ()
+ 		if ( ispunct(*start)) {
+ #if defined(DEBUG)
+ 			/* Debug traces to syslog. */
+-			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++			syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
+ #endif
+ 			continue;
+ 		}
+@@ -227,7 +227,7 @@ static int read_config_file ()
+ 					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+ 
+ #if defined(DEBUG)
+-						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
+ #endif
+ 
+ 						centry[i].value = chomp(value);
+@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ 			if ( !nLower && (minLower < 1)) {
+ 				nLower = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
+ #endif
+ 			}
+ 			continue;
+@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ 			if ( !nUpper && (minUpper < 1)) {
+ 				nUpper = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
+ #endif
+ 			}
+ 			continue;
+@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ 			if ( !nDigit && (minDigit < 1)) {
+ 				nDigit = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
+ #endif
+ 			}
+ 			continue;
+@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ 			if ( !nPunct && (minPunct < 1)) {
+ 				nPunct = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
+ #endif
+ 			}
+ 			continue;
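Review bot: The patch header records an author and a bug number but no upstream status, unlike the ITS-tagged patches in this series, so a maintainer cannot tell whether it must be carried across a check_password (LTB) rebase; an `Upstream:` line, even `Upstream: not submitted`, would settle that. The same gap exists in openldap-ppolicy-loglevels.patch (same Resolves number) and openldap-bdb_idl_fetch_key-correct-key-pointer.patch. Separately, the check_password() traces lowered to LOG_DEBUG still describe the composition of the password under test ("Found lower character …"), so a build with DEBUG defined must never be what the package ships; a one-line remark in the header, `# traces are compiled out unless DEBUG is defined`, would make that explicit.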
diff --git a/SOURCES/libexec-convert-config.sh b/SOURCES/libexec-convert-config.sh
index ca9884f..824c3b1 100755
--- a/SOURCES/libexec-convert-config.sh
+++ b/SOURCES/libexec-convert-config.sh
@@ -52,7 +52,7 @@ fi
 tmp_convert=`mktemp --tmpdir=/var/run/openldap`
 
 if [ `id -u` -eq 0 ]; then
-	install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
 	if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
 		run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
 	else
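Review bot: Relaxing the directory mode to 0750 in the root branch grants read access to the group of `$SLAPD_USER`, which is explicit, but the non-root branch in the second hunk (`install -d --mode 0750 "$SLAPD_CONFIG_DIR"`) names no owner or group, so the new group bit goes to whatever primary group the invoking user happens to have. If that branch is a degraded fallback, keep it at 0700 there, or extend the preceding `error` message to say the group will be wrong. On the changed line `$SLAPD_USER` and `$tmp_convert` are still unquoted while `$SLAPD_CONFIG_DIR` is quoted; quoting all three is cheap. The definitions of `$SLAPD_USER`, `run_as_ldap` and `error` are outside the hunk.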
@@ -61,7 +61,7 @@ if [ `id -u` -eq 0 ]; then
 	retcode=$?
 else
 	error "You are not root! Permission will not be set."
-	install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
 	if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
 		/usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
 	else
diff --git a/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch b/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
new file mode 100644
index 0000000..26ece7d
--- /dev/null
+++ b/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
@@ -0,0 +1,28 @@
+commit aa66d539543de0ad884f1b8e38948ecd946bf47a
+Author: Howard Chu <hyc@openldap.org>
+Date:   Mon Dec 15 14:36:55 2014 +0000
+
+    ITS#8003 fix off-by-one in LDIF length
+    
+    must account for leading space when counting total number of lines
+
+diff --git a/include/ldif.h b/include/ldif.h
+index f638ef9..69bb0c9 100644
+--- a/include/ldif.h
++++ b/include/ldif.h
+@@ -52,12 +52,12 @@ LDAP_LDIF_V (int) ldif_debug;
+  */
+ #define LDIF_SIZE_NEEDED(nlen,vlen) \
+     ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
+-    + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / LDIF_LINE_WIDTH * 2 ))
++    + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (LDIF_LINE_WIDTH-1) * 2 ))
+ 
+ #define LDIF_SIZE_NEEDED_WRAP(nlen,vlen,wrap) \
+     ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
+-    + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH ) * 2 ) : \
+-	((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap) * 2 ))))
++    + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH-1 ) * 2 ) : \
++	((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap-1) * 2 ))))
+ 
+ LDAP_LDIF_F( int )
+ ldif_parse_line LDAP_P((
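Review bot: The new divisor `(wrap-1)` in LDIF_SIZE_NEEDED_WRAP is zero when `wrap` is 1, which the previous `(wrap)` was not, and the macro only special-cases `wrap == 0` and `LDIF_LINE_WIDTH_MAX`; whether any caller can pass 1 is not visible here. Since this is an upstream backport the fix itself belongs upstream, but a comment above the macro, `/* wrap must be 0, LDIF_LINE_WIDTH_MAX, or >= 2: a value of 1 divides by zero */`, would record the precondition for package maintainers.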
diff --git a/SOURCES/openldap-ITS8329-back_sql-id_query.patch b/SOURCES/openldap-ITS8329-back_sql-id_query.patch
new file mode 100644
index 0000000..cf05c96
--- /dev/null
+++ b/SOURCES/openldap-ITS8329-back_sql-id_query.patch
@@ -0,0 +1,27 @@
+fix: id_query option is not available after rebasing openldap to 2.4.39
+Resolves: rhbz#1311832
+Upstream: ITS#8329
+diff --git a/servers/slapd/back-sql/config.c b/servers/slapd/back-sql/config.c
+--- a/servers/slapd/back-sql/config.c
++++ b/servers/slapd/back-sql/config.c
+@@ -213,6 +213,11 @@ static ConfigTable sqlcfg[] = {
+ 		ARG_ON_OFF|ARG_MAGIC|SQL_AUTOCOMMIT, (void *)sql_cf_gen,
+ 		"( OLcfgDbAt:6.45 NAME 'olcSqlAutocommit' "
+ 			"SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
++	{ "id_query", "SQL expression", 2, 0, 0, ARG_STRING|ARG_QUOTE|ARG_OFFSET,
++		(void *)offsetof(struct backsql_info, sql_id_query),
++		"( OLcfgDbAt:6.46 NAME 'olcSqlIdQuery' "
++			"DESC 'Query used to collect entryID mapping data' "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED,
+ 		NULL, NULL, NULL, NULL }
+ };
+@@ -233,7 +238,7 @@ static ConfigOCs sqlocs[] = {
+ 		"olcSqlFailIfNoMapping $ olcSqlAllowOrphans $ olcSqlBaseObject $ "
+ 		"olcSqlLayer $ olcSqlUseSubtreeShortcut $ olcSqlFetchAllAttrs $ "
+ 		"olcSqlFetchAttrs $ olcSqlCheckSchema $ olcSqlAliasingKeyword $ "
+-		"olcSqlAliasingQuote $ olcSqlAutocommit ) )",
++		"olcSqlAliasingQuote $ olcSqlAutocommit $ olcSqlIdQuery ) )",
+ 			Cft_Database, sqlcfg },
+ 	{ NULL, Cft_Abstract, NULL }
+ };
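Review bot: The new sqlcfg entry allocates `OLcfgDbAt:6.46` and the attribute name `olcSqlIdQuery`, but the header only says `Upstream: ITS#8329` without stating that the OID, name and syntax are identical to what upstream committed; a divergence would break cn=config databases written against this package on the next rebase, and a duplicate OID would clash in the config schema. Please state in the header that the entry is taken verbatim from the upstream change, or cite the upstream commit.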
diff --git a/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch b/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
new file mode 100644
index 0000000..76cc3fd
--- /dev/null
+++ b/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
@@ -0,0 +1,21 @@
+commit 901fe3318f1c4ea7adac45f906d5447d71e43f8a
+Author: Howard Chu <hyc@openldap.org>
+Date:   Sat Dec 12 16:14:02 2015 +0000
+
+    ITS#8337 fix missing olcDbChecksum config attr
+
+diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
+index e07381f..a5b5888 100644
+--- a/servers/slapd/back-bdb/config.c
++++ b/servers/slapd/back-bdb/config.c
+@@ -163,8 +163,8 @@ static ConfigOCs bdbocs[] = {
+ #endif
+ 		"SUP olcDatabaseConfig "
+ 		"MUST olcDbDirectory "
+-		"MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ "
+-		"olcDbCryptFile $ olcDbCryptKey $ "
++		"MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbChecksum $ "
++		"olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ "
+ 		"olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ "
+ 		"olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ "
+ 		"olcDbMode $ olcDbSearchStack $ olcDbShmKey $ "
diff --git a/SOURCES/openldap-ITS8428-init-sc_writewait.patch b/SOURCES/openldap-ITS8428-init-sc_writewait.patch
new file mode 100644
index 0000000..a1af400
--- /dev/null
+++ b/SOURCES/openldap-ITS8428-init-sc_writewait.patch
@@ -0,0 +1,21 @@
+Backport upstream fix for a crash in back-relay when doing do_search.
+RHBZ: #1316450
+
+commit 2e60bf5ed00c1a8794131f53a6c72a78c0766e21
+Author: Howard Chu <hyc@openldap.org>
+Date:   Wed May 18 12:30:31 2016 +0100
+
+    ITS#8428 init sc_writewait
+
+diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c
+index 4fdc08a..f7c1fee 100644
+--- a/servers/slapd/back-relay/op.c
++++ b/servers/slapd/back-relay/op.c
+@@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, SlapReply *rs )
+ 		(rcb)->rcb_sc.sc_next = (op)->o_callback;	\
+ 		(rcb)->rcb_sc.sc_response = relay_back_response_cb; \
+ 		(rcb)->rcb_sc.sc_cleanup = 0;			\
++		(rcb)->rcb_sc.sc_writewait = 0;			\
+ 		(rcb)->rcb_sc.sc_private = (op)->o_bd;		\
+ 		(op)->o_callback = (slap_callback *) (rcb);	\
+ }
diff --git a/SOURCES/openldap-allop-overlay.patch b/SOURCES/openldap-allop-overlay.patch
new file mode 100644
index 0000000..8281bd0
--- /dev/null
+++ b/SOURCES/openldap-allop-overlay.patch
@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #990893
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ 	translucent.c \
+ 	unique.c \
+ 	valsort.c \
+-	smbk5pwd.c
++	smbk5pwd.c \
++	allop.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ smbk5pwd.la : smbk5pwd.lo
+ 	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ 
++allop.lo : allop.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
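Review bot: The new `allop.lo` and `allop.la` rules copy the smbk5pwd recipes verbatim, including `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL` and the `pkg-config openssl` cflags and libs; allop is a plain overlay and presumably needs none of that, so the module is built with Samba-specific defines and linked against libcrypto it does not call. Suggest `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`, which is the shape the sha2 rules later in this series use. `$(shell …)` is GNU-make-only, but that is inherited from the smbk5pwd rule and not introduced here.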
diff --git a/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch b/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch
new file mode 100644
index 0000000..641ecb1
--- /dev/null
+++ b/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch
@@ -0,0 +1,17 @@
+Correct key pointer usage in bdb_idl_fetch_key.
+
+Author: Shogo Matsumoto
+Resolves: #1356165
+
+diff --git a/servers/slapd/back-bdb/idl.c b/servers/slapd/back-bdb/idl.c
+--- a/servers/slapd/back-bdb/idl.c
++++ b/servers/slapd/back-bdb/idl.c
+@@ -628,7 +628,7 @@ bdb_idl_fetch_key(
+ 					BDB_DISK2ID( j, i );
+ 				}
+ 			}
+-			rc = cursor->c_get( cursor, key, &data, flags | DB_NEXT_DUP );
++			rc = cursor->c_get( cursor, kptr, &data, flags | DB_NEXT_DUP );
+ 		}
+ 		if ( rc == DB_NOTFOUND ) rc = 0;
+ 		ids[0] = i - ids;
diff --git a/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch b/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch
new file mode 100644
index 0000000..f7ff064
--- /dev/null
+++ b/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch
@@ -0,0 +1,24 @@
+A mutex lock might not get unlocked when plausible
+
+In the preceding if-statement a mutex may get locked. This is unlocked on
+'done' label, but not called when plausible. Based on the current code logic
+this seems to not be able to happen, but might when code gets changed at 
+some point in time. This patch fixes the issue.
+
+The issue was found by Coverity scan 
+http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/11054/38577/
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1261003
+
+--- a/servers/slapd/overlays/accesslog.c
++++ b/servers/slapd/overlays/accesslog.c
+@@ -1519,7 +1519,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
+ 
+ 	/* ignore these internal reads */
+ 	if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) {
+-		return SLAP_CB_CONTINUE;
++		goto done;
+ 	}
+ 
+ 	if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
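Review bot: Replacing `return SLAP_CB_CONTINUE` with `goto done` is only correct if the code at `done:` releases the mutex conditionally (only when the preceding if actually took it) and returns SLAP_CB_CONTINUE for this path; neither the label nor the lock site is inside the hunk, and the description itself says the lock is taken only in some cases. Please confirm both and record it in the header, e.g. `done: unlocks only if the lock was taken above and returns SLAP_CB_CONTINUE`. accesslog_response() starts before and ends after this hunk.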
diff --git a/SOURCES/openldap-module-passwd-sha2.patch b/SOURCES/openldap-module-passwd-sha2.patch
new file mode 100644
index 0000000..864607d
--- /dev/null
+++ b/SOURCES/openldap-module-passwd-sha2.patch
@@ -0,0 +1,42 @@
+Include sha2 module
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -35,7 +35,8 @@ SRCS = overlays.c \
+ 	unique.c \
+ 	valsort.c \
+ 	smbk5pwd.c \
+-	allop.c
++	allop.c \
++	sha2.c slapd-sha2.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -55,7 +56,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -139,6 +140,15 @@ allop.lo : allop.c
+ allop.la : allop.lo
+ 	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ 
++sha2.lo : sha2.c
++	$(LTCOMPILE_MOD) $<
++
++slapd-sha2.lo : slapd-sha2.c
++	$(LTCOMPILE_MOD) $<
++
++pw-sha2.la : sha2.lo slapd-sha2.lo
++	$(LTLINK_MOD) -module -o $@ $? version.lo $(LINK_LIBS)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
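Review bot: The `pw-sha2.la` link rule uses `$?` (only prerequisites newer than the target) instead of listing the objects, so on an incremental rebuild where just one of `sha2.lo`/`slapd-sha2.lo` changed the module is relinked from a single object and ends up with unresolved symbols; use `$(LTLINK_MOD) -module -o $@ sha2.lo slapd-sha2.lo version.lo $(LINK_LIBS)` as the other `.la` rules in the file do. A clean package build never triggers this, which is why it passes unnoticed.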
diff --git a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
index 247085c..75832da 100644
--- a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
+++ b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
@@ -82,17 +82,18 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  			break;
  		}
  
-@@ -654,7 +665,9 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -654,7 +665,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  			}
  		} else {
  			int mask = 0;
 +			int multi_mask = 0;
++			int negative_mask = 0;
  			int strength = 0;
 +			int multi_strength = 0;
  			int protocol = 0;
  			char *c;
  
-@@ -665,16 +678,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -665,16 +678,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					*c++ = '\0';
  				}
  
@@ -100,11 +101,9 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 -					mask |= SSL_RSA;
 +				if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) {
 +					mask |= SSL_kRSA;
-+				} if (!strcmp(cipher, "aRSA")) {
-+					if (!(mask & SSL_kECDH)) //kECDH means no aRSA
-+						mask |= SSL_aRSA;
-+					else if (mask & SSL_kECDHE) //kECDH and aRSA means kECDHE
-+						mask |= SSL_kECDHE|SSL_aRSA;
++				} else if (!strcmp(cipher, "aRSA")) {
++					mask |= SSL_aRSA;
++					negative_mask |= SSL_kECDH;
  				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
  					mask |= SSL_eNULL;
  				} else if (!strcmp(cipher, "AES128")) {
@@ -119,7 +118,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  				} else if (!strcmp(cipher, "3DES")) {
  					mask |= SSL_3DES;
  				} else if (!strcmp(cipher, "DES")) {
-@@ -685,27 +705,42 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -685,28 +705,43 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					mask |= SSL_RC2;
  				} else if (!strcmp(cipher, "MD5")) {
  					mask |= SSL_MD5;
@@ -131,7 +130,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +					mask |= SSL_SHA384;
 +				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
 +					mask |= SSL_SHA1;
- 				} else if (!strcmp(cipher, "EDH")) {
+-				} else if (!strcmp(cipher, "EDH")) {
++				} else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
  					mask |= SSL_kEDH;
 -				} else if (!strcmp(cipher, "DSS")) {
 +				} else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
@@ -151,8 +151,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +				} else if (!strcmp(cipher, "kECDHr")) {
 +					mask |= SSL_kECDH|SSL_aRSA;
 +				} else if (!strcmp(cipher, "kECDH")) {
-+					if (!(mask & SSL_aRSA)) //kECDH does not use aRSA
-+						mask |= SSL_kECDH;
++					mask |= SSL_kECDH;
 +				} else if (!strcmp(cipher, "aECDH")) {
  					mask |= SSL_kECDH;
 +				} else if (!strcmp(cipher, "EECDH")) {
@@ -166,8 +165,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +					multi_mask |= SSL_ECDH;
 +				} else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
  					mask |= SSL_aECDSA;
++					negative_mask |= SSL_kECDH;
  				} else if (!strcmp(cipher, "SSLv2")) {
  					protocol |= SSL2;
+ 				} else if (!strcmp(cipher, "SSLv3")) {
 @@ -721,12 +756,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					strength |= SSL_MEDIUM;
  				} else if (!strcmp(cipher, "LOW")) {
@@ -183,7 +184,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  				}
  
  				if (c)
-@@ -734,23 +769,37 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -734,23 +769,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  
  			} /* while */
  
@@ -196,7 +197,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +			 * if more than one mask is provided then AND logic applies (to match openssl)
  			 */
 -			if (mask || strength || protocol) {
-+			if (mask || multi_mask || strength || multi_strength || protocol) {
++			if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) {
  				for (i=0; i<ciphernum; i++) {
 -					if (((ciphers_def[i].attr & mask) ||
 -						 (ciphers_def[i].strength & strength) ||
@@ -230,6 +231,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +					if ((multi_strength & SSL_EXPORT) &&
 +					    !(ciphers_def[i].strength & (SSL_EXPORT40|SSL_EXPORT56)))
 +						continue;
++					if ( negative_mask & ciphers_def[i].attr )
++						continue;
 +					cipher_list[i] = action;
  				}
  			} else {
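Review bot: The new exclusion at the end of the loop, `if ( negative_mask & ciphers_def[i].attr ) continue;`, silently depends on `SSL_kECDH` sharing no bits with `SSL_kECDHE`: aRSA and aECDSA now add SSL_kECDH to negative_mask, and if the two key-exchange flags overlap, every ECDHE-RSA and ECDHE-ECDSA suite (attr `SSL_kECDHE|SSL_aRSA` in the cipher table elsewhere in this series) is dropped whenever aRSA or aECDSA is named, which would cut the strongest suites from a common cipher string. The flag definitions are not in this hunk; please confirm they are disjoint and record it next to the declaration, `/* negative_mask assumes SSL_kECDH and SSL_kECDHE are distinct bits */`. nss_parse_ciphers() continues outside the hunk.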
diff --git a/SOURCES/openldap-nss-protocol-version-new-api.patch b/SOURCES/openldap-nss-protocol-version-new-api.patch
new file mode 100644
index 0000000..b2de8f1
--- /dev/null
+++ b/SOURCES/openldap-nss-protocol-version-new-api.patch
@@ -0,0 +1,88 @@
+Implement new API for setting TLS protocol version.
+
+The code being deleted has been misplaced and it's effect has been
+mangled by a code later on. This patch puts the code at the correct
+place and introduces some more logging and error checking.
+
+Author: Matus Honek <mhonek@redhat.com>
+RHBZ: #1249093
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )
+ 			}
+ 		}
+ 
+-		/*
+-		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
+-		 *
+-		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+-		 */
+-		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+-		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+-		variant = ssl_variant_stream;
+-		SSL_VersionRangeSetDefault(variant, &range);
+-
+ 		NSS_SetDomesticPolicy();
+ 
+ 		PK11_SetPasswordFunc( tlsm_pin_prompt );
+@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
+ 		       0, 0, 0 );
+ 		return -1;
+ 	}
++	if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
++		SSLVersionRange supported_range, default_range, selected_range;
++		if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
++			Debug( LDAP_DEBUG_ANY,
++			       "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
++			       0, 0, 0 );
++			return -1;
++		} else {
++			Debug( LDAP_DEBUG_ANY,
++			       "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
++			       supported_range.min, supported_range.max, 0);
++		}
++		if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
++			Debug( LDAP_DEBUG_ANY,
++			       "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
++			       0, 0, 0 );
++			return -1;
++		} else {
++			Debug( LDAP_DEBUG_ANY,
++			       "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
++			       default_range.min, default_range.max, 0);
++		}
++		selected_range.min = lt->lt_protocol_min;
++		selected_range.max = supported_range.max;
++		Debug( LDAP_DEBUG_ANY,
++		       "TLS: info: TLS configured protocol minimal version is %#04x.\n",
++		       selected_range.min, selected_range.max, 0);
++		if ( (selected_range.min > supported_range.max) ||
++		     (selected_range.max < supported_range.min) ) {
++			Debug( LDAP_DEBUG_ANY,
++			       "TLS: error: selected protocol version range out of NSS-supported version range.\n",
++			       0, 0, 0);
++			return -1;
++		} else {
++			if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
++				Debug( LDAP_DEBUG_ANY,
++				       "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
++				       0, 0, 0);
++				return -1;
++			}
++			if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
++				Debug( LDAP_DEBUG_ANY,
++				       "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
++				       0, 0, 0);
++				return -1;
++			} else {
++				Debug( LDAP_DEBUG_ANY,
++				       "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
++				       selected_range.min, selected_range.max, 0);
++			}
++		}
++	}
+ 
+ 	if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
+  		Debug( LDAP_DEBUG_ANY,
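Review bot: Every message in the new block, including the four "TLS: info:" ones, is emitted at LDAP_DEBUG_ANY, so the supported, default and selected ranges are printed on each context init even with debugging off; the informational calls belong at LDAP_DEBUG_TRACE with only the error paths left at LDAP_DEBUG_ANY. The "TLS configured protocol minimal version" call also passes `selected_range.max` to a format with a single `%#04x`; drop the extra argument or extend the format. tlsm_deferred_ctx_init() continues outside the hunk, and after the deletion in tlsm_deferred_init() the `range` and `variant` locals there may now be unused — worth a check for warnings.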
diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch
index 7b8510c..d0d7ae6 100644
--- a/SOURCES/openldap-nss-update-list-of-ciphers.patch
+++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch
@@ -201,7 +201,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +	{"DHE-DSS-AES128-SHA256",     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256,          TLS1_2, SSL_HIGH},
 +	{"DHE-DSS-AES256-SHA256",     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256,          TLS1_2, SSL_HIGH},
 +	{"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
-+	//{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++	{"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
 +	
 +	{"ECDHE-ECDSA-AES128-SHA256",     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256,          TLS1_2, SSL_HIGH},
 +	{"ECDHE-RSA-AES128-SHA256",       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256,            TLS1_2, SSL_HIGH},
diff --git a/SOURCES/openldap-ppolicy-loglevels.patch b/SOURCES/openldap-ppolicy-loglevels.patch
new file mode 100644
index 0000000..4e17409
--- /dev/null
+++ b/SOURCES/openldap-ppolicy-loglevels.patch
@@ -0,0 +1,35 @@
+Correct log levels in ppolicy overlay.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1356158
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -643,7 +643,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ 		if ((mod = lt_dlopen( pp->pwdCheckModule )) == NULL) {
+ 			err = lt_dlerror();
+ 
+-			Debug(LDAP_DEBUG_ANY,
++			Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ 			"check_password_quality: lt_dlopen failed: (%s) %s.\n",
+ 				pp->pwdCheckModule, err, 0 );
+ 			ok = LDAP_OTHER; /* internal error */
+@@ -658,7 +658,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ 			if ((prog = lt_dlsym( mod, "check_password" )) == NULL) {
+ 				err = lt_dlerror();
+ 			    
+-				Debug(LDAP_DEBUG_ANY,
++				Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ 					"check_password_quality: lt_dlsym failed: (%s) %s.\n",
+ 					pp->pwdCheckModule, err, 0 );
+ 				ok = LDAP_OTHER;
+@@ -667,7 +667,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ 				ok = prog( ptr, txt, e );
+ 				ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex );
+ 				if (ok != LDAP_SUCCESS) {
+-					Debug(LDAP_DEBUG_ANY,
++					Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ 						"check_password_quality: module error: (%s) %s.[%d]\n",
+ 						pp->pwdCheckModule, *txt ? *txt : "", ok );
+ 				}
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
index 4a76c2f..8a3a722 100644
--- a/SOURCES/slapd.service
+++ b/SOURCES/slapd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenLDAP Server Daemon
-After=syslog.target NetworkManager-wait-online.service
+After=syslog.target network-online.target
 Documentation=man:slapd
 Documentation=man:slapd-config
 Documentation=man:slapd-hdb
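Review bot: `After=network-online.target` only orders slapd after the target; it does not cause the target to be pulled in, so on a system where nothing else requests it the unit can still start before the network is up, which is presumably the symptom behind the "slapd fails to start on boot" changelog entry. Add `Wants=network-online.target` next to the `After=` line, the pattern systemd documents for this case. Dropping the explicit NetworkManager-wait-online dependency is fine once the target is wanted, since the target covers it.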
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index fd4c622..f1bbe23 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.40
-Release: 9%{?dist}
+Release: 13%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -26,11 +26,13 @@ Source55: libexec-generate-server-cert.sh
 
 # patches for 2.4
 Patch0: openldap-manpages.patch
+Patch1: openldap-ppolicy-loglevels.patch
 Patch2: openldap-sql-linking.patch
 Patch3: openldap-reentrant-gethostby.patch
 Patch4: openldap-smbk5pwd-overlay.patch
 Patch5: openldap-ldaprc-currentdir.patch
 Patch6: openldap-userconfig-setgid.patch
+Patch7: openldap-allop-overlay.patch
 Patch8: openldap-syncrepl-unset-tls-options.patch
 Patch9: openldap-man-sasl-nocanon.patch
 Patch10: openldap-ai-addrconfig.patch
@@ -49,8 +51,11 @@ Patch18: openldap-ssl-deadlock-revert.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
+# coverity - missin_unlock in servers/slapd/overlays/accesslog.c
+Patch21: openldap-missing-unlock-in-accesslog-overlay.patch
 # upstreamed, ITS #7979
 Patch22: openldap-support-tlsv1-and-later.patch
+Patch23: openldap-module-passwd-sha2.patch
 # pending upstream inclusion, ITS #7744
 Patch24: openldap-man-tls-reqcert.patch
 # already in upstream, see ITS #8105, incorporated by commits 25bbf11 and fb1bf1c
@@ -63,10 +68,20 @@ Patch28: openldap-nss-ciphers-use-nss-defaults.patch
 Patch29: openldap-ITS8240-remove-obsolete-assert.patch
 # this is a temporary fix for #1294385, it should be solved properly, backported from #1144294
 Patch30: openldap-temporary-ssl-thr-init-race.patch
+# already in upstream (2.4.41), see ITS#8003
+Patch31: openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
+# already in upstream, see ITS#8337
+Patch32: openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
+# ITS#8329
+Patch33: openldap-ITS8329-back_sql-id_query.patch
+Patch34: openldap-nss-protocol-version-new-api.patch
+Patch35: openldap-ITS8428-init-sc_writewait.patch
+Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
 Patch91: check-password.patch
+Patch92: check-password-loglevels.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
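Review bot: Patch34, Patch35 and Patch36 are added without the one-line comment the neighbouring entries carry (upstream status, ITS or bug number), so a reader of the spec cannot tell which of them are backports and which are distribution-only; from the patch headers in this change that would be `# RHBZ #1316450, upstream ITS#8428` above Patch35 and `# RHBZ #1249093` above Patch34, with Patch36 and Patch92 needing their status confirmed. Keeping those comments is what makes a rebase tractable.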
@@ -167,11 +182,13 @@ ln -s %{_includedir}/nspr4 include/nspr
 AUTOMAKE=%{_bindir}/true autoreconf -fi
 
 %patch0 -p1
+%patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
@@ -185,7 +202,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
 %patch22 -p1
+%patch23 -p1
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
@@ -193,12 +212,27 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
 
 %patch102 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+# build allop with other overlays
+ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
+mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
+mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
+# build sha2 with other overlays
+ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \
+      servers/slapd/overlays
+ls servers/slapd/overlays
+mv contrib/slapd-modules/passwd/sha2/README{,.sha2}
 
 mv servers/slapd/back-perl/README{,.back_perl}
 
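Review bot: `ls servers/slapd/overlays` at the end of the new sha2 block is a leftover debugging command in %prep; it only adds noise to the build log and should be dropped. The `ln -s` into `servers/slapd/overlays` assumes the same `../../../` depth as the smbk5pwd and allop links, and the brace expansion also links `sha2.h`; a short comment such as `# slapd-sha2.c includes sha2.h, so link the header too` (assumed — the include is not visible here) would explain why the header is part of the list.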
@@ -213,6 +247,7 @@ popd
 pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
 %patch90 -p1
 %patch91 -p1
+%patch92 -p1
 popd
 
 %build
@@ -368,7 +403,7 @@ chmod 0644 %{buildroot}%{_libdir}/lib*.*a
 mkdir -p %{buildroot}%{_datadir}
 install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
 install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
-install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
+install -m 0750 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
 
@@ -578,6 +613,7 @@ exit 0
 %{_datadir}/openldap-servers/
 %{_libdir}/openldap/accesslog*
 %{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/allop*
 %{_libdir}/openldap/back_dnssrv*
 %{_libdir}/openldap/back_ldap*
 %{_libdir}/openldap/back_meta*
@@ -600,6 +636,7 @@ exit 0
 %{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
 %{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/pw-sha2*
 %{_libdir}/openldap/smbk5pwd*
 %{_libdir}/openldap/sssvlv*
 %{_libdir}/openldap/syncprov*
@@ -636,6 +673,30 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Wed Aug 17 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-13
+- fix: Bad log levels in check_password module
+- fix: We can't search expected entries from LDAP server
+- fix: OpenLDAP ciphersuite parsing doesn't match OpenSSL ciphers man page
+  + Add TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 to list of ciphers
+  + Add DH cipher string parsing option
+  + Correct handling kECDH ciphers with aRSA or aECDSA
+
+* Fri Jul  1 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-12
+- fix: slapd crash in do_search (#1316450)
+- fix: Setting olcTLSProtocolMin does not change supported protocols (#1249093)
+
+* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-11
+- fix: correct inconsistent slapd.d directory permissions (#1255433)
+
+* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-10
+- fix: slapd fails to start on boot (#1315958)
+- fix: id_query option is not available after rebasing openldap to 2.4.39 (#1311832)
+- Include sha2 module (#1292568)
+- Compile AllOp together with other overlays (#990893)
+- Missing mutex unlock in accesslog overlay (#1261003)
+- ITS#8337 fix missing olcDbChecksum config attr (#1292590)
+- ITS#8003 fix off-by-one in LDIF length (#1292619)
+
 * Mon Feb 22 2016 Matúš Honěk <mhonek@redhat.com> - 2.4.40-9
 - fix: nslcd segfaults due to incorrect mutex initialization (#1294385)