diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7e0ec57
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+SOURCES/openldap-2.4.57.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
new file mode 100644
index 0000000..efc624d
--- /dev/null
+++ b/.openldap.metadata
@@ -0,0 +1,2 @@
+444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+1cffa70a3ea8545948041fd113f8f53bc24d6d87 SOURCES/openldap-2.4.57.tgz
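Review bot: The two source tarballs are pinned in `.openldap.metadata` by SHA-1 only, and nothing in the tree records that `openldap-2.4.57.tgz` was compared against the upstream release's published SHA-256 or GPG signature before it went into the lookaside cache. The hash format is fixed by the dist-git tooling, as I understand it, so the fix is a recorded check rather than a different digest: note the verified upstream digest or signing-key fingerprint in the spec changelog, or keep the upstream `.asc` next to the tarball so the provenance can be re-checked later.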
diff --git a/SOURCES/check-password-makefile.patch b/SOURCES/check-password-makefile.patch
new file mode 100644
index 0000000..f39ba81
--- /dev/null
+++ b/SOURCES/check-password-makefile.patch
@@ -0,0 +1,41 @@
+--- a/Makefile	2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile	2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-OPT=-g -O2 -Wall -fpic 						\
+-	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\
+-	-DCONFIG_FILE="\"$(CONFIG)\""					\
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
+ 	-DDEBUG
+ 
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+-	 -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+ 
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: 	check_password
+ 
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+ 	cp -f check_password.so ../../../usr/lib/openldap/modules/
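Review bot: The `check_password.o` rule now expands `$(LDAP_INC)` while the patch deletes the only definition of `LDAP_INC` (the `-I/home/pyb/...` lines), so the build silently depends on the variable arriving from the make command line or environment, and when it does not the failure is an opaque `slap.h: No such file` rather than a clear message. Add a note next to the rule, e.g. `# LDAP_INC must be passed by the caller (slap.h lives in the slapd source tree, not in openldap-devel)`, or fail fast with `$(if $(LDAP_INC),,$(error LDAP_INC is not set))`. `-DDEBUG` is also kept in `CFLAGS`, which, judging by the module source, turns on LOG_NOTICE syslog traces for every password check; for a shipped build that is probably unwanted.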
diff --git a/SOURCES/check-password.patch b/SOURCES/check-password.patch
new file mode 100644
index 0000000..7a79e95
--- /dev/null
+++ b/SOURCES/check-password.patch
@@ -0,0 +1,321 @@
+--- a/check_password.c	2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+ 
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+ 
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+ 	"Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+-	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+ 	"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++	"An unknown error occurred, please see your systems administrator"
+ 
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+ 
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+ 
++struct config_entry {
++	char* key;
++	char* value;
++	char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++		       { "useCracklib", NULL, "1"},
++		       { "minUpper", NULL, "0"},
++		       { "minLower", NULL, "0"},
++		       { "minDigit", NULL, "0"},
++		       { "minPunct", NULL, "0"},
++		       { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	char* key = centry[i].key;
++	while (key != NULL) {
++		if ( strncmp(key, entry, strlen(key)) == 0 ) {
++			if ( centry[i].value == NULL ) {
++				return atoi(centry[i].def_value);
++			}
++			else {
++				return atoi(centry[i].value);
++			}
++		}
++		i++;
++		key = centry[i].key;
++	}
++
++	return -1;
++}
++
++void dealloc_config_entries() {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	while (centry[i].key != NULL) {
++		if ( centry[i].value != NULL ) {
++			ber_memfree(centry[i].value);
++		}
++		i++;
++	}
++}
++
++char* chomp(char *s)
++{
++	char* t = ber_memalloc(strlen(s)+1);
++	strncpy (t,s,strlen(s)+1);
++
++	if ( t[strlen(t)-1] == '\n' ) {
++		t[strlen(t)-1] = '\0';
++	}
++
++	return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+ 		char * parameter;
+ 		validator dealer;
+ 	} list[] = { { "minPoints", set_quality },
+-		{ "useCracklib", set_cracklib },
+-		{ "minUpper", set_digit },
+-		{ "minLower", set_digit },
+-		{ "minDigit", set_digit },
+-		{ "minPunct", set_digit },
+-		{ NULL, NULL } };
++		     { "useCracklib", set_cracklib },
++		     { "minUpper", set_digit },
++		     { "minLower", set_digit },
++		     { "minDigit", set_digit },
++		     { "minPunct", set_digit },
++		     { NULL, NULL } };
+ 	int index = 0;
+ 
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
+-				strcmp(list[index].parameter, word) == 0) {
++		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+ 			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+ 	return NULL;
+ }
+ 
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+ 	FILE * config;
+ 	char * line;
+ 	int returnValue =  -1;
+ 
+-	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++	line = ber_memcalloc(260, sizeof(char));
++
++	if ( line == NULL ) {
+ 		return returnValue;
+ 	}
+ 
+@@ -133,6 +194,8 @@
+ 		return returnValue;
+ 	}
+ 
++	returnValue = 0;
++
+ 	while (fgets(line, 256, config) != NULL) {
+ 		char *start = line;
+ 		char *word, *value;
+@@ -145,23 +208,40 @@
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+ 
+-		if (! isascii(*start))
++		/* If we've got punctuation, just skip the line. */
++		if ( ispunct(*start)) {
++#if defined(DEBUG)
++			/* Debug traces to syslog. */
++			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+ 			continue;
++		}
+ 
+-		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+-			if ((value = strtok(NULL, " \t")) == NULL)
+-				continue;
++		if( isascii(*start)) {
++
++			struct config_entry* centry = config_entries;
++			int i = 0;
++			char* keyWord = centry[i].key;
++			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++				while ( keyWord != NULL ) {
++					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+ 
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+ 
+-			returnValue = (*dealer)(value);
++						centry[i].value = chomp(value);
++						break;
++					}
++					i++;
++					keyWord = centry[i].key;
++				}
++			}
+ 		}
+ 	}
+-
+ 	fclose(config);
+ 	ber_memfree(line);
++
+ 	return returnValue;
+ }
+ 
+@@ -170,7 +250,7 @@
+ 	if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+ 		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+-				curlen, nextlen + MEMORY_MARGIN);
++		       curlen, nextlen + MEMORY_MARGIN);
+ #endif
+ 		ber_memfree(*target);
+ 		curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+ 	return curlen;
+ }
+ 
+-	int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+ 
+@@ -210,20 +290,22 @@
+ 	nLen = strlen (pPasswd);
+ 	if ( nLen < 6) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_TOO_SHORT_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 1);
++						strlen(PASSWORD_TOO_SHORT_SZ) +
++						strlen(pEntry->e_name.bv_val) + 1);
+ 		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ 		goto fail;
+ 	}
+ 
+-	/* Read config file */
+-	minQuality = read_config_file("minPoints");
++	if (read_config_file() == -1) {
++		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++	}
+ 
+-	useCracklib = read_config_file("useCracklib");
+-	minUpper = read_config_file("minUpper");
+-	minLower = read_config_file("minLower");
+-	minDigit = read_config_file("minDigit");
+-	minPunct = read_config_file("minPunct");
++	minQuality = get_config_entry_int("minPoints");
++	useCracklib = get_config_entry_int("useCracklib");
++	minUpper = get_config_entry_int("minUpper");
++	minLower = get_config_entry_int("minLower");
++	minDigit = get_config_entry_int("minDigit");
++	minPunct = get_config_entry_int("minPunct");
+ 
+ 	/** The password must have at least minQuality strength points with one
+ 	 * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+ 
+ 	for ( i = 0; i < nLen; i++ ) {
+ 
+-		if ( nQuality >= minQuality ) break;
+-
+ 		if ( islower (pPasswd[i]) ) {
+ 			minLower--;
+ 			if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+ 		}
+ 	}
+ 
+-	if ( nQuality < minQuality ) {
++	/*
++	 * If you have a required field, then it should be required in the strength
++	 * checks.
++	 */
++
++	if (
++		(minLower > 0 ) ||
++		(minUpper > 0 ) ||
++		(minDigit > 0 ) ||
++		(minPunct > 0 ) ||
++		(nQuality < minQuality)
++		) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_QUALITY_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 2);
++						strlen(PASSWORD_QUALITY_SZ) +
++						strlen(pEntry->e_name.bv_val) + 2);
+ 		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+-				nQuality, minQuality);
++			 nQuality, minQuality);
+ 		goto fail;
+ 	}
+ 
+@@ -306,7 +397,7 @@
+ 		for ( j = 0; j < 3; j++ ) {
+ 
+ 			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+-					CRACKLIB_DICTPATH, ext[j]);
++				  CRACKLIB_DICTPATH, ext[j]);
+ 
+ 			if (( fp = fopen ( filename, "r")) == NULL ) {
+ 
+@@ -326,9 +417,9 @@
+ 			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ 			if ( r != NULL ) {
+ 				mem_len = realloc_error_message(&szErrStr, mem_len,
+-						strlen(BAD_PASSWORD_SZ) +
+-						strlen(pEntry->e_name.bv_val) +
+-						strlen(r));
++								strlen(BAD_PASSWORD_SZ) +
++								strlen(pEntry->e_name.bv_val) +
++								strlen(r));
+ 				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ 				goto fail;
+ 			}
+@@ -342,15 +433,15 @@
+ 	}
+ 
+ #endif
+-
++	dealloc_config_entries();
+ 	*ppErrStr = strdup ("");
+ 	ber_memfree(szErrStr);
+ 	return (LDAP_SUCCESS);
+ 
+ fail:
++	dealloc_config_entries();
+ 	*ppErrStr = strdup (szErrStr);
+ 	ber_memfree(szErrStr);
+ 	return (EXIT_FAILURE);
+ 
+ }
+-
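Review bot: `dealloc_config_entries` frees `centry[i].value` but never resets it to NULL, and `config_entries` is a file-scope table rewritten by every `check_password` call, so after one call the table holds dangling pointers; if a later `read_config_file` returns early (config unreadable, `returnValue` stays -1) or a key is no longer present, `get_config_entry_int` runs `atoi` on freed memory and the next `dealloc_config_entries` double-frees, and since slapd serves binds from several threads two concurrent checks race on the same pointers. Write `ber_memfree(centry[i].value); centry[i].value = NULL;` and, better, parse into a per-call copy of the table instead of the global. The new parse loop also obtains `dealer = valid_word(word)` but never calls it (the old `returnValue = (*dealer)(value)` is gone), so `set_quality`/`set_digit`/`set_cracklib` validate nothing and a malformed `minPoints abc` yields `atoi("abc") == 0`, silently disabling the strength check instead of rejecting the config. `chomp` dereferences the `ber_memalloc` result without a NULL check, and `read_config_file ()` should be prototyped `(void)`.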
diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf
new file mode 100644
index 0000000..02c595f
--- /dev/null
+++ b/SOURCES/ldap.conf
@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+
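Review bot: The TLS commentary explains where CA certificates come from and how the cipher policy is chosen but says nothing about peer verification, which is the setting most often weakened by hand; since this file ships as the system default, add a line such as `# TLS_REQCERT defaults to 'demand' (verify the server certificate, per ldap.conf(5)); 'allow' and 'never' disable verification and should only be used for testing.` The cipher-suite comment also has a typo: `finer grinded selection` should read `finer-grained selection`.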
diff --git a/SOURCES/libexec-check-config.sh b/SOURCES/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/SOURCES/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+	retcode=0
+	tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+	if [ $? -ne 0 ]; then
+		error "Checking configuration file failed:"
+		cat $tmp_slaptest >&2
+		retcode=1
+	fi
+	rm $tmp_slaptest
+	return $retcode
+}
+
+function check_certs_perms()
+{
+	retcode=0
+	for cert in `certificates`; do
+		run_as_ldap "/usr/bin/test -e \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' was not found." "$cert"
+			retcoder=1
+			continue
+		fi
+		run_as_ldap "/usr/bin/test -r \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' is not readable." "$cert"
+			retcode=1
+		fi
+	done
+	return $retcode
+}
+
+function check_db_perms()
+{
+	retcode=0
+	for dbdir in `databases`; do
+		[ -d "$dbdir" ] || continue
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+			if [ $? -ne 0 ]; then
+				error "Read/write permissions for DB file '%s' are required." "$dbfile"
+				retcode=1
+			fi
+		done
+	done
+	return $retcode
+}
+
+function check_everything()
+{
+	retcode=0
+	check_config_syntax || retcode=1
+	# TODO: need support for Mozilla NSS, disabling temporarily
+	#check_certs_perms || retcode=1
+	check_db_perms || retcode=1
+	return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this script."
+	exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+	if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+		error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+	else
+		check_everything
+		exit $?
+	fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+	if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+		error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+	else
+		error "Warning: Usage of a configuration file is obsolete!"
+		check_everything
+		exit $?
+	fi
+fi
+
+exit 1
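Review bot: In `check_certs_perms` the missing-certificate branch sets `retcoder=1` (typo), so a missing TLS file never fails the check; it should be `retcode=1`. The function is currently commented out in `check_everything`, but the bug will surface as soon as it is re-enabled. Separately, the script is `#!/bin/sh` yet relies on bash-only syntax (`function`, `&>`): under a POSIX sh `&>$tmp_slaptest` parses as `&` followed by a redirection, backgrounding slaptest so `$?` no longer reflects its result; either use `#!/bin/bash` or write `>"$tmp_slaptest" 2>&1`. The `mktemp` result and `$tmp_slaptest` should also be quoted wherever they are used.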
diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions
new file mode 100644
index 0000000..990d2b8
--- /dev/null
+++ b/SOURCES/libexec-functions
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+	SLAPD_USER=ldap
+	SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+	SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+	SLAPD_CONFIG_CUSTOM=
+	SLAPD_GLOBAL_OPTIONS=
+	SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+	user=
+	config_file=
+	config_dir=
+	while getopts :u:f:F: opt; do
+		case "$opt" in
+		u)
+			user="$OPTARG"
+			;;
+		f)
+			config_file="$OPTARG"
+			;;
+		F)
+			config_dir="$OPTARG"
+			;;
+		esac
+	done
+
+	if [ -n "$user" ]; then
+		SLAPD_USER="$user"
+	fi
+
+	if [ -n "$config_dir" ]; then
+		SLAPD_CONFIG_DIR="$config_dir"
+		SLAPD_CONFIG_FILE=
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+	elif [ -n "$config_file" ]; then
+		SLAPD_CONFIG_DIR=
+		SLAPD_CONFIG_FILE="$config_file"
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+	fi
+}
+
+function uses_new_config()
+{
+	[ -n "$SLAPD_CONFIG_DIR" ]
+	return $?
+}
+
+function run_as_ldap()
+{
+	/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+	return $?
+}
+
+function ldif_unbreak()
+{
+	sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+	sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c \
+	-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcDbDirectory: ' | \
+		ldif_value
+}
+
+function databases_old()
+{
+	awk	'begin { database="" }
+		$1 == "database" { database=$2 }
+		$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+		ldif_value
+}
+
+function certificates_old()
+{
+	awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+	uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+	uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+	format="$1\n"; shift
+	printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+	[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+	. "$SLAPD_SYSCONFIG_FILE"
+	[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
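Review bot: `parse_config_options` stores `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` with literal single quotes, which works for `run_as_ldap` because that string is re-parsed by a shell, but `databases_new` and `certificates_new` expand `$SLAPD_GLOBAL_OPTIONS` directly in a `slapcat` argv, so slapcat receives the path with the quote characters included and fails whenever `SLAPD_OPTIONS` carries a custom `-F`/`-f`; pick one convention, e.g. keep the variable unquoted and let the `run_as_ldap` callers quote. `error()` also expands `$@` unquoted in `printf "$format" $@`, so a path containing whitespace is split across several `%s` arguments; use `"$@"`. In `databases_old` the awk pattern `begin` is lowercase, so it is an always-false variable test rather than a `BEGIN` block, harmless here but misleading.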
diff --git a/SOURCES/libexec-upgrade-db.sh b/SOURCES/libexec-upgrade-db.sh
new file mode 100755
index 0000000..1543c80
--- /dev/null
+++ b/SOURCES/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this command."
+	exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+	upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+	bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+	# skip uninitialized database
+	[ -z "$bdb_files"]  || continue
+
+	printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+	# perform the update
+	for command in \
+		"/usr/bin/db_recover -v -h \"$dbdir\"" \
+		"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+		"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+	; do
+		printf "Executing: %s\n" "$command" &>>$upgrade_log
+		run_as_ldap "$command" &>>$upgrade_log
+		result=$?
+		printf "Exit code: %d\n" $result >>"$upgrade_log"
+		if [ $result -ne 0 ]; then
+			printf "Upgrade failed: %d\n" $result
+			retcode=1
+		fi
+	done
+done
+
+exit $retcode
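Review bot: The skip test `[ -z "$bdb_files"]  || continue` is broken twice: the missing space before `]` makes `[` fail with "missing ]", so `continue` fires for every directory and nothing is ever upgraded, and even with the space the sense is inverted, since `-z` is true for an uninitialized (empty) database, which is exactly the case the comment says should be skipped. It should read `[ -n "$bdb_files" ] || continue`. The `&>>` redirections are bash-only under a `#!/bin/sh` shebang, and `$bdb_files` is built with `-printf '"%f" '` and re-parsed by a shell inside `run_as_ldap`, so a filename containing a quote would break or alter the command run as the ldap user.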
diff --git a/SOURCES/openldap-ai-addrconfig.patch b/SOURCES/openldap-ai-addrconfig.patch
new file mode 100644
index 0000000..0858fac
--- /dev/null
+++ b/SOURCES/openldap-ai-addrconfig.patch
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ 	memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+-	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ 	hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ 	hints.ai_family = ldap_int_inet4or6;
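Review bot: Replacing `#ifdef USE_AI_ADDRCONFIG` with `#ifdef AI_ADDRCONFIG` enables the flag unconditionally wherever the macro exists and drops the removed comment's caveat that it is only wanted where known to be needed; with glibc, `AI_ADDRCONFIG` excludes an address family when no non-loopback address of that family is configured, so on a host with only `lo` up (containers, early boot) resolving `ldap://localhost` or `ldap://[::1]` can fail where it previously worked. The patch title says "if defined in the environment", but the test is on the header macro, not on any build-time or runtime opt-in; if opt-in is the intent, keep a configure switch, or fall back to a second getaddrinfo without the flag when the first fails with `EAI_NONAME`/`EAI_NODATA`. `ldap_connect_to_host` continues outside the hunk.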
diff --git a/SOURCES/openldap-allop-overlay.patch b/SOURCES/openldap-allop-overlay.patch
new file mode 100644
index 0000000..608ee44
--- /dev/null
+++ b/SOURCES/openldap-allop-overlay.patch
@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1319782
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ 	translucent.c \
+ 	unique.c \
+ 	valsort.c \
+-	smbk5pwd.c
++	smbk5pwd.c \
++	allop.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ smbk5pwd.la : smbk5pwd.lo
+ 	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ 
++allop.lo : allop.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
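Review bot: The new `allop.lo` rule copies smbk5pwd's flags verbatim (`-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)`) and `allop.la` links `$(shell pkg-config openssl --libs)`, but allop (the all-operational-attributes overlay, as I understand it) contains no Samba or OpenSSL code, so this adds a needless libssl/libcrypto dependency to the module. Compile it like the other plain overlays: `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`. `$(shell …)` is also GNU-make-only; that was already true for the smbk5pwd rule, but the patch now duplicates it.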
diff --git a/SOURCES/openldap-cbinding-Add-channel-binding-support.patch b/SOURCES/openldap-cbinding-Add-channel-binding-support.patch
new file mode 100644
index 0000000..42efaee
--- /dev/null
+++ b/SOURCES/openldap-cbinding-Add-channel-binding-support.patch
@@ -0,0 +1,291 @@
+From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 26 Aug 2013 23:31:48 -0700
+Subject: [PATCH] Add channel binding support
+
+Currently only implemented for OpenSSL.
+Needs an option to set the criticality flag.
+---
+ include/ldap_pvt.h           |  1 +
+ libraries/libldap/cyrus.c    | 22 ++++++++++++++++++++++
+ libraries/libldap/ldap-int.h |  1 +
+ libraries/libldap/ldap-tls.h |  2 ++
+ libraries/libldap/tls2.c     |  7 +++++++
+ libraries/libldap/tls_g.c    |  7 +++++++
+ libraries/libldap/tls_m.c    |  7 +++++++
+ libraries/libldap/tls_o.c    | 16 ++++++++++++++++
+ servers/slapd/connection.c   |  8 ++++++++
+ servers/slapd/sasl.c         | 18 ++++++++++++++++++
+ servers/slapd/slap.h         |  1 +
+ 11 files changed, 90 insertions(+)
+
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index 716c1a90f..61c620785 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -420,6 +420,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
+ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
+ 	LDAPDN_rewrite_dummy *func, unsigned flags ));
+ LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
++LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+ 
+ LDAP_END_DECL
+ 
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 4c0089d5d..3171d56a3 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -360,6 +360,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
+ 		lc->lconn_sasl_sockctx = NULL;
+ 		lc->lconn_sasl_authctx = NULL;
+ 	}
++	if( lc->lconn_sasl_cbind ) {
++		ldap_memfree( lc->lconn_sasl_cbind );
++		lc->lconn_sasl_cbind = NULL;
++	}
+ 
+ 	return LDAP_SUCCESS;
+ }
+@@ -492,6 +496,24 @@ ldap_int_sasl_bind(
+ 
+ 			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+ 			LDAP_FREE( authid.bv_val );
++#ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */
++			{
++				char cbinding[64];
++				struct berval cbv = { sizeof(cbinding), cbinding };
++				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
++					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
++						cbv.bv_len);
++					cb->name = "ldap";
++					cb->critical = 0;
++					cb->data = (char *)(cb+1);
++					cb->len = cbv.bv_len;
++					memcpy( cb->data, cbv.bv_val, cbv.bv_len );
++					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
++						SASL_CHANNEL_BINDING, cb );
++					ld->ld_defconn->lconn_sasl_cbind = cb;
++				}
++			}
++#endif
+ 		}
+ #endif
+ 
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 98ad4dc05..397894271 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -308,6 +308,7 @@ typedef struct ldap_conn {
+ #ifdef HAVE_CYRUS_SASL
+ 	void		*lconn_sasl_authctx;	/* context for bind */
+ 	void		*lconn_sasl_sockctx;	/* for security layer */
++	void		*lconn_sasl_cbind;		/* for channel binding */
+ #endif
+ #ifdef HAVE_GSSAPI
+ 	void		*lconn_gss_ctx;		/* gss_ctx_id_t */
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index c8a27112f..0ecf81ab9 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
+ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+ typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+ typedef int (TI_session_strength)(tls_session *sess);
++typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+ 
+ typedef void (TI_thr_init)(void);
+ 
+@@ -64,6 +65,7 @@ typedef struct tls_impl {
+ 	TI_session_dn *ti_session_peer_dn;
+ 	TI_session_chkhost *ti_session_chkhost;
+ 	TI_session_strength *ti_session_strength;
++	TI_session_unique *ti_session_unique;
+ 
+ 	Sockbuf_IO *ti_sbio;
+ 
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 82ca5272c..13d734362 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1013,6 +1013,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
+ 		rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
+ 	return rc;
+ }
++
++int
++ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
++{
++	tls_session *session = s;
++	return tls_imp->ti_session_unique( session, buf, is_server );
++}
+ #endif /* HAVE_TLS */
+ 
+ int
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index 3b72cd2a1..b78c12086 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -669,6 +669,12 @@ tlsg_session_strength( tls_session *session )
+ 	return gnutls_cipher_get_key_size( c ) * 8;
+ }
+ 
++static int
++tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++	return 0;
++}
++
+ /* suites is a string of colon-separated cipher suite names. */
+ static int
+ tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
+@@ -925,6 +931,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsg_session_peer_dn,
+ 	tlsg_session_chkhost,
+ 	tlsg_session_strength,
++	tlsg_session_unique,
+ 
+ 	&tlsg_sbio,
+ 
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 43fbae4bc..c64f4c176 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2874,6 +2874,12 @@ tlsm_session_strength( tls_session *session )
+ 	return rc ? 0 : keySize;
+ }
+ 
++static int
++tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++	return 0;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -3302,6 +3308,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsm_session_peer_dn,
+ 	tlsm_session_chkhost,
+ 	tlsm_session_strength,
++	tlsm_session_unique,
+ 
+ 	&tlsm_sbio,
+ 
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index a13f11fb5..f741a461f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -846,6 +846,21 @@ tlso_session_strength( tls_session *sess )
+ 	return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
+ }
+ 
++static int
++tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++	tlso_session *s = (tlso_session *)sess;
++
++	/* Usually the client sends the finished msg. But if the
++	 * session was resumed, the server sent the msg.
++	 */
++	if (SSL_session_reused(s) ^ !is_server)
++		buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
++	else
++		buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
++	return buf->bv_len;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -1363,6 +1378,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlso_session_peer_dn,
+ 	tlso_session_chkhost,
+ 	tlso_session_strength,
++	tlso_session_unique,
+ 
+ 	&tlso_sbio,
+ 
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index 44c3fc63d..0602fdceb 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -406,6 +406,7 @@ Connection * connection_init(
+ 		c->c_sasl_sockctx = NULL;
+ 		c->c_sasl_extra = NULL;
+ 		c->c_sasl_bindop = NULL;
++		c->c_sasl_cbind = NULL;
+ 
+ 		c->c_sb = ber_sockbuf_alloc( );
+ 
+@@ -451,6 +452,7 @@ Connection * connection_init(
+ 	assert( c->c_sasl_sockctx == NULL );
+ 	assert( c->c_sasl_extra == NULL );
+ 	assert( c->c_sasl_bindop == NULL );
++	assert( c->c_sasl_cbind == NULL );
+ 	assert( c->c_currentber == NULL );
+ 	assert( c->c_writewaiter == 0);
+ 	assert( c->c_writers == 0);
+@@ -1428,6 +1430,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
+ 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+ 			slap_sasl_external( c, c->c_tls_ssf, &authid );
+ 			if ( authid.bv_val ) free( authid.bv_val );
++			{
++				char cbinding[64];
++				struct berval cbv = { sizeof(cbinding), cbinding };
++				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
++					slap_sasl_cbinding( c, &cbv );
++			}
+ 		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+ 			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */
+ 			slapd_set_write( s, 1 );
+diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
+index 5144170d1..258cd5407 100644
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1389,6 +1389,21 @@ int slap_sasl_external(
+ 	return LDAP_SUCCESS;
+ }
+ 
++int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
++{
++#ifdef SASL_CHANNEL_BINDING
++	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
++	cb->name = "ldap";
++	cb->critical = 0;
++	cb->data = (char *)(cb+1);
++	cb->len = cbv->bv_len;
++	memcpy( cb->data, cbv->bv_val, cbv->bv_len );
++	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
++	conn->c_sasl_cbind = cb;
++#endif
++	return LDAP_SUCCESS;
++}
++
+ int slap_sasl_reset( Connection *conn )
+ {
+ 	return LDAP_SUCCESS;
+@@ -1454,6 +1469,9 @@ int slap_sasl_close( Connection *conn )
+ 	free( conn->c_sasl_extra );
+ 	conn->c_sasl_extra = NULL;
+ 
++	free( conn->c_sasl_cbind );
++	conn->c_sasl_cbind = NULL;
++
+ #elif defined(SLAP_BUILTIN_SASL)
+ 	SASL_CTX *ctx = conn->c_sasl_authctx;
+ 	if( ctx ) {
+diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
+index 7581967be..ad797d752 100644
+--- a/servers/slapd/slap.h
++++ b/servers/slapd/slap.h
+@@ -2910,6 +2910,7 @@ struct Connection {
+ 	void	*c_sasl_authctx;	/* SASL authentication context */
+ 	void	*c_sasl_sockctx;	/* SASL security layer context */
+ 	void	*c_sasl_extra;		/* SASL session extra stuff */
++	void	*c_sasl_cbind;		/* SASL channel binding */
+ 	Operation	*c_sasl_bindop;	/* set to current op if it's a bind */
+ 
+ #ifdef LDAP_X_TXN
+-- 
+2.29.2
+
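Review bot: `tlso_session_unique` derives the binding from the TLS Finished message (`SSL_get_finished`/`SSL_get_peer_finished`, i.e. tls-unique) with no check that the session negotiated the extended master secret or is below TLS 1.3; without EMS (RFC 7627) tls-unique is defeated by the triple-handshake attack, and for TLS 1.3 a Finished-based value is, as I understand RFC 8446, not a defined binding type (tls-exporter, RFC 9266, replaces it), so with OpenSSL 1.1.1 a 1.3 session silently gets a binding of undefined meaning. Guard it with something like `if (SSL_version(s) >= TLS1_3_VERSION || !SSL_get_extms_support(s)) return 0;` (availability of those calls depends on the OpenSSL version) so that no binding is set rather than a weak one. In the cyrus.c hunk, `ldap_memalloc( sizeof(*cb) + cbv.bv_len )` is dereferenced without a NULL check, both that site and `slap_sasl_cbinding` ignore the `sasl_setprop` return value, and `slap_sasl_cbinding` passes `conn->c_sasl_authctx` straight through without the NULL guard that, if I read the surrounding code correctly, `slap_sasl_external` applies to the same pointer (that function's body is outside the hunk). With `cb->critical = 0` everywhere, as the commit message concedes, a peer that strips channel binding is not detected; that limitation deserves a TODO at the `critical` assignments, not only in the commit text.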
diff --git a/SOURCES/openldap-cbinding-Convert-test077-to-LDIF-config.patch b/SOURCES/openldap-cbinding-Convert-test077-to-LDIF-config.patch
new file mode 100644
index 0000000..5ca02fb
--- /dev/null
+++ b/SOURCES/openldap-cbinding-Convert-test077-to-LDIF-config.patch
@@ -0,0 +1,236 @@
+From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Mon, 27 Apr 2020 23:24:16 -0700
+Subject: [PATCH] Convert test077 to LDIF config
+
+---
+ tests/data/slapd-sasl-gssapi.conf |  65 ------------------
+ tests/scripts/defines.sh          |   1 -
+ tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++--
+ 3 files changed, 103 insertions(+), 71 deletions(-)
+ delete mode 100644 tests/data/slapd-sasl-gssapi.conf
+
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+deleted file mode 100644
+index 611fc7097..000000000
+--- a/tests/data/slapd-sasl-gssapi.conf
++++ /dev/null
+@@ -1,65 +0,0 @@
+-# stand-alone slapd config -- for testing (with indexing)
+-# $OpenLDAP$
+-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+-##
+-## Copyright 1998-2020 The OpenLDAP Foundation.
+-## All rights reserved.
+-##
+-## Redistribution and use in source and binary forms, with or without
+-## modification, are permitted only as authorized by the OpenLDAP
+-## Public License.
+-##
+-## A copy of this license is available in the file LICENSE in the
+-## top-level directory of the distribution or, alternatively, at
+-## <http://www.OpenLDAP.org/license.html>.
+-
+-#
+-include		@SCHEMADIR@/core.schema
+-include		@SCHEMADIR@/cosine.schema
+-#
+-include		@SCHEMADIR@/corba.schema
+-include		@SCHEMADIR@/java.schema
+-include		@SCHEMADIR@/inetorgperson.schema
+-include		@SCHEMADIR@/misc.schema
+-include		@SCHEMADIR@/nis.schema
+-include		@SCHEMADIR@/openldap.schema
+-#
+-include		@SCHEMADIR@/duaconf.schema
+-include		@SCHEMADIR@/dyngroup.schema
+-
+-#
+-pidfile		@TESTDIR@/slapd.1.pid
+-argsfile	@TESTDIR@/slapd.1.args
+-
+-# SSL configuration
+-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
+-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
+-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
+-
+-#
+-rootdse 	@DATADIR@/rootdse.ldif
+-
+-#mod#modulepath	../servers/slapd/back-@BACKEND@/
+-#mod#moduleload	back_@BACKEND@.la
+-#monitormod#modulepath ../servers/slapd/back-monitor/
+-#monitormod#moduleload back_monitor.la
+-
+-
+-#######################################################################
+-# database definitions
+-#######################################################################
+-
+-database	@BACKEND@
+-suffix          "dc=example,dc=com"
+-rootdn          "cn=Manager,dc=example,dc=com"
+-rootpw          secret
+-#~null~#directory	@TESTDIR@/db.1.a
+-#indexdb#index		objectClass eq
+-#indexdb#index		mail eq
+-#ndb#dbname db_1_a
+-#ndb#include @DATADIR@/ndb.conf
+-
+-#monitor#database	monitor
+-
+-sasl-realm	@KRB5REALM@
+-sasl-host	localhost
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 78dc1f8ae..76c85b442 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
+ TLSCONF=$DATADIR/slapd-tls.conf
+ TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
+-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index bde9006ca..322df60a4 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
+         exit 0
+ fi
+ 
+-mkdir -p $TESTDIR $DBDIR1
++CONFDIR=$TESTDIR/slapd.d
++CONFLDIF=$TESTDIR/slapd.ldif
++
++mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+ cp -r $DATADIR/tls $TESTDIR
++$SLAPPASSWD -g -n >$CONFIGPWF
+ 
+ echo "Starting KDC for SASL/GSSAPI tests..."
+ . $SRCDIR/scripts/setup_kdc.sh
+ 
+-echo "Running slapadd to build slapd database..."
+-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPADD -f $CONF1 -l $LDIFORDERED
++echo "Configuring slapd..."
++cat > $CONFLDIF <<EOF
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcSaslHost: localhost
++olcSaslRealm: $KRB5REALM
++olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
++olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
++olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
++
++dn: cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: schema
++
++include: file://$ABS_SCHEMADIR/core.ldif
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://$TESTDIR/configpw
++
++EOF
++$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
+ RC=$?
+ if test $RC != 0 ; then
+ 	echo "slapadd failed ($RC)!"
+@@ -38,7 +63,7 @@ if test $RC != 0 ; then
+ fi
+ 
+ echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+ PID=$!
+ if test $WAIT != 0 ; then
+     echo PID $PID
+@@ -141,6 +166,79 @@ else
+ 	fi
+ fi
+ 
++if test $WITH_TLS = no ; then
++        echo "TLS support not available, skipping channe-binding test"
++elif test $HAVE_SASL_GSS_CBIND = no ; then
++        echo "SASL has no channel-binding support in GSSAPI, test skipped"
++else
++	echo "Testing SASL/GSSAPI with SASL_CBINDING..."
++
++	for acb in "none" "tls-unique" "tls-endpoint" ; do
++
++		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
++		$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
++dn: cn=config
++changetype: modify
++replace: olcSaslCBinding
++olcSaslCBinding: ${acb}
++EOF
++		RC=$?
++		if test $RC != 0 ; then
++			echo "ldapmodify failed ($RC)!"
++			kill $KDCPROC
++			test $KILLSERVERS != no && kill -HUP $KILLPIDS
++			exit $RC
++		fi
++
++		for icb in "none" "tls-unique" "tls-endpoint" ; do
++
++			# The gnutls implemantation of "tls-unique" seems broken
++			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
++				if test $WITH_TLS_TYPE == gnutls  ; then
++					continue
++				fi
++			fi
++
++			fail="no"
++			if test $icb != $acb -a $acb != "none" ; then
++				# This currently fails in MIT, but it is planned to be
++				# fixed not to fail like in heimdal - avoid testing.
++				if test $icb = "none" ; then
++					continue
++				fi
++				# Otherwise unmatching bindings are expected to fail.
++				fail="yes"
++			fi
++
++			echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
++			echo -ne "(client: ${icb},\tserver: ${acb}): "
++
++			$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
++			-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++			-o SASL_CBINDING=$icb > $TESTOUT 2>&1
++
++			RC=$?
++			if test $RC != 0 ; then
++				if test $fail = "no" ; then
++					echo "test failed ($RC)!"
++					kill $KDCPROC
++					test $KILLSERVERS != no && kill -HUP $KILLPIDS
++					exit $RC
++				fi
++			elif test $fail = "yes" ; then
++				echo "failed: command succeeded unexpectedly."
++				kill $KDCPROC
++				test $KILLSERVERS != no && kill -HUP $KILLPIDS
++				exit 1
++			fi
++
++			echo "success"
++			RC=0
++		done
++	done
++fi
++
++
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ 
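Review bot: The gnutls skip for the tls-unique rows uses `test $WITH_TLS_TYPE == gnutls`, which is a bash extension; under a POSIX sh `test` reports an unexpected operator and exits non-zero, so the `continue` never fires and the combinations the comment calls broken are run (and fail) on gnutls builds. Use the form the rest of the script already uses: `if test $WITH_TLS_TYPE = gnutls ; then`. The `echo -n` / `echo -ne` lines have the same portability problem and would be safer as printf. The `olcRootPW:< file://$TESTDIR/configpw` line assumes CONFIGPWF resolves to exactly that path — it is defined outside this hunk, so I can't confirm. The skip message also misspells "channel-binding".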
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-Fix-slaptest-in-test077.patch b/SOURCES/openldap-cbinding-Fix-slaptest-in-test077.patch
new file mode 100644
index 0000000..0e93108
--- /dev/null
+++ b/SOURCES/openldap-cbinding-Fix-slaptest-in-test077.patch
@@ -0,0 +1,39 @@
+From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Sun, 26 Apr 2020 11:40:23 -0700
+Subject: [PATCH] Fix slaptest in test077
+
+The libtool wrapper scripts lose argv[0] when exec'ing the real binary.
+
+In the CI Docker container, where the build runs as root, this was
+actually starting a real slapd on the default port.
+
+Outside Docker, running as a non-root user, this slapd would just fail
+to start, and wouldn't convert the config either.
+
+Using "slapd -Tt" fixes the issue but also prints a warning from
+slaptest since the database hasn't been initialized yet.
+
+Dynamic config isn't actually used in this test script, so let's just
+run slapd off the config file directly.
+---
+ tests/scripts/test077-sasl-gssapi | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 64abe16fe..bde9006ca 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -24,9 +24,6 @@ fi
+ mkdir -p $TESTDIR $DBDIR1
+ cp -r $DATADIR/tls $TESTDIR
+ 
+-cd $TESTWD
+-
+-
+ echo "Starting KDC for SASL/GSSAPI tests..."
+ . $SRCDIR/scripts/setup_kdc.sh
+ 
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch b/SOURCES/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
new file mode 100644
index 0000000..b38dd83
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
@@ -0,0 +1,220 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 10 Sep 2013 04:26:51 -0700
+Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
+
+retrieve peer cert for an active TLS session
+---
+ doc/man/man3/ldap_get_option.3 |  8 ++++++++
+ include/ldap.h                 |  1 +
+ libraries/libldap/ldap-tls.h   |  2 ++
+ libraries/libldap/tls2.c       | 24 ++++++++++++++++++++++++
+ libraries/libldap/tls_g.c      | 19 +++++++++++++++++++
+ libraries/libldap/tls_m.c      | 17 +++++++++++++++++
+ libraries/libldap/tls_o.c      | 16 ++++++++++++++++
+ 7 files changed, 87 insertions(+)
+
+diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
+index eb3f25b33..7546875f5 100644
+--- a/doc/man/man3/ldap_get_option.3
++++ b/doc/man/man3/ldap_get_option.3
+@@ -744,6 +744,14 @@ A non-zero value pointed to by
+ .BR invalue
+ tells the library to create a context for a server.
+ .TP
++.B LDAP_OPT_X_TLS_PEERCERT
++Gets the peer's certificate in DER format from an established TLS session.
++.BR outvalue
++must be
++.BR "struct berval *" ,
++and the data it returns needs to be freed by the caller using
++.BR ldap_memfree (3).
++.TP
+ .B LDAP_OPT_X_TLS_PROTOCOL_MIN
+ Sets/gets the minimum protocol version.
+ .BR invalue
+diff --git a/include/ldap.h b/include/ldap.h
+index 389441031..88bfcabf8 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
+ #define LDAP_OPT_X_TLS_ECNAME		0x6012
+ #define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a
++#define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */
+ 
+ #define LDAP_OPT_X_TLS_NEVER	0
+ #define LDAP_OPT_X_TLS_HARD		1
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index 0ecf81ab9..103004fa7 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+ typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+ typedef int (TI_session_strength)(tls_session *sess);
+ typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
++typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
+ 
+ typedef void (TI_thr_init)(void);
+ 
+@@ -66,6 +67,7 @@ typedef struct tls_impl {
+ 	TI_session_chkhost *ti_session_chkhost;
+ 	TI_session_strength *ti_session_strength;
+ 	TI_session_unique *ti_session_unique;
++	TI_session_peercert *ti_session_peercert;
+ 
+ 	Sockbuf_IO *ti_sbio;
+ 
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 13d734362..ad09ba39b 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -705,6 +705,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 	case LDAP_OPT_X_TLS_CONNECT_ARG:
+ 		*(void **)arg = lo->ldo_tls_connect_arg;
+ 		break;
++	case LDAP_OPT_X_TLS_PEERCERT: {
++		void *sess = NULL;
++		struct berval *bv = arg;
++		bv->bv_len = 0;
++		bv->bv_val = NULL;
++		if ( ld != NULL ) {
++			LDAPConn *conn = ld->ld_defconn;
++			if ( conn != NULL ) {
++				Sockbuf *sb = conn->lconn_sb;
++				sess = ldap_pvt_tls_sb_ctx( sb );
++				if ( sess != NULL )
++					return ldap_pvt_tls_get_peercert( sess, bv );
++			}
++		}
++		break;
++	}
++
+ 	default:
+ 		return -1;
+ 	}
+@@ -1020,6 +1037,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
+ 	tls_session *session = s;
+ 	return tls_imp->ti_session_unique( session, buf, is_server );
+ }
++
++int
++ldap_pvt_tls_get_peercert( void *s, struct berval *der )
++{
++	tls_session *session = s;
++	return tls_imp->ti_session_peercert( session, der );
++}
+ #endif /* HAVE_TLS */
+ 
+ int
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index b78c12086..26d9f99ce 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -675,6 +675,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return 0;
+ }
+ 
++static int
++tlsg_session_peercert( tls_session *sess, struct berval *der )
++{
++	tlsg_session *s = (tlsg_session *)sess;
++	const gnutls_datum_t *peer_cert_list;
++	unsigned int list_size;
++
++	peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
++	if (!peer_cert_list)
++		return -1;
++	der->bv_len = peer_cert_list[0].size;
++	der->bv_val = LDAP_MALLOC( der->bv_len );
++	if (!der->bv_val)
++		return -1;
++	memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
++	return 0;
++}
++
+ /* suites is a string of colon-separated cipher suite names. */
+ static int
+ tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
+@@ -932,6 +950,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsg_session_chkhost,
+ 	tlsg_session_strength,
+ 	tlsg_session_unique,
++	tlsg_session_peercert,
+ 
+ 	&tlsg_sbio,
+ 
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index c64f4c176..d35a803de 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2880,6 +2880,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return 0;
+ }
+ 
++static int
++tlsm_session_peercert( tls_session *sess, struct berval *der )
++{
++	tlsm_session *s = (tlsm_session *)sess;
++	CERTCertificate *cert;
++	cert = SSL_PeerCertificate( s );
++	if (!cert)
++		return -1;
++	der->bv_len = cert->derCert.len;
++	der->bv_val = LDAP_MALLOC( der->bv_len );
++	if (!der->bv_val)
++		return -1;
++	memcpy( der->bv_val, cert->derCert.data, der->bv_len );
++	return 0;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -3309,6 +3325,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsm_session_chkhost,
+ 	tlsm_session_strength,
+ 	tlsm_session_unique,
++	tlsm_session_peercert,
+ 
+ 	&tlsm_sbio,
+ 
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f741a461f..157923289 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -861,6 +861,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return buf->bv_len;
+ }
+ 
++static int
++tlso_session_peercert( tls_session *sess, struct berval *der )
++{
++	tlso_session *s = (tlso_session *)sess;
++	unsigned char *ptr;
++	X509 *x = SSL_get_peer_certificate(s);
++	der->bv_len = i2d_X509(x, NULL);
++	der->bv_val = LDAP_MALLOC(der->bv_len);
++	if ( !der->bv_val )
++		return -1;
++	ptr = der->bv_val;
++	i2d_X509(x, &ptr);
++	return 0;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
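Review bot: tlso_session_peercert dereferences the result of SSL_get_peer_certificate without a NULL check, so when the peer presented no certificate (a client that sent none, or an anonymous suite) i2d_X509(NULL, NULL) is reached, and a negative i2d_X509 return lands in the unsigned bv_len before LDAP_MALLOC. SSL_get_peer_certificate also returns a referenced X509 the caller must X509_free, so every successful call leaks one reference; the NSS variant has the same shape, its SSL_PeerCertificate result is never released with CERT_DestroyCertificate. I would guard and release as below; the gnutls backend already handles the no-certificate case, so only the OpenSSL and NSS backends need the change.
```c
static int
tlso_session_peercert( tls_session *sess, struct berval *der )
{
	tlso_session *s = (tlso_session *)sess;
	unsigned char *ptr;
	int len;
	X509 *x = SSL_get_peer_certificate(s);
	if ( !x )
		return -1;
	len = i2d_X509(x, NULL);
	if ( len <= 0 ) {
		X509_free(x);
		return -1;
	}
	der->bv_len = len;
	der->bv_val = LDAP_MALLOC(der->bv_len);
	if ( !der->bv_val ) {
		X509_free(x);
		return -1;
	}
	ptr = der->bv_val;
	i2d_X509(x, &ptr);
	X509_free(x);	/* SSL_get_peer_certificate took a reference */
	return 0;
}
```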
+@@ -1379,6 +1394,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlso_session_chkhost,
+ 	tlso_session_strength,
+ 	tlso_session_unique,
++	tlso_session_peercert,
+ 
+ 	&tlso_sbio,
+ 
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch b/SOURCES/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
new file mode 100644
index 0000000..404c4a4
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
@@ -0,0 +1,70 @@
+From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
+Date: Fri, 15 Jun 2018 15:12:28 +0100
+Subject: [PATCH] ITS#8573 Add missing URI variables for tests
+
+---
+ tests/scripts/conf.sh    | 18 ++++++++++++++++++
+ tests/scripts/defines.sh |  7 +++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
+index 9a33d88e9..2a859d89d 100755
+--- a/tests/scripts/conf.sh
++++ b/tests/scripts/conf.sh
+@@ -74,6 +74,24 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
+ 	-e "s;@PORT4@;${PORT4};"			\
+ 	-e "s;@PORT5@;${PORT5};"			\
+ 	-e "s;@PORT6@;${PORT6};"			\
++	-e "s;@SURI1@;${SURI1};"			\
++	-e "s;@SURI2@;${SURI2};"			\
++	-e "s;@SURI3@;${SURI3};"			\
++	-e "s;@SURI4@;${SURI4};"			\
++	-e "s;@SURI5@;${SURI5};"			\
++	-e "s;@SURI6@;${SURI6};"			\
++	-e "s;@URIP1@;${URIP1};"			\
++	-e "s;@URIP2@;${URIP2};"			\
++	-e "s;@URIP3@;${URIP3};"			\
++	-e "s;@URIP4@;${URIP4};"			\
++	-e "s;@URIP5@;${URIP5};"			\
++	-e "s;@URIP6@;${URIP6};"			\
++	-e "s;@SURIP1@;${SURIP1};"			\
++	-e "s;@SURIP2@;${SURIP2};"			\
++	-e "s;@SURIP3@;${SURIP3};"			\
++	-e "s;@SURIP4@;${SURIP4};"			\
++	-e "s;@SURIP5@;${SURIP5};"			\
++	-e "s;@SURIP6@;${SURIP6};"			\
+ 	-e "s/@SASL_MECH@/${SASL_MECH}/"		\
+ 	-e "s;@TESTDIR@;${TESTDIR};"			\
+ 	-e "s;@TESTWD@;${TESTWD};"			\
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 8f7c7b853..26dab1bae 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -221,16 +221,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
+ URI3="ldap://${LOCALHOST}:$PORT3/"
+ URIP3="ldap://${LOCALIP}:$PORT3/"
+ URI4="ldap://${LOCALHOST}:$PORT4/"
++URIP4="ldap://${LOCALIP}:$PORT4/"
+ URI5="ldap://${LOCALHOST}:$PORT5/"
++URIP5="ldap://${LOCALIP}:$PORT5/"
+ URI6="ldap://${LOCALHOST}:$PORT6/"
++URIP6="ldap://${LOCALIP}:$PORT6/"
+ SURI1="ldaps://${LOCALHOST}:$PORT1/"
+ SURIP1="ldaps://${LOCALIP}:$PORT1/"
+ SURI2="ldaps://${LOCALHOST}:$PORT2/"
+ SURIP2="ldaps://${LOCALIP}:$PORT2/"
+ SURI3="ldaps://${LOCALHOST}:$PORT3/"
++SURIP3="ldaps://${LOCALIP}:$PORT3/"
+ SURI4="ldaps://${LOCALHOST}:$PORT4/"
++SURIP4="ldaps://${LOCALIP}:$PORT4/"
+ SURI5="ldaps://${LOCALHOST}:$PORT5/"
++SURIP5="ldaps://${LOCALIP}:$PORT5/"
+ SURI6="ldaps://${LOCALHOST}:$PORT6/"
++SURIP6="ldaps://${LOCALIP}:$PORT6/"
+ 
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch b/SOURCES/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
new file mode 100644
index 0000000..e9f5172
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
@@ -0,0 +1,2108 @@
+From eb087e0861f207858a4e08c72836a86f26d9701c Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount <quanah@openldap.org>
+Date: Thu, 14 Jun 2018 16:12:59 +0100
+Subject: [PATCH] ITS#8573 TLS option test suite
+
+---
+ configure                                     |   4 +
+ configure.in                                  |   4 +
+ tests/data/slapd-tls-sasl.conf                |  65 ++
+ tests/data/slapd-tls.conf                     |  61 ++
+ tests/data/tls/ca/certs/testsuiteCA.crt       |  16 +
+ tests/data/tls/ca/private/testsuiteCA.key     |  16 +
+ .../tls/certs/bjensen@mailgw.example.com.crt  |  16 +
+ tests/data/tls/certs/localhost.crt            |  16 +
+ tests/data/tls/conf/openssl.cnf               | 129 ++++
+ tests/data/tls/create-crt.sh                  |  78 +++
+ .../private/bjensen@mailgw.example.com.key    |  16 +
+ tests/data/tls/private/localhost.key          |  16 +
+ tests/run.in                                  |   3 +-
+ tests/scripts/defines.sh                      |  21 +-
+ tests/scripts/test067-tls                     | 140 +++++
+ tests/scripts/test068-sasl-tls-external       | 102 ++++
+ .../test069-delta-multimaster-starttls        | 574 ++++++++++++++++++
+ tests/scripts/test070-delta-multimaster-ldaps | 571 +++++++++++++++++
+ 18 files changed, 1846 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/slapd-tls-sasl.conf
+ create mode 100644 tests/data/slapd-tls.conf
+ create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt
+ create mode 100644 tests/data/tls/ca/private/testsuiteCA.key
+ create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt
+ create mode 100644 tests/data/tls/certs/localhost.crt
+ create mode 100644 tests/data/tls/conf/openssl.cnf
+ create mode 100755 tests/data/tls/create-crt.sh
+ create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key
+ create mode 100644 tests/data/tls/private/localhost.key
+ create mode 100755 tests/scripts/test067-tls
+ create mode 100755 tests/scripts/test068-sasl-tls-external
+ create mode 100755 tests/scripts/test069-delta-multimaster-starttls
+ create mode 100755 tests/scripts/test070-delta-multimaster-ldaps
+
+diff --git a/configure b/configure
+index e87850ec2..e8a720961 100755
+--- a/configure
++++ b/configure
+@@ -758,6 +758,7 @@ AUTH_LIBS
+ LIBSLAPI
+ SLAPI_LIBS
+ MODULES_LIBS
++WITH_TLS_TYPE
+ TLS_LIBS
+ SASL_LIBS
+ KRB5_LIBS
+@@ -5133,6 +5134,7 @@ KRB4_LIBS=
+ KRB5_LIBS=
+ SASL_LIBS=
+ TLS_LIBS=
++WITH_TLS_TYPE=
+ MODULES_LIBS=
+ SLAPI_LIBS=
+ LIBSLAPI=
+@@ -15582,6 +15584,7 @@ fi
+ 		if test $have_openssl = yes ; then
+ 			ol_with_tls=openssl
+ 			ol_link_tls=yes
++			WITH_TLS_TYPE=openssl
+ 
+ 
+ $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
+@@ -15716,6 +15719,7 @@ fi
+ 			if test $have_gnutls = yes ; then
+ 				ol_with_tls=gnutls
+ 				ol_link_tls=yes
++				WITH_TLS_TYPE=gnutls
+ 
+ 				TLS_LIBS="-lgnutls"
+ 
+diff --git a/configure.in b/configure.in
+index 0c7c0a9ee..cf143d9bf 100644
+--- a/configure.in
++++ b/configure.in
+@@ -592,6 +592,7 @@ KRB4_LIBS=
+ KRB5_LIBS=
+ SASL_LIBS=
+ TLS_LIBS=
++WITH_TLS_TYPE=
+ MODULES_LIBS=
+ SLAPI_LIBS=
+ LIBSLAPI=
+@@ -1186,6 +1187,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
+ 		if test $have_openssl = yes ; then
+ 			ol_with_tls=openssl
+ 			ol_link_tls=yes
++			WITH_TLS_TYPE=openssl
+ 
+ 			AC_DEFINE(HAVE_OPENSSL, 1, 
+ 				[define if you have OpenSSL])
+@@ -1226,6 +1228,7 @@ if test $ol_link_tls = no ; then
+ 			if test $have_gnutls = yes ; then
+ 				ol_with_tls=gnutls
+ 				ol_link_tls=yes
++				WITH_TLS_TYPE=gnutls
+ 
+ 				TLS_LIBS="-lgnutls"
+ 
+@@ -3163,6 +3166,7 @@ AC_SUBST(KRB4_LIBS)
+ AC_SUBST(KRB5_LIBS)
+ AC_SUBST(SASL_LIBS)
+ AC_SUBST(TLS_LIBS)
++AC_SUBST(WITH_TLS_TYPE)
+ AC_SUBST(MODULES_LIBS)
+ AC_SUBST(SLAPI_LIBS)
+ AC_SUBST(LIBSLAPI)
+diff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.conf
+new file mode 100644
+index 000000000..f4bb0773e
+--- /dev/null
++++ b/tests/data/slapd-tls-sasl.conf
+@@ -0,0 +1,65 @@
++# stand-alone slapd config -- for testing (with indexing)
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2017 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++#
++include		@SCHEMADIR@/core.schema
++include		@SCHEMADIR@/cosine.schema
++#
++include		@SCHEMADIR@/corba.schema
++include		@SCHEMADIR@/java.schema
++include		@SCHEMADIR@/inetorgperson.schema
++include		@SCHEMADIR@/misc.schema
++include		@SCHEMADIR@/nis.schema
++include		@SCHEMADIR@/openldap.schema
++#
++include		@SCHEMADIR@/duaconf.schema
++include		@SCHEMADIR@/dyngroup.schema
++include		@SCHEMADIR@/ppolicy.schema
++
++#
++pidfile		@TESTDIR@/slapd.1.pid
++argsfile	@TESTDIR@/slapd.1.args
++
++# SSL configuration
++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
++TLSVerifyClient hard
++
++#
++rootdse 	@DATADIR@/rootdse.ldif
++
++#mod#modulepath	../servers/slapd/back-@BACKEND@/
++#mod#moduleload	back_@BACKEND@.la
++#monitormod#modulepath ../servers/slapd/back-monitor/
++#monitormod#moduleload back_monitor.la
++
++authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)
++
++#######################################################################
++# database definitions
++#######################################################################
++
++database	@BACKEND@
++suffix          "dc=example,dc=com"
++rootdn          "cn=Manager,dc=example,dc=com"
++rootpw          secret
++#~null~#directory	@TESTDIR@/db.1.a
++#indexdb#index		objectClass eq
++#indexdb#index		mail eq
++#ndb#dbname db_1_a
++#ndb#include @DATADIR@/ndb.conf
++
++#monitor#database	monitor
+diff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.conf
+new file mode 100644
+index 000000000..6a7785557
+--- /dev/null
++++ b/tests/data/slapd-tls.conf
+@@ -0,0 +1,61 @@
++# stand-alone slapd config -- for testing (with indexing)
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2017 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++#
++include		@SCHEMADIR@/core.schema
++include		@SCHEMADIR@/cosine.schema
++#
++include		@SCHEMADIR@/corba.schema
++include		@SCHEMADIR@/java.schema
++include		@SCHEMADIR@/inetorgperson.schema
++include		@SCHEMADIR@/misc.schema
++include		@SCHEMADIR@/nis.schema
++include		@SCHEMADIR@/openldap.schema
++#
++include		@SCHEMADIR@/duaconf.schema
++include		@SCHEMADIR@/dyngroup.schema
++include		@SCHEMADIR@/ppolicy.schema
++
++#
++pidfile		@TESTDIR@/slapd.1.pid
++argsfile	@TESTDIR@/slapd.1.args
++
++# SSL configuration
++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
++
++#
++rootdse 	@DATADIR@/rootdse.ldif
++
++#mod#modulepath	../servers/slapd/back-@BACKEND@/
++#mod#moduleload	back_@BACKEND@.la
++#monitormod#modulepath ../servers/slapd/back-monitor/
++#monitormod#moduleload back_monitor.la
++
++#######################################################################
++# database definitions
++#######################################################################
++
++database	@BACKEND@
++suffix          "dc=example,dc=com"
++rootdn          "cn=Manager,dc=example,dc=com"
++rootpw          secret
++#~null~#directory	@TESTDIR@/db.1.a
++#indexdb#index		objectClass eq
++#indexdb#index		mail eq
++#ndb#dbname db_1_a
++#ndb#include @DATADIR@/ndb.conf
++
++#monitor#database	monitor
+diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
+new file mode 100644
+index 000000000..7458e7461
+--- /dev/null
++++ b/tests/data/tls/ca/certs/testsuiteCA.crt
+@@ -0,0 +1,16 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
+new file mode 100644
+index 000000000..2e14d7033
+--- /dev/null
++++ b/tests/data/tls/ca/private/testsuiteCA.key
+@@ -0,0 +1,16 @@
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+new file mode 100644
+index 000000000..93e3a0d39
+--- /dev/null
++++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+@@ -0,0 +1,16 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
+new file mode 100644
+index 000000000..194cb119d
+--- /dev/null
++++ b/tests/data/tls/certs/localhost.crt
+@@ -0,0 +1,16 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
+new file mode 100644
+index 000000000..a3c8ad9f6
+--- /dev/null
++++ b/tests/data/tls/conf/openssl.cnf
+@@ -0,0 +1,129 @@
++HOME                    = .
++RANDFILE                = $ENV::HOME/.rnd
++
++oid_section             = new_oids
++
++[ new_oids ]
++tsa_policy1 = 1.2.3.4.1
++tsa_policy2 = 1.2.3.4.5.6
++tsa_policy3 = 1.2.3.4.5.7
++
++[ ca ]
++default_ca      = CA_default            # The default ca section
++
++[ CA_default ]
++
++dir             = ./cruft		# Where everything is kept
++certs           = $dir/certs            # Where the issued certs are kept
++crl_dir         = $dir/crl              # Where the issued crl are kept
++database        = $dir/index.txt        # database index file.
++new_certs_dir   = $dir/certs         # default place for new certs.
++certificate     = $dir/cacert.pem       # The CA certificate
++serial          = $dir/serial           # The current serial number
++crlnumber       = $dir/crlnumber        # the current crl number
++crl             = $dir/crl.pem          # The current CRL
++private_key     = $dir/private/cakey.pem# The private key
++RANDFILE        = $dir/private/.rand    # private random number file
++x509_extensions = usr_cert              # The extentions to add to the cert
++name_opt        = ca_default            # Subject Name options
++cert_opt        = ca_default            # Certificate field options
++default_days    = 365                   # how long to certify for
++default_crl_days= 30                    # how long before next CRL
++default_md      = default               # use public key default MD
++preserve        = no                    # keep passed DN ordering
++policy          = policy_match
++
++[ policy_match ]
++countryName             = match
++stateOrProvinceName     = match
++organizationName        = match
++organizationalUnitName  = optional
++commonName              = supplied
++emailAddress            = optional
++
++[ policy_anything ]
++countryName             = optional
++stateOrProvinceName     = optional
++localityName            = optional
++organizationName        = optional
++organizationalUnitName  = optional
++commonName              = supplied
++emailAddress            = optional
++
++[ req ]
++default_bits            = 2048
++default_keyfile         = privkey.pem
++distinguished_name      = req_distinguished_name
++attributes              = req_attributes
++x509_extensions = v3_ca # The extentions to add to the self signed cert
++
++string_mask = utf8only
++
++[ req_distinguished_name ]
++basicConstraints=CA:FALSE
++
++[ req_attributes ]
++challengePassword               = A challenge password
++challengePassword_min           = 4
++challengePassword_max           = 20
++
++unstructuredName                = An optional company name
++
++[ usr_cert ]
++
++basicConstraints=CA:FALSE
++nsComment                       = "OpenSSL Generated Certificate"
++
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++[ v3_req ]
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1
++
++[ v3_ca ]
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid:always,issuer
++basicConstraints = CA:true
++
++[ crl_ext ]
++
++authorityKeyIdentifier=keyid:always
++
++[ proxy_cert_ext ]
++basicConstraints=CA:FALSE
++nsComment                       = "OpenSSL Generated Certificate"
++
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
++
++[ tsa ]
++
++default_tsa = tsa_config1       # the default TSA section
++
++[ tsa_config1 ]
++
++dir             = ./demoCA              # TSA root directory
++serial          = $dir/tsaserial        # The current serial number (mandatory)
++crypto_device   = builtin               # OpenSSL engine to use for signing
++signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
++                                        # (optional)
++certs           = $dir/cacert.pem       # Certificate chain to include in reply
++                                        # (optional)
++signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
++
++default_policy  = tsa_policy1           # Policy if request did not specify it
++                                        # (optional)
++other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
++digests         = md5, sha1             # Acceptable message digests (mandatory)
++accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
++clock_precision_digits  = 0     # number of digits after dot. (optional)
++ordering                = yes   # Is ordering defined for timestamps?
++                                # (optional, default: no)
++tsa_name                = yes   # Must the TSA name be included in the reply?
++                                # (optional, default: no)
++ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
++                                # (optional, default: no)
+diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
+new file mode 100755
+index 000000000..8c33a24fe
+--- /dev/null
++++ b/tests/data/tls/create-crt.sh
+@@ -0,0 +1,78 @@
++#!/bin/sh
++openssl=$(which openssl)
++
++if [ x"$openssl" = "x" ]; then
++echo "OpenSSL command line binary not found, skipping..."
++fi
++
++USAGE="$0 [-s] [-u <user@domain.com>]"
++SERVER=0
++USER=0
++EMAIL=
++
++while test $# -gt 0 ; do
++	case "$1" in
++		-s | -server)
++			SERVER=1;
++			shift;;
++		-u | -user)
++			if [ x"$2" = "x" ]; then
++				echo "User cert requires an email address as an argument"
++				exit;
++			fi
++			USER=1;
++			EMAIL="$2";
++			shift; shift;;
++		-)
++			shift;;
++		-*)
++			echo "$USAGE"; exit 1
++			;;
++		*)
++			break;;
++	esac
++done
++
++if [ $SERVER = 0 -a $USER = 0 ]; then
++	echo "$USAGE";
++	exit 1;
++fi
++
++rm -rf ./openssl.cnf cruft
++mkdir -p private certs cruft/private cruft/certs
++
++echo "00" > cruft/serial
++touch cruft/index.txt
++touch cruft/index.txt.attr
++hn=$(hostname -f)
++sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf
++
++if [ $SERVER = 1 ]; then
++	rm -rf private/localhost.key certs/localhost.crt
++
++	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
++		-newkey rsa:1024 -config ./openssl.cnf \
++		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
++		-batch > /dev/null 2>&1
++
++	$openssl ca -out certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in localhost.csr \
++		-keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \
++		-batch >/dev/null 2>&1
++
++	rm -rf ./openssl.cnf ./localhost.csr cruft
++fi
++
++if [ $USER = 1 ]; then
++	rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
++
++	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
++		-newkey rsa:1024 -config ./openssl.cnf \
++		-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \
++		-batch >/dev/null 2>&1
++
++	$openssl ca -out certs/$EMAIL.crt -notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \
++		-keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \
++		-cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1
++
++	rm -rf ./openssl.cnf ./$EMAIL.csr cruft
++fi
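Review bot: The missing-binary check at the top (`if [ x"$openssl" = "x" ]; then echo "... skipping..."; fi`) prints the skip message but never exits, so the script carries on and `$openssl req` on line 2143 expands to an empty command; add `exit 0` after the echo (or `exit 1` if a missing openssl should count as an error). The `-u` branch's bare `exit;` returns status 0 on a usage error while the `-*` branch returns 1, so `exit 1` there would make the two consistent. For the user certificate, `-extensions req_distinguished_name` selects a section that, in the cnf shown above (presumably the conf/openssl.cnf this script rewrites with sed), holds only `basicConstraints=CA:FALSE`, so the client cert gets no keyUsage/extendedKeyUsage at all, unlike the server path which uses `v3_req`; a dedicated `v3_usr` section, or at least a comment saying the minimal extension set is deliberate, would document that. Both key generations use `-newkey rsa:1024`, below the cnf's `default_bits = 2048`; acceptable for fixtures, but TLS libraries running at a raised security level may reject 1024-bit keys, and since all openssl output goes to /dev/null that would surface only as unexplained failures in test067/test068.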
+diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
+new file mode 100644
+index 000000000..5f4625fd7
+--- /dev/null
++++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
+@@ -0,0 +1,16 @@
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
+new file mode 100644
+index 000000000..8a24f69f8
+--- /dev/null
++++ b/tests/data/tls/private/localhost.key
+@@ -0,0 +1,16 @@
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+diff --git a/tests/run.in b/tests/run.in
+index a542eedec..468c3e1f2 100644
+--- a/tests/run.in
++++ b/tests/run.in
+@@ -56,6 +56,7 @@ AC_valsort=valsort@BUILD_VALSORT@
+ # misc
+ AC_WITH_SASL=@WITH_SASL@
+ AC_WITH_TLS=@WITH_TLS@
++AC_TLS_TYPE=@WITH_TLS_TYPE@
+ AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@
+ AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@
+ AC_THREADS=threads@BUILD_THREAD@
+@@ -74,7 +75,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \
+ 	AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
+ 	AC_valsort \
+ 	AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \
+-	AC_THREADS AC_LIBS_DYNAMIC
++	AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE
+ 
+ if test ! -x ../servers/slapd/slapd ; then
+ 	echo "Could not locate slapd(8)"
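Review bot: `AC_WITH_TLS` is exported twice in the same statement — it is already present on line 2198 and is added again on the new line 2200, where only `AC_TLS_TYPE` is actually new; the changed line should read `AC_THREADS AC_LIBS_DYNAMIC AC_TLS_TYPE`. Harmless to sh, but it reads like a leftover from rebasing the patch.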
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index b374cc500..8f7c7b853 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -45,6 +45,9 @@ VALSORT=${AC_valsort-valsortno}
+ # misc
+ WITH_SASL=${AC_WITH_SASL-no}
+ USE_SASL=${SLAPD_USE_SASL-no}
++WITH_TLS=${AC_WITH_TLS-no}
++WITH_TLS_TYPE=${AC_TLS_TYPE-no}
++
+ ACI=${AC_ACI_ENABLED-acino}
+ THREADS=${AC_THREADS-threadsno}
+ SLEEP0=${SLEEP0-1}
+@@ -103,6 +106,8 @@ P2SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist2.conf
+ P3SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist3.conf
+ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
++TLSCONF=$DATADIR/slapd-tls.conf
++TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+@@ -163,6 +168,7 @@ SLURPLOG=$TESTDIR/slurp.log
+ CONFIGPWF=$TESTDIR/configpw
+ 
+ # args
++SASLARGS="-Q"
+ TOOLARGS="-x $LDAP_TOOLARGS"
+ TOOLPROTO="-P 3"
+ 
+@@ -184,7 +190,8 @@ BCMP="diff -iB"
+ CMPOUT=/dev/null
+ SLAPD="$TESTWD/../servers/slapd/slapd -s0"
+ LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
+-LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"
++LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL"
++LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS"
+ LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
+ LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
+ LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS"
+@@ -199,6 +206,7 @@ LDIFFILTER=$PROGDIR/ldif-filter
+ SLAPDMTREAD=$PROGDIR/slapd-mtread
+ LVL=${SLAPD_DEBUG-0x4105}
+ LOCALHOST=localhost
++LOCALIP=127.0.0.1
+ BASEPORT=${SLAPD_BASEPORT-9010}
+ PORT1=`expr $BASEPORT + 1`
+ PORT2=`expr $BASEPORT + 2`
+@@ -207,11 +215,22 @@ PORT4=`expr $BASEPORT + 4`
+ PORT5=`expr $BASEPORT + 5`
+ PORT6=`expr $BASEPORT + 6`
+ URI1="ldap://${LOCALHOST}:$PORT1/"
++URIP1="ldap://${LOCALIP}:$PORT1/"
+ URI2="ldap://${LOCALHOST}:$PORT2/"
++URIP2="ldap://${LOCALIP}:$PORT2/"
+ URI3="ldap://${LOCALHOST}:$PORT3/"
++URIP3="ldap://${LOCALIP}:$PORT3/"
+ URI4="ldap://${LOCALHOST}:$PORT4/"
+ URI5="ldap://${LOCALHOST}:$PORT5/"
+ URI6="ldap://${LOCALHOST}:$PORT6/"
++SURI1="ldaps://${LOCALHOST}:$PORT1/"
++SURIP1="ldaps://${LOCALIP}:$PORT1/"
++SURI2="ldaps://${LOCALHOST}:$PORT2/"
++SURIP2="ldaps://${LOCALIP}:$PORT2/"
++SURI3="ldaps://${LOCALHOST}:$PORT3/"
++SURI4="ldaps://${LOCALHOST}:$PORT4/"
++SURI5="ldaps://${LOCALHOST}:$PORT5/"
++SURI6="ldaps://${LOCALHOST}:$PORT6/"
+ 
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls
+new file mode 100755
+index 000000000..2b245f5f5
+--- /dev/null
++++ b/tests/scripts/test067-tls
+@@ -0,0 +1,140 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2017 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_TLS = no ; then
++        echo "TLS support not available, test skipped"
++        exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1
++cp -r $DATADIR/tls $TESTDIR
++
++cd $TESTWD
++
++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
++. $CONFFILTER $BACKEND $MONITORDB < $TLSCONF > $CONF1
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID"
++
++sleep 1
++
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "" -H $URI1 \
++		'objectclass=*' > /dev/null 2>&1
++        RC=$?
++        if test $RC = 0 ; then
++                break
++        fi
++        echo "Waiting 5 seconds for slapd to start..."
++        sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo -n "Using ldapsearch with startTLS with no server cert validation...."
++$LDAPSEARCH -o tls_reqcert=never -ZZ -b "" -s base -H $URIP1 \
++	'@extensibleObject' > $SEARCHOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch (startTLS) failed ($RC)!"
++	exit $RC
++else
++	echo "success"
++fi
++
++echo -n "Using ldapsearch with startTLS with hard require cert...."
++$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -ZZ -b "" -s base -H $URIP1 \
++	'@extensibleObject' > $SEARCHOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch (startTLS) failed ($RC)!"
++	exit $RC
++else
++	echo "success"
++fi
++
++if test $WITH_TLS_TYPE = openssl ; then
++	echo -n "Using ldapsearch with startTLS and specific protocol version...."
++	$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -o tls_protocol_min=3.3 -ZZ -b "" -s base -H $URIP1 \
++		'@extensibleObject' > $SEARCHOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapsearch (protocol-min) failed ($RC)!"
++		exit $RC
++	else
++		echo "success"
++	fi
++fi
++
++echo -n "Using ldapsearch on $SURI2 with no server cert validation..."
++$LDAPSEARCH -o tls_reqcert=never -b "cn=Subschema" -s base -H $SURIP2 \
++	'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
++	>> $SEARCHOUT  2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch (ldaps) failed($RC)!"
++	exit $RC
++else
++	echo "success"
++fi
++
++echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert.  Should fail..."
++$LDAPSEARCH -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
++	'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
++	>> $SEARCHOUT  2>&1
++RC=$?
++if test $RC = 0 ; then
++	echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
++	exit 1
++else
++	echo "failed correctly with error code ($RC)"
++fi
++
++echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..."
++$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
++	'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
++	>> $SEARCHOUT  2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch (ldaps) failed ($RC)!"
++	exit $RC
++else
++	echo "success"
++fi
++
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++if test $RC != 0 ; then
++	echo ">>>>> Test failed"
++else
++	echo ">>>>> Test succeeded"
++	RC=0
++fi
++
++test $KILLSERVERS != no && wait
++
++exit $RC
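Review bot: Every ldapsearch failure branch after start-up (lines 2343-2345, 2354-2356, 2366-2368, 2379-2381, 2391-2393 and 2403-2405) exits with `exit $RC` without first running `test $KILLSERVERS != no && kill -HUP $KILLPIDS`, so a failing assertion leaves the slapd started on line 2312 running; the start-up loop at 2335 already has the guard, and test068 at 2498-2500 has the same gap. The negative check at 2386-2396 proves only that the exit status is non-zero, so a server that has died or a refused connection would also "fail correctly"; if ldapsearch's exit code for a TLS verification failure is stable (I have not verified which value it returns here), comparing `$RC` against it, or grepping `$SEARCHOUT` for the TLS error text, would make the test assert what its message says.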
+diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
+new file mode 100755
+index 000000000..dcbc50fd4
+--- /dev/null
++++ b/tests/scripts/test068-sasl-tls-external
+@@ -0,0 +1,102 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2017 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_TLS = no ; then
++        echo "TLS support not available, test skipped"
++        exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1
++cp -r $DATADIR/tls $TESTDIR
++
++cd $TESTWD
++
++echo "Running slapadd to build slapd database..."
++. $CONFFILTER $BACKEND $MONITORDB < $TLSSASLCONF > $CONF1
++$SLAPADD -f $CONF1 -l $LDIFORDERED
++RC=$?
++if test $RC != 0 ; then
++        echo "slapadd failed ($RC)!"
++        exit $RC
++fi
++
++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID"
++
++sleep 1
++
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "" -H $URI1 \
++		'objectclass=*' > /dev/null 2>&1
++        RC=$?
++        if test $RC = 0 ; then
++                break
++        fi
++        echo "Waiting 5 seconds for slapd to start..."
++        sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo -n "Using ldapwhoami with SASL/EXTERNAL...."
++$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard \
++	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key -ZZ -Y EXTERNAL -H $URIP1 \
++	> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapwhoami (startTLS) failed ($RC)!"
++	exit $RC
++else
++	echo "success"
++fi
++
++echo -n "Validating mapped SASL ID..."
++echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out
++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
++
++RC=$?
++if test $RC != 0 ; then
++	echo "Comparison failed"
++	test $KILLSERVERS != no && kill -HUP $PID
++	exit $RC
++else
++	echo "success"
++fi
++
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++if test $RC != 0 ; then
++	echo ">>>>> Test failed"
++else
++	echo ">>>>> Test succeeded"
++	RC=0
++fi
++
++test $KILLSERVERS != no && wait
++
++exit $RC
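Review bot: `test $KILLSERVERS != no && kill -HUP $PID` on line 2512 diverges from the `$KILLPIDS` form used at 2489 and 2518; the two are equivalent here because `KILLPIDS="$PID"`, but the other scripts in this patch track several servers in `KILLPIDS`, so `kill -HUP $KILLPIDS` keeps the clean-up pattern uniform. The SASL/EXTERNAL whoami at 2494-2496 exits on failure without that clean-up at all (see the note on test067), leaving the slapd from line 2466 running.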
+diff --git a/tests/scripts/test069-delta-multimaster-starttls b/tests/scripts/test069-delta-multimaster-starttls
+new file mode 100755
+index 000000000..2dfbb30a1
+--- /dev/null
++++ b/tests/scripts/test069-delta-multimaster-starttls
+@@ -0,0 +1,574 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2017 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_TLS = no ; then
++        echo "TLS support not available, test skipped"
++        exit 0
++fi
++
++if test $SYNCPROV = syncprovno; then
++	echo "Syncrepl provider overlay not available, test skipped"
++	exit 0
++fi
++if test $ACCESSLOG = accesslogno; then
++	echo "Accesslog overlay not available, test skipped"
++	exit 0
++fi
++
++MMR=2
++
++XDIR=$TESTDIR/srv
++TMP=$TESTDIR/tmp
++
++mkdir -p $TESTDIR
++cp -r $DATADIR/tls $TESTDIR
++
++$SLAPPASSWD -g -n >$CONFIGPWF
++
++if test x"$SYNCMODE" = x ; then
++	SYNCMODE=rp
++fi
++case "$SYNCMODE" in
++	ro)
++		SYNCTYPE="type=refreshOnly interval=00:00:00:03"
++		;;
++	rp)
++		SYNCTYPE="type=refreshAndPersist interval=00:00:00:03"
++		;;
++	*)
++		echo "unknown sync mode $SYNCMODE"
++		exit 1;
++		;;
++esac
++
++#
++# Test delta-sync mmr
++# - start servers
++# - configure over ldap
++# - populate over ldap
++# - configure syncrepl over ldap
++# - break replication
++# - modify each server separately
++# - restore replication
++# - compare results
++#
++
++nullExclude=""
++test $BACKEND = null && nullExclude="# "
++
++KILLPIDS=
++
++echo "Initializing server configurations..."
++n=1
++while [ $n -le $MMR ]; do
++
++DBDIR=${XDIR}$n/db
++CFDIR=${XDIR}$n/slapd.d
++
++mkdir -p ${XDIR}$n $DBDIR.1 $DBDIR.2 $CFDIR
++
++o=`expr 3 - $n`
++cat > $TMP <<EOF
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcServerID: $n
++olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
++olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
++
++EOF
++
++if [ "$SYNCPROV" = syncprovmod -o "$ACCESSLOG" = accesslogmod ]; then
++  cat <<EOF >> $TMP
++dn: cn=module,cn=config
++objectClass: olcModuleList
++cn: module
++olcModulePath: $TESTWD/../servers/slapd/overlays
++EOF
++  if [ "$SYNCPROV" = syncprovmod ]; then
++  echo "olcModuleLoad: syncprov.la" >> $TMP
++  fi
++  if [ "$ACCESSLOG" = accesslogmod ]; then
++  echo "olcModuleLoad: accesslog.la" >> $TMP
++  fi
++  echo "" >> $TMP
++fi
++
++if [ "$BACKENDTYPE" = mod ]; then
++cat <<EOF >> $TMP
++dn: cn=module,cn=config
++objectClass: olcModuleList
++cn: module
++olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
++olcModuleLoad: back_$BACKEND.la
++
++EOF
++fi
++MYURI=`eval echo '$URI'$n`
++PROVIDERURI=`eval echo '$URIP'$o`
++if test $INDEXDB = indexdb ; then
++INDEX1="olcDbIndex: objectClass,entryCSN,reqStart,reqDN,reqResult eq"
++INDEX2="olcDbIndex: objectClass,entryCSN,entryUUID eq"
++else
++INDEX1=
++INDEX2=
++fi
++cat >> $TMP <<EOF
++dn: cn=schema,cn=config
++objectclass: olcSchemaconfig
++cn: schema
++
++include: file://$ABS_SCHEMADIR/core.ldif
++
++include: file://$ABS_SCHEMADIR/cosine.ldif
++
++include: file://$ABS_SCHEMADIR/inetorgperson.ldif
++
++include: file://$ABS_SCHEMADIR/openldap.ldif
++
++include: file://$ABS_SCHEMADIR/nis.ldif
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://$CONFIGPWF
++
++dn: olcDatabase={1}$BACKEND,cn=config
++objectClass: olcDatabaseConfig
++${nullExclude}objectClass: olc${BACKEND}Config
++olcDatabase: {1}$BACKEND
++olcSuffix: cn=log
++${nullExclude}olcDbDirectory: ${DBDIR}.1
++olcRootDN: $MANAGERDN
++$INDEX1
++
++dn: olcOverlay=syncprov,olcDatabase={1}$BACKEND,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcSyncProvConfig
++olcOverlay: syncprov
++olcSpNoPresent: TRUE
++olcSpReloadHint: TRUE
++
++dn: olcDatabase={2}$BACKEND,cn=config
++objectClass: olcDatabaseConfig
++${nullExclude}objectClass: olc${BACKEND}Config
++olcDatabase: {2}$BACKEND
++olcSuffix: $BASEDN
++${nullExclude}olcDbDirectory: ${DBDIR}.2
++olcRootDN: $MANAGERDN
++olcRootPW: $PASSWD
++olcSyncRepl: rid=001 provider=$PROVIDERURI binddn="$MANAGERDN" bindmethod=simple
++  credentials=$PASSWD searchbase="$BASEDN" $SYNCTYPE
++  retry="3 +" timeout=3 logbase="cn=log"
++  logfilter="(&(objectclass=auditWriteObject)(reqresult=0))"
++  syncdata=accesslog tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++  starttls=critical
++olcMirrorMode: TRUE
++$INDEX2
++
++dn: olcOverlay=syncprov,olcDatabase={2}$BACKEND,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcSyncProvConfig
++olcOverlay: syncprov
++
++dn: olcOverlay=accesslog,olcDatabase={2}$BACKEND,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcAccessLogConfig
++olcOverlay: accesslog
++olcAccessLogDB: cn=log
++olcAccessLogOps: writes
++olcAccessLogSuccess: TRUE
++
++EOF
++$SLAPADD -F $CFDIR -n 0  -d-1< $TMP > $TESTOUT 2>&1
++PORT=`eval echo '$PORT'$n`
++echo "Starting server $n on TCP/IP port $PORT..."
++cd ${XDIR}${n}
++LOG=`eval echo '$LOG'$n`
++$SLAPD -F slapd.d -h $MYURI -d $LVL $TIMING > $LOG 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID $KILLPIDS"
++cd $TESTWD
++
++echo "Using ldapsearch to check that server $n is running..."
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "" -H $MYURI \
++		'objectclass=*' > /dev/null 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting 5 seconds for slapd to start..."
++	sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++if [ $n = 1 ]; then
++echo "Using ldapadd for context on server 1..."
++$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDEREDCP \
++	>> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapadd failed for server $n database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++fi
++
++n=`expr $n + 1`
++done
++
++echo "Using ldapadd to populate server 1..."
++$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDEREDNOCP \
++	>> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapadd failed for server $n database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++sleep $SLEEP1
++
++n=1
++while [ $n -le $MMR ]; do
++PORT=`expr $BASEPORT + $n`
++URI="ldap://${LOCALHOST}:$PORT/"
++
++echo "Using ldapsearch to read all the entries from server $n..."
++$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD  \
++	'objectclass=*' > $TESTDIR/server$n.out 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at server $n ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
++n=`expr $n + 1`
++done
++
++n=2
++while [ $n -le $MMR ]; do
++echo "Comparing retrieved entries from server 1 and server $n..."
++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - server 1 and server $n databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++n=`expr $n + 1`
++done
++
++echo "Using ldapadd to populate server 2..."
++$LDAPADD -D "$MANAGERDN" -H $URI2 -w $PASSWD -f $LDIFADD1 \
++	>> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapadd failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
++sleep 1
++for i in 1 2 3; do
++	$LDAPSEARCH -S "" -b "$THEDN" -H $URI1 \
++		-s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
++	RC=$?
++
++	if test $RC = 0 ; then
++		break
++	fi
++
++	if test $RC != 32 ; then
++		echo "ldapsearch failed at slave ($RC)!"
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	fi
++
++	echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++	sleep $SLEEP1
++done
++
++n=1
++while [ $n -le $MMR ]; do
++PORT=`expr $BASEPORT + $n`
++URI="ldap://${LOCALHOST}:$PORT/"
++
++echo "Using ldapsearch to read all the entries from server $n..."
++$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD  \
++	'objectclass=*' > $TESTDIR/server$n.out 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at server $n ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
++n=`expr $n + 1`
++done
++
++n=2
++while [ $n -le $MMR ]; do
++echo "Comparing retrieved entries from server 1 and server $n..."
++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - server 1 and server $n databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++n=`expr $n + 1`
++done
++
++echo "Breaking replication between server 1 and 2..."
++n=1
++while [ $n -le $MMR ]; do
++o=`expr 3 - $n`
++MYURI=`eval echo '$URI'$n`
++PROVIDERURI=`eval echo '$URIP'$o`
++$LDAPMODIFY -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <<EOF
++dn: olcDatabase={2}$BACKEND,cn=config
++changetype: modify
++replace: olcSyncRepl
++olcSyncRepl: rid=001 provider=$PROVIDERURI binddn="$MANAGERDN" bindmethod=simple
++  credentials=InvalidPw searchbase="$BASEDN" $SYNCTYPE
++  retry="3 +" timeout=3 logbase="cn=log"
++  logfilter="(&(objectclass=auditWriteObject)(reqresult=0))"
++  syncdata=accesslog tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++  starttls=critical
++-
++replace: olcMirrorMode
++olcMirrorMode: TRUE
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server $n config ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++n=`expr $n + 1`
++done
++
++echo "Using ldapmodify to force conflicts between server 1 and 2..."
++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: description
++description: Amazing
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: description
++description: Stupendous
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++delete: description
++description: Outstanding
++-
++add: description
++description: Mindboggling
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++delete: description
++description: OutStanding
++-
++add: description
++description: Bizarre
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: carLicense
++carLicense: 123-XYZ
++-
++add: employeeNumber
++employeeNumber: 32
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: employeeType
++employeeType: deadwood
++-
++add: employeeNumber
++employeeNumber: 64
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++replace: sn
++sn: Replaced later
++-
++replace: sn
++sn: Surname
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Restoring replication between server 1 and 2..."
++n=1
++while [ $n -le $MMR ]; do
++o=`expr 3 - $n`
++MYURI=`eval echo '$URI'$n`
++PROVIDERURI=`eval echo '$URIP'$o`
++$LDAPMODIFY -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <<EOF
++dn: olcDatabase={2}$BACKEND,cn=config
++changetype: modify
++replace: olcSyncRepl
++olcSyncRepl: rid=001 provider=$PROVIDERURI binddn="$MANAGERDN" bindmethod=simple
++  credentials=$PASSWD searchbase="$BASEDN" $SYNCTYPE
++  retry="3 +" timeout=3 logbase="cn=log"
++  logfilter="(&(objectclass=auditWriteObject)(reqresult=0))"
++  syncdata=accesslog tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++  starttls=critical
++-
++replace: olcMirrorMode
++olcMirrorMode: TRUE
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server $n config ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++n=`expr $n + 1`
++done
++
++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++sleep $SLEEP1
++
++n=1
++while [ $n -le $MMR ]; do
++PORT=`expr $BASEPORT + $n`
++URI="ldap://${LOCALHOST}:$PORT/"
++
++echo "Using ldapsearch to read all the entries from server $n..."
++$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD  \
++	'objectclass=*' > $TESTDIR/server$n.out 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at server $n ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++$LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
++n=`expr $n + 1`
++done
++
++n=2
++while [ $n -le $MMR ]; do
++echo "Comparing retrieved entries from server 1 and server $n..."
++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - server 1 and server $n databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++n=`expr $n + 1`
++done
++
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++echo ">>>>> Test succeeded"
++
++test $KILLSERVERS != no && wait
++
++exit 0
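Review bot: The `$SLAPADD -F $CFDIR -n 0 -d-1 < $TMP` call on line 2733 is the only tool invocation in the script whose status is not checked; if the generated cn=config LDIF is rejected (a bad certificate path, for instance), the failure surfaces only up to 30 seconds later as a generic "ldapsearch failed" from the wait loop at 2748-2763, so add `RC=$?` and the usual `test $KILLSERVERS != no && kill -HUP $KILLPIDS; exit $RC` guard after it. The message on 2785 says `server $n`, but it runs after the loop when `$n` is already 3 while the ldapadd targets `$URI1`; `echo "ldapadd failed for server 1 database ($RC)!"` matches what it does, and "failed at slave" on 2847 is similarly a copy-paste from another test. The syncrepl stanza at 2710-2715 sets `tls_cacert` and `starttls=critical` but no `tls_reqcert`, so whether the consumer actually verifies the provider certificate depends on the library default; spelling out `tls_reqcert=demand` would make the intent of a TLS replication test unambiguous.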
+diff --git a/tests/scripts/test070-delta-multimaster-ldaps b/tests/scripts/test070-delta-multimaster-ldaps
+new file mode 100755
+index 000000000..1024640ef
+--- /dev/null
++++ b/tests/scripts/test070-delta-multimaster-ldaps
+@@ -0,0 +1,571 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2017 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_TLS = no ; then
++        echo "TLS support not available, test skipped"
++        exit 0
++fi
++
++if test $SYNCPROV = syncprovno; then
++	echo "Syncrepl provider overlay not available, test skipped"
++	exit 0
++fi
++if test $ACCESSLOG = accesslogno; then
++	echo "Accesslog overlay not available, test skipped"
++	exit 0
++fi
++
++MMR=2
++
++XDIR=$TESTDIR/srv
++TMP=$TESTDIR/tmp
++
++mkdir -p $TESTDIR
++cp -r $DATADIR/tls $TESTDIR
++
++$SLAPPASSWD -g -n >$CONFIGPWF
++
++if test x"$SYNCMODE" = x ; then
++	SYNCMODE=rp
++fi
++case "$SYNCMODE" in
++	ro)
++		SYNCTYPE="type=refreshOnly interval=00:00:00:03"
++		;;
++	rp)
++		SYNCTYPE="type=refreshAndPersist interval=00:00:00:03"
++		;;
++	*)
++		echo "unknown sync mode $SYNCMODE"
++		exit 1;
++		;;
++esac
++
++#
++# Test delta-sync mmr
++# - start servers
++# - configure over ldap
++# - populate over ldap
++# - configure syncrepl over ldap
++# - break replication
++# - modify each server separately
++# - restore replication
++# - compare results
++#
++
++nullExclude=""
++test $BACKEND = null && nullExclude="# "
++
++KILLPIDS=
++
++echo "Initializing server configurations..."
++n=1
++while [ $n -le $MMR ]; do
++
++DBDIR=${XDIR}$n/db
++CFDIR=${XDIR}$n/slapd.d
++
++mkdir -p ${XDIR}$n $DBDIR.1 $DBDIR.2 $CFDIR
++
++o=`expr 3 - $n`
++cat > $TMP <<EOF
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcServerID: $n
++olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
++olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
++
++EOF
++
++if [ "$SYNCPROV" = syncprovmod -o "$ACCESSLOG" = accesslogmod ]; then
++  cat <<EOF >> $TMP
++dn: cn=module,cn=config
++objectClass: olcModuleList
++cn: module
++olcModulePath: $TESTWD/../servers/slapd/overlays
++EOF
++  if [ "$SYNCPROV" = syncprovmod ]; then
++  echo "olcModuleLoad: syncprov.la" >> $TMP
++  fi
++  if [ "$ACCESSLOG" = accesslogmod ]; then
++  echo "olcModuleLoad: accesslog.la" >> $TMP
++  fi
++  echo "" >> $TMP
++fi
++
++if [ "$BACKENDTYPE" = mod ]; then
++cat <<EOF >> $TMP
++dn: cn=module,cn=config
++objectClass: olcModuleList
++cn: module
++olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
++olcModuleLoad: back_$BACKEND.la
++
++EOF
++fi
++MYURI=`eval echo '$SURIP'$n`
++PROVIDERURI=`eval echo '$SURIP'$o`
++if test $INDEXDB = indexdb ; then
++INDEX1="olcDbIndex: objectClass,entryCSN,reqStart,reqDN,reqResult eq"
++INDEX2="olcDbIndex: objectClass,entryCSN,entryUUID eq"
++else
++INDEX1=
++INDEX2=
++fi
++cat >> $TMP <<EOF
++dn: cn=schema,cn=config
++objectclass: olcSchemaconfig
++cn: schema
++
++include: file://$ABS_SCHEMADIR/core.ldif
++
++include: file://$ABS_SCHEMADIR/cosine.ldif
++
++include: file://$ABS_SCHEMADIR/inetorgperson.ldif
++
++include: file://$ABS_SCHEMADIR/openldap.ldif
++
++include: file://$ABS_SCHEMADIR/nis.ldif
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://$CONFIGPWF
++
++dn: olcDatabase={1}$BACKEND,cn=config
++objectClass: olcDatabaseConfig
++${nullExclude}objectClass: olc${BACKEND}Config
++olcDatabase: {1}$BACKEND
++olcSuffix: cn=log
++${nullExclude}olcDbDirectory: ${DBDIR}.1
++olcRootDN: $MANAGERDN
++$INDEX1
++
++dn: olcOverlay=syncprov,olcDatabase={1}$BACKEND,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcSyncProvConfig
++olcOverlay: syncprov
++olcSpNoPresent: TRUE
++olcSpReloadHint: TRUE
++
++dn: olcDatabase={2}$BACKEND,cn=config
++objectClass: olcDatabaseConfig
++${nullExclude}objectClass: olc${BACKEND}Config
++olcDatabase: {2}$BACKEND
++olcSuffix: $BASEDN
++${nullExclude}olcDbDirectory: ${DBDIR}.2
++olcRootDN: $MANAGERDN
++olcRootPW: $PASSWD
++olcSyncRepl: rid=001 provider=$PROVIDERURI binddn="$MANAGERDN" bindmethod=simple
++  credentials=$PASSWD searchbase="$BASEDN" $SYNCTYPE
++  retry="3 +" timeout=3 logbase="cn=log"
++  logfilter="(&(objectclass=auditWriteObject)(reqresult=0))"
++  syncdata=accesslog tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++olcMirrorMode: TRUE
++$INDEX2
++
++dn: olcOverlay=syncprov,olcDatabase={2}$BACKEND,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcSyncProvConfig
++olcOverlay: syncprov
++
++dn: olcOverlay=accesslog,olcDatabase={2}$BACKEND,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcAccessLogConfig
++olcOverlay: accesslog
++olcAccessLogDB: cn=log
++olcAccessLogOps: writes
++olcAccessLogSuccess: TRUE
++
++EOF
++$SLAPADD -F $CFDIR -n 0  -d-1< $TMP > $TESTOUT 2>&1
++PORT=`eval echo '$PORT'$n`
++echo "Starting server $n on TCP/IP port $PORT..."
++cd ${XDIR}${n}
++LOG=`eval echo '$LOG'$n`
++$SLAPD -F slapd.d -h $MYURI -d $LVL $TIMING > $LOG 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID $KILLPIDS"
++cd $TESTWD
++
++echo "Using ldapsearch to check that server $n is running..."
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -s base -b "" -H $MYURI \
++		'objectclass=*' > /dev/null 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting 5 seconds for slapd to start..."
++	sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++if [ $n = 1 ]; then
++echo "Using ldapadd for context on server 1..."
++$LDAPADD -D "$MANAGERDN" -H $SURIP1 -w $PASSWD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -f $LDIFORDEREDCP \
++	>> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapadd failed for server $n database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++fi
++
++n=`expr $n + 1`
++done
++
++echo "Using ldapadd to populate server 1..."
++$LDAPADD -D "$MANAGERDN" -H $SURIP1 -w $PASSWD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -f $LDIFORDEREDNOCP \
++	>> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapadd failed for server $n database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++sleep $SLEEP1
++
++n=1
++while [ $n -le $MMR ]; do
++PORT=`expr $BASEPORT + $n`
++URI="ldaps://${LOCALIP}:$PORT/"
++
++echo "Using ldapsearch to read all the entries from server $n..."
++$LDAPSEARCH -S "" -b "$BASEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $URI -w $PASSWD  \
++	'objectclass=*' > $TESTDIR/server$n.out 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at server $n ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
++n=`expr $n + 1`
++done
++
++n=2
++while [ $n -le $MMR ]; do
++echo "Comparing retrieved entries from server 1 and server $n..."
++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - server 1 and server $n databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++n=`expr $n + 1`
++done
++
++echo "Using ldapadd to populate server 2..."
++$LDAPADD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD -f $LDIFADD1 \
++	>> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapadd failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
++sleep 1
++for i in 1 2 3; do
++	$LDAPSEARCH -S "" -b "$THEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $SURIP1 \
++		-s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
++	RC=$?
++
++	if test $RC = 0 ; then
++		break
++	fi
++
++	if test $RC != 32 ; then
++		echo "ldapsearch failed at slave ($RC)!"
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	fi
++
++	echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++	sleep $SLEEP1
++done
++
++n=1
++while [ $n -le $MMR ]; do
++PORT=`expr $BASEPORT + $n`
++URI="ldaps://${LOCALIP}:$PORT/"
++
++echo "Using ldapsearch to read all the entries from server $n..."
++$LDAPSEARCH -S "" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD  \
++	'objectclass=*' > $TESTDIR/server$n.out 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at server $n ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
++n=`expr $n + 1`
++done
++
++n=2
++while [ $n -le $MMR ]; do
++echo "Comparing retrieved entries from server 1 and server $n..."
++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - server 1 and server $n databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++n=`expr $n + 1`
++done
++
++echo "Breaking replication between server 1 and 2..."
++n=1
++while [ $n -le $MMR ]; do
++o=`expr 3 - $n`
++MYURI=`eval echo '$SURIP'$n`
++PROVIDERURI=`eval echo '$SURIP'$o`
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <<EOF
++dn: olcDatabase={2}$BACKEND,cn=config
++changetype: modify
++replace: olcSyncRepl
++olcSyncRepl: rid=001 provider=$PROVIDERURI binddn="$MANAGERDN" bindmethod=simple
++  credentials=InvalidPw searchbase="$BASEDN" $SYNCTYPE
++  retry="3 +" timeout=3 logbase="cn=log"
++  logfilter="(&(objectclass=auditWriteObject)(reqresult=0))"
++  syncdata=accesslog tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++-
++replace: olcMirrorMode
++olcMirrorMode: TRUE
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server $n config ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++n=`expr $n + 1`
++done
++
++echo "Using ldapmodify to force conflicts between server 1 and 2..."
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: description
++description: Amazing
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: description
++description: Stupendous
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++delete: description
++description: Outstanding
++-
++add: description
++description: Mindboggling
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++delete: description
++description: OutStanding
++-
++add: description
++description: Bizarre
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: carLicense
++carLicense: 123-XYZ
++-
++add: employeeNumber
++employeeNumber: 32
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++add: employeeType
++employeeType: deadwood
++-
++add: employeeNumber
++employeeNumber: 64
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 2 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \
++	>> $TESTOUT 2>&1 << EOF
++dn: $THEDN
++changetype: modify
++replace: sn
++sn: Replaced later
++-
++replace: sn
++sn: Surname
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server 1 database ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Restoring replication between server 1 and 2..."
++n=1
++while [ $n -le $MMR ]; do
++o=`expr 3 - $n`
++MYURI=`eval echo '$SURIP'$n`
++PROVIDERURI=`eval echo '$SURIP'$o`
++$LDAPMODIFY -D cn=config -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <<EOF
++dn: olcDatabase={2}$BACKEND,cn=config
++changetype: modify
++replace: olcSyncRepl
++olcSyncRepl: rid=001 provider=$PROVIDERURI binddn="$MANAGERDN" bindmethod=simple
++  credentials=$PASSWD searchbase="$BASEDN" $SYNCTYPE
++  retry="3 +" timeout=3 logbase="cn=log"
++  logfilter="(&(objectclass=auditWriteObject)(reqresult=0))"
++  syncdata=accesslog tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++-
++replace: olcMirrorMode
++olcMirrorMode: TRUE
++
++EOF
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed for server $n config ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++n=`expr $n + 1`
++done
++
++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++sleep $SLEEP1
++
++n=1
++while [ $n -le $MMR ]; do
++PORT=`expr $BASEPORT + $n`
++URI="ldaps://${LOCALIP}:$PORT/"
++
++echo "Using ldapsearch to read all the entries from server $n..."
++$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD  \
++	'objectclass=*' > $TESTDIR/server$n.out 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at server $n ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++$LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
++n=`expr $n + 1`
++done
++
++n=2
++while [ $n -le $MMR ]; do
++echo "Comparing retrieved entries from server 1 and server $n..."
++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - server 1 and server $n databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++n=`expr $n + 1`
++done
++
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++echo ">>>>> Test succeeded"
++
++test $KILLSERVERS != no && wait
++
++exit 0
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch b/SOURCES/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
new file mode 100644
index 0000000..d86a707
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
@@ -0,0 +1,582 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
+Date: Thu, 14 Jun 2018 16:14:15 +0100
+Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option
+
+---
+ clients/tools/common.c     |  15 ++-
+ doc/devel/args             |   2 +-
+ doc/man/man1/ldapcompare.1 |   9 +-
+ doc/man/man1/ldapdelete.1  |   9 +-
+ doc/man/man1/ldapexop.1    |   9 +-
+ doc/man/man1/ldapmodify.1  |   9 +-
+ doc/man/man1/ldapmodrdn.1  |   9 +-
+ doc/man/man1/ldappasswd.1  |   9 +-
+ doc/man/man1/ldapsearch.1  |   9 +-
+ doc/man/man1/ldapwhoami.1  |  13 ++-
+ doc/man/man8/slapcat.8     |   2 +-
+ include/ldap_pvt.h         |   5 +
+ libraries/libldap/init.c   | 231 ++++++++++++++++++++++---------------
+ servers/slapd/slapcommon.c |   5 +-
+ 14 files changed, 200 insertions(+), 136 deletions(-)
+
+diff --git a/clients/tools/common.c b/clients/tools/common.c
+index 39db70b93..d5c3491fc 100644
+--- a/clients/tools/common.c
++++ b/clients/tools/common.c
+@@ -351,9 +351,9 @@ N_("  -I         use SASL Interactive mode\n"),
+ N_("  -n         show what would be done but don't actually do it\n"),
+ N_("  -N         do not use reverse DNS to canonicalize SASL host name\n"),
+ N_("  -O props   SASL security properties\n"),
+-N_("  -o <opt>[=<optparam>] general options\n"),
++N_("  -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
++N_("             ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
+ N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
+-N_("             ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
+ N_("  -p port    port on LDAP server\n"),
+ N_("  -Q         use SASL Quiet mode\n"),
+ N_("  -R realm   SASL realm\n"),
+@@ -785,6 +785,11 @@ tool_args( int argc, char **argv )
+ 			if ( (cvalue = strchr( control, '=' )) != NULL ) {
+ 				*cvalue++ = '\0';
+ 			}
++			for ( next=control; *next; next++ ) {
++				if ( *next == '-' ) {
++					*next = '_';
++				}
++			}
+ 
+ 			if ( strcasecmp( control, "nettimeout" ) == 0 ) {
+ 				if( nettimeout.tv_sec != -1 ) {
+@@ -814,7 +819,7 @@ tool_args( int argc, char **argv )
+ 	 				exit( EXIT_FAILURE );
+  				}
+ 
+-			} else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) {
++			} else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) {
+ 				if ( cvalue == 0 ) {
+ 					ldif_wrap = LDIF_LINE_WIDTH;
+ 
+@@ -825,13 +830,13 @@ tool_args( int argc, char **argv )
+ 					unsigned int u;
+ 					if ( lutil_atou( &u, cvalue ) ) {
+ 						fprintf( stderr,
+-							_("Unable to parse ldif-wrap=\"%s\"\n"), cvalue );
++							_("Unable to parse ldif_wrap=\"%s\"\n"), cvalue );
+ 		 				exit( EXIT_FAILURE );
+ 					}
+ 					ldif_wrap = (ber_len_t)u;
+ 				}
+ 
+-			} else {
++			} else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {
+ 				fprintf( stderr, "Invalid general option name: %s\n",
+ 					control );
+ 				usage();
+diff --git a/doc/devel/args b/doc/devel/args
+index 7805eff1c..31c22f948 100644
+--- a/doc/devel/args
++++ b/doc/devel/args
+@@ -27,7 +27,7 @@ ldapwhoami       * DE**HI**  NO QR  UVWXYZ   def*h*** *nop*    vwxy
+ 	-h host
+ 	-n no-op
+ 	-N no (SASLprep) normalization of simple bind password
+-	-o general options (currently nettimeout and ldif-wrap only)
++	-o general libldap options (plus ldif_wrap and nettimeout for backwards comp.)
+ 	-p port
+ 	-v verbose
+ 	-V version
+diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
+index 667815a26..de90498db 100644
+--- a/doc/man/man1/ldapcompare.1
++++ b/doc/man/man1/ldapcompare.1
+@@ -186,13 +186,14 @@ Compare extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
+index 9e7036230..872424a65 100644
+--- a/doc/man/man1/ldapdelete.1
++++ b/doc/man/man1/ldapdelete.1
+@@ -192,13 +192,14 @@ Delete extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
+index 5f5ae7aae..96a7c514e 100644
+--- a/doc/man/man1/ldapexop.1
++++ b/doc/man/man1/ldapexop.1
+@@ -189,13 +189,14 @@ Specify general extensions.  \'!\' indicates criticality.
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index f884c5bfb..90f813506 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -255,13 +255,14 @@ Modify extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
+index fa9eac627..900ba7e0e 100644
+--- a/doc/man/man1/ldapmodrdn.1
++++ b/doc/man/man1/ldapmodrdn.1
+@@ -186,13 +186,14 @@ Modrdn extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
+index d3f45b082..bf273fb25 100644
+--- a/doc/man/man1/ldappasswd.1
++++ b/doc/man/man1/ldappasswd.1
+@@ -188,13 +188,14 @@ Passwd Modify extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
+index 196179232..901e56043 100644
+--- a/doc/man/man1/ldapsearch.1
++++ b/doc/man/man1/ldapsearch.1
+@@ -332,13 +332,14 @@ Search extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
+index b684de54a..79864c729 100644
+--- a/doc/man/man1/ldapwhoami.1
++++ b/doc/man/man1/ldapwhoami.1
+@@ -143,13 +143,18 @@ WhoAmI extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
++.B -o
++option that can be passed here, check
++.BR ldap.conf (5)
++for details.
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
+index d05cfa643..24c8f03ea 100644
+--- a/doc/man/man8/slapcat.8
++++ b/doc/man/man8/slapcat.8
+@@ -149,7 +149,7 @@ Possible generic options/values are:
+               syslog\-level=<level> (see `\-S' in slapd(8))
+               syslog\-user=<user>   (see `\-l' in slapd(8))
+ 
+-              ldif-wrap={no|<n>}
++              ldif_wrap={no|<n>}
+ 
+ .in
+ \fIn\fP is the number of columns allowed for the LDIF output
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index 61c620785..c586a95b5 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -321,6 +321,11 @@ struct ldapmsg;
+ LDAP_F ( int ) ldap_pvt_discard LDAP_P((
+ 	struct ldap *ld, ber_int_t msgid ));
+ 
++/* init.c */
++LDAP_F( int )
++ldap_pvt_conf_option LDAP_P((
++	char *cmd, char *opt, int userconf ));
++
+ /* messages.c */
+ LDAP_F( BerElement * )
+ ldap_get_message_ber LDAP_P((
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 182ef7d7e..746824fbd 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -148,6 +148,141 @@ static const struct ol_attribute {
+ #define MAX_LDAP_ATTR_LEN  sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL")
+ #define MAX_LDAP_ENV_PREFIX_LEN 8
+ 
++static int
++ldap_int_conf_option(
++	struct ldapoptions *gopts,
++	char *cmd, char *opt, int userconf )
++{
++	int i;
++
++	for(i=0; attrs[i].type != ATTR_NONE; i++) {
++		void *p;
++
++		if( !userconf && attrs[i].useronly ) {
++			continue;
++		}
++
++		if(strcasecmp(cmd, attrs[i].name) != 0) {
++			continue;
++		}
++
++		switch(attrs[i].type) {
++		case ATTR_BOOL:
++			if((strcasecmp(opt, "on") == 0)
++				|| (strcasecmp(opt, "yes") == 0)
++				|| (strcasecmp(opt, "true") == 0))
++			{
++				LDAP_BOOL_SET(gopts, attrs[i].offset);
++
++			} else {
++				LDAP_BOOL_CLR(gopts, attrs[i].offset);
++			}
++
++			break;
++
++		case ATTR_INT: {
++			char *next;
++			long l;
++			p = &((char *) gopts)[attrs[i].offset];
++			l = strtol( opt, &next, 10 );
++			if ( next != opt && next[ 0 ] == '\0' ) {
++				* (int*) p = l;
++			}
++			} break;
++
++		case ATTR_KV: {
++				const struct ol_keyvalue *kv;
++
++				for(kv = attrs[i].data;
++					kv->key != NULL;
++					kv++) {
++
++					if(strcasecmp(opt, kv->key) == 0) {
++						p = &((char *) gopts)[attrs[i].offset];
++						* (int*) p = kv->value;
++						break;
++					}
++				}
++			} break;
++
++		case ATTR_STRING:
++			p = &((char *) gopts)[attrs[i].offset];
++			if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
++			* (char**) p = LDAP_STRDUP(opt);
++			break;
++		case ATTR_OPTION:
++			ldap_set_option( NULL, attrs[i].offset, opt );
++			break;
++		case ATTR_SASL:
++#ifdef HAVE_CYRUS_SASL
++			ldap_int_sasl_config( gopts, attrs[i].offset, opt );
++#endif
++			break;
++		case ATTR_GSSAPI:
++#ifdef HAVE_GSSAPI
++			ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
++#endif
++			break;
++		case ATTR_TLS:
++#ifdef HAVE_TLS
++			ldap_int_tls_config( NULL, attrs[i].offset, opt );
++#endif
++			break;
++		case ATTR_OPT_TV: {
++			struct timeval tv;
++			char *next;
++			tv.tv_usec = 0;
++			tv.tv_sec = strtol( opt, &next, 10 );
++			if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
++				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
++			}
++			} break;
++		case ATTR_OPT_INT: {
++			long l;
++			char *next;
++			l = strtol( opt, &next, 10 );
++			if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
++				int v = (int)l;
++				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
++			}
++			} break;
++		}
++
++		break;
++	}
++
++	if ( attrs[i].type == ATTR_NONE ) {
++		Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
++				"unknown option '%s'",
++				cmd, 0, 0 );
++		return 1;
++	}
++
++	return 0;
++}
++
++int
++ldap_pvt_conf_option(
++	char *cmd, char *opt, int userconf )
++{
++	struct ldapoptions *gopts;
++	int rc = LDAP_OPT_ERROR;
++
++	/* Get pointer to global option structure */
++	gopts = LDAP_INT_GLOBAL_OPT();
++	if (NULL == gopts) {
++		return LDAP_NO_MEMORY;
++	}
++
++	if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
++		ldap_int_initialize(gopts, NULL);
++		if ( gopts->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
++	}
++
++	return ldap_int_conf_option( gopts, cmd, opt, userconf );
++}
++
+ static void openldap_ldap_init_w_conf(
+ 	const char *file, int userconf )
+ {
+@@ -213,101 +348,7 @@ static void openldap_ldap_init_w_conf(
+ 		while(isspace((unsigned char)*start)) start++;
+ 		opt = start;
+ 
+-		for(i=0; attrs[i].type != ATTR_NONE; i++) {
+-			void *p;
+-
+-			if( !userconf && attrs[i].useronly ) {
+-				continue;
+-			}
+-
+-			if(strcasecmp(cmd, attrs[i].name) != 0) {
+-				continue;
+-			}
+-
+-			switch(attrs[i].type) {
+-			case ATTR_BOOL:
+-				if((strcasecmp(opt, "on") == 0) 
+-					|| (strcasecmp(opt, "yes") == 0)
+-					|| (strcasecmp(opt, "true") == 0))
+-				{
+-					LDAP_BOOL_SET(gopts, attrs[i].offset);
+-
+-				} else {
+-					LDAP_BOOL_CLR(gopts, attrs[i].offset);
+-				}
+-
+-				break;
+-
+-			case ATTR_INT: {
+-				char *next;
+-				long l;
+-				p = &((char *) gopts)[attrs[i].offset];
+-				l = strtol( opt, &next, 10 );
+-				if ( next != opt && next[ 0 ] == '\0' ) {
+-					* (int*) p = l;
+-				}
+-				} break;
+-
+-			case ATTR_KV: {
+-					const struct ol_keyvalue *kv;
+-
+-					for(kv = attrs[i].data;
+-						kv->key != NULL;
+-						kv++) {
+-
+-						if(strcasecmp(opt, kv->key) == 0) {
+-							p = &((char *) gopts)[attrs[i].offset];
+-							* (int*) p = kv->value;
+-							break;
+-						}
+-					}
+-				} break;
+-
+-			case ATTR_STRING:
+-				p = &((char *) gopts)[attrs[i].offset];
+-				if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
+-				* (char**) p = LDAP_STRDUP(opt);
+-				break;
+-			case ATTR_OPTION:
+-				ldap_set_option( NULL, attrs[i].offset, opt );
+-				break;
+-			case ATTR_SASL:
+-#ifdef HAVE_CYRUS_SASL
+-			   	ldap_int_sasl_config( gopts, attrs[i].offset, opt );
+-#endif
+-				break;
+-			case ATTR_GSSAPI:
+-#ifdef HAVE_GSSAPI
+-				ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
+-#endif
+-				break;
+-			case ATTR_TLS:
+-#ifdef HAVE_TLS
+-			   	ldap_int_tls_config( NULL, attrs[i].offset, opt );
+-#endif
+-				break;
+-			case ATTR_OPT_TV: {
+-				struct timeval tv;
+-				char *next;
+-				tv.tv_usec = 0;
+-				tv.tv_sec = strtol( opt, &next, 10 );
+-				if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
+-					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
+-				}
+-				} break;
+-			case ATTR_OPT_INT: {
+-				long l;
+-				char *next;
+-				l = strtol( opt, &next, 10 );
+-				if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
+-					int v = (int)l;
+-					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
+-				}
+-				} break;
+-			}
+-
+-			break;
+-		}
++		ldap_int_conf_option( gopts, cmd, opt, userconf );
+ 	}
+ 
+ 	fclose(fp);
+diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
+index 01574af1e..a62c69581 100644
+--- a/servers/slapd/slapcommon.c
++++ b/servers/slapd/slapcommon.c
+@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
+ 			break;
+ 		}
+ 
+-	} else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) {
++	} else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) ||
++			( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) {
+ 		switch ( tool ) {
+ 		case SLAPCAT:
+ 			if ( strcasecmp( p, "no" ) == 0 ) {
+@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode )
+ 			} else {
+ 				unsigned int u;
+ 				if ( lutil_atou( &u, p ) ) {
+-					Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 );
++					Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 );
+ 					return -1;
+ 				}
+ 				ldif_wrap = (ber_len_t)u;
+-- 
+2.29.2
+
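Review bot: The new `ldap_int_conf_option` in the `libraries/libldap/init.c` hunk dereferences `opt` unconditionally (`strcasecmp(opt, "on")`, `strtol( opt, ... )`, `LDAP_STRDUP(opt)`), while the new `tool_args` branch in `clients/tools/common.c` passes `cvalue`, which is NULL whenever `-o` is given a bare option name without `=value` (the `ldif_wrap` branch above it still tests `if ( cvalue == 0 )` for exactly that case), so `-o TLS_REQCERT` on its own crashes the client instead of reporting a usage error. A guard at the top of the helper keeps both callers safe, since the config-file path always passes a non-NULL `opt` and the tool already treats a non-zero return as "Invalid general option name": `if ( cmd == NULL || opt == NULL ) return 1;`. Two smaller points in the same hunk: the unknown-option trace is labelled with the wrong function, `"ldap_int_tls_config: "` should read `"ldap_int_conf_option: "`, and `rc` in `ldap_pvt_conf_option` is assigned `LDAP_OPT_ERROR` but never used. The surrounding `tool_args` body, including where `cvalue` is first declared, lies outside the hunk.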
diff --git a/SOURCES/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch b/SOURCES/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
new file mode 100644
index 0000000..31574ee
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
@@ -0,0 +1,631 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Apr 2020 16:10:48 +0300
+Subject: [PATCH] ITS#9189 rework sasl-cbinding support
+
+Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
+defaults to "none".
+
+Add "tls-endpoint" binding type implementing "tls-server-end-point" from
+RCF 5929, which is compatible with Windows.
+
+Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
+---
+ doc/man/man3/ldap_get_option.3 |  16 ++++++
+ doc/man/man5/ldap.conf.5       |   3 +
+ doc/man/man5/slapd-config.5    |   4 ++
+ doc/man/man5/slapd.conf.5      |   3 +
+ include/ldap.h                 |   5 ++
+ include/ldap_pvt.h             |   5 ++
+ libraries/libldap/cyrus.c      | 101 +++++++++++++++++++++++++++++----
+ libraries/libldap/init.c       |   1 +
+ libraries/libldap/ldap-int.h   |   1 +
+ libraries/libldap/ldap-tls.h   |   2 +
+ libraries/libldap/tls2.c       |   7 +++
+ libraries/libldap/tls_g.c      |  59 +++++++++++++++++++
+ libraries/libldap/tls_o.c      |  45 +++++++++++++++
+ servers/slapd/bconfig.c        |  11 +++-
+ servers/slapd/config.c         |   1 +
+ servers/slapd/connection.c     |   9 +--
+ servers/slapd/proto-slap.h     |   4 +-
+ servers/slapd/sasl.c           |  27 ++++++---
+ 18 files changed, 274 insertions(+), 30 deletions(-)
+
+diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
+index 7546875f5..e953900ce 100644
+--- a/doc/man/man3/ldap_get_option.3
++++ b/doc/man/man3/ldap_get_option.3
+@@ -557,6 +557,22 @@ must be a
+ .BR "char **" .
+ Its content needs to be freed by the caller using
+ .BR ldap_memfree (3).
++.B LDAP_OPT_X_SASL_CBINDING
++Sets/gets the channel-binding type to use in SASL,
++one of
++.BR LDAP_OPT_X_SASL_CBINDING_NONE
++(the default),
++.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE
++the "tls-unique" type from RCF 5929.
++.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT
++the "tls-server-end-point" from RCF 5929, compatible with Windows.
++.BR invalue
++must be
++.BR "const int *" ;
++.BR outvalue
++must be
++.BR "int *" .
++.TP
+ .SH TCP OPTIONS
+ The TCP options are OpenLDAP specific.
+ Mainly intended for use with Linux, they may not be portable.
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index adf134899..29810fc9f 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -286,6 +286,9 @@ size allowed.  0 disables security layers.  The default is 65536.
+ .TP
+ .B SASL_NOCANON <on/true/yes/off/false/no>
+ Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
++.TP
++.B SASL_CBINDING <none/tls-unique/tls-endpoint>
++The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
+ .SH GSSAPI OPTIONS
+ If OpenLDAP is built with Generic Security Services Application Programming Interface support,
+ there are more options you can specify.
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 0dddfdb6c..8c987d8c1 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -699,6 +699,10 @@ Used to specify the fully qualified domain name used for SASL processing.
+ .B olcSaslRealm: <realm>
+ Specify SASL realm.  Default is empty.
+ .TP
++.B olcSaslCbinding: none | tls-unique | tls-endpoint
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
++Default is none.
++.TP
+ .B olcSaslSecProps: <properties>
+ Used to specify Cyrus SASL security properties.
+ The
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index 0071072b1..203ab988e 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -893,6 +893,9 @@ The
+ property specifies the maximum security layer receive buffer
+ size allowed.  0 disables security layers.  The default is 65536.
+ .TP
++.B sasl\-cbinding none | tls-unique | tls-endpoint
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
++.TP
+ .B schemadn <dn>
+ Specify the distinguished name for the subschema subentry that
+ controls the entries on this server.  The default is "cn=Subschema".
+diff --git a/include/ldap.h b/include/ldap.h
+index 88bfcabf8..e8ac968a9 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -180,6 +180,10 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
+ 
++#define LDAP_OPT_X_SASL_CBINDING_NONE		0
++#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE	1
++#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT	2
++
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH			0x6100
+ #define LDAP_OPT_X_SASL_REALM			0x6101
+@@ -195,6 +199,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_SASL_NOCANON			0x610b
+ #define LDAP_OPT_X_SASL_USERNAME		0x610c /* read-only */
+ #define LDAP_OPT_X_SASL_GSS_CREDS		0x610d
++#define LDAP_OPT_X_SASL_CBINDING		0x610e
+ 
+ /* OpenLDAP GSSAPI options */
+ #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT      0x6200
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index c586a95b5..b71552ec5 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
+ LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex));
+ LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex));
+ LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex));
++
++LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg ));
++LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type,
++					        int is_server ));
+ #endif /* HAVE_CYRUS_SASL */
+ 
+ struct sockbuf; /* avoid pulling in <lber.h> */
+@@ -426,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
+ 	LDAPDN_rewrite_dummy *func, unsigned flags ));
+ LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
+ LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
++LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+ 
+ LDAP_END_DECL
+ 
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 3171d56a3..081e3cea5 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -368,6 +368,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
+ 	return LDAP_SUCCESS;
+ }
+ 
++int ldap_pvt_sasl_cbinding_parse( const char *arg )
++{
++	int i = -1;
++
++	if ( strcasecmp(arg, "none") == 0 )
++		i = LDAP_OPT_X_SASL_CBINDING_NONE;
++	else if ( strcasecmp(arg, "tls-unique") == 0 )
++		i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
++	else if ( strcasecmp(arg, "tls-endpoint") == 0 )
++		i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
++
++	return i;
++}
++
++void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
++{
++#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
++	char unique_prefix[] = "tls-unique:";
++	char endpoint_prefix[] = "tls-server-end-point:";
++	char cbinding[ 64 ];
++	struct berval cbv = { 64, cbinding };
++	void *cb_data; /* used since cb->data is const* */
++	sasl_channel_binding_t *cb;
++	char *prefix;
++	int plen;
++
++	switch (type) {
++	case LDAP_OPT_X_SASL_CBINDING_NONE:
++		return NULL;
++	case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
++		if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
++			return NULL;
++		prefix = unique_prefix;
++		plen = sizeof(unique_prefix) -1;
++		break;
++	case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
++		if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
++			return NULL;
++		prefix = endpoint_prefix;
++		plen = sizeof(endpoint_prefix) -1;
++		break;
++	default:
++		return NULL;
++	}
++
++	cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
++	cb->len = plen + cbv.bv_len;
++	cb->data = cb_data = cb+1;
++	memcpy( cb_data, prefix, plen );
++	memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
++	cb->name = "ldap";
++	cb->critical = 0;
++
++	return cb;
++#else
++	return NULL;
++#endif
++}
++
+ int
+ ldap_int_sasl_bind(
+ 	LDAP			*ld,
+@@ -497,17 +556,12 @@ ldap_int_sasl_bind(
+ 			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+ 			LDAP_FREE( authid.bv_val );
+ #ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */
+-			{
+-				char cbinding[64];
+-				struct berval cbv = { sizeof(cbinding), cbinding };
+-				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
+-					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
+-						cbv.bv_len);
+-					cb->name = "ldap";
+-					cb->critical = 0;
+-					cb->data = (char *)(cb+1);
+-					cb->len = cbv.bv_len;
+-					memcpy( cb->data, cbv.bv_val, cbv.bv_len );
++			if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
++				void *cb;
++				cb = ldap_pvt_sasl_cbinding( ssl,
++							     ld->ld_options.ldo_sasl_cbinding,
++							     0 );
++				if ( cb != NULL ) {
+ 					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
+ 						SASL_CHANNEL_BINDING, cb );
+ 					ld->ld_defconn->lconn_sasl_cbind = cb;
+@@ -930,12 +984,20 @@ int ldap_pvt_sasl_secprops(
+ int
+ ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
+ {
+-	int rc;
++	int rc, i;
+ 
+ 	switch( option ) {
+ 	case LDAP_OPT_X_SASL_SECPROPS:
+ 		rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
+ 		if( rc == LDAP_SUCCESS ) return 0;
++		break;
++	case LDAP_OPT_X_SASL_CBINDING:
++		i = ldap_pvt_sasl_cbinding_parse( arg );
++		if ( i >= 0 ) {
++			lo->ldo_sasl_cbinding = i;
++			return 0;
++		}
++		break;
+ 	}
+ 
+ 	return -1;
+@@ -1041,6 +1103,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
+ 			/* this option is write only */
+ 			return -1;
+ 
++		case LDAP_OPT_X_SASL_CBINDING:
++			*(int *)arg = ld->ld_options.ldo_sasl_cbinding;
++			break;
++
+ #ifdef SASL_GSS_CREDS
+ 		case LDAP_OPT_X_SASL_GSS_CREDS: {
+ 			sasl_conn_t *ctx;
+@@ -1142,6 +1208,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
+ 		return sc == LDAP_SUCCESS ? 0 : -1;
+ 		}
+ 
++	case LDAP_OPT_X_SASL_CBINDING:
++		if ( !arg ) return -1;
++		switch( *(int *) arg ) {
++		case LDAP_OPT_X_SASL_CBINDING_NONE:
++		case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
++		case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
++			ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
++			return 0;
++		}
++		return -1;
++
+ #ifdef SASL_GSS_CREDS
+ 	case LDAP_OPT_X_SASL_GSS_CREDS: {
+ 		sasl_conn_t *ctx;
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 746824fbd..0c4b6237e 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -113,6 +113,7 @@ static const struct ol_attribute {
+ 		offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
+ 	{0, ATTR_SASL,		"SASL_SECPROPS",	NULL,	LDAP_OPT_X_SASL_SECPROPS},
+ 	{0, ATTR_BOOL,		"SASL_NOCANON",	NULL,	LDAP_BOOL_SASL_NOCANON},
++	{0, ATTR_SASL,		"SASL_CBINDING",	NULL,	LDAP_OPT_X_SASL_CBINDING},
+ #endif
+ 
+ #ifdef HAVE_GSSAPI
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 397894271..08d4b4a92 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -276,6 +276,7 @@ struct ldapoptions {
+ 
+ 	/* SASL Security Properties */
+ 	struct sasl_security_properties	ldo_sasl_secprops;
++	int ldo_sasl_cbinding;
+ #define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
+ #else
+ #define LDAP_LDO_SASL_NULLARG
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index 103004fa7..77975bb6c 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+ typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+ typedef int (TI_session_strength)(tls_session *sess);
+ typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
++typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
+ typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
+ 
+ typedef void (TI_thr_init)(void);
+@@ -67,6 +68,7 @@ typedef struct tls_impl {
+ 	TI_session_chkhost *ti_session_chkhost;
+ 	TI_session_strength *ti_session_strength;
+ 	TI_session_unique *ti_session_unique;
++	TI_session_endpoint *ti_session_endpoint;
+ 	TI_session_peercert *ti_session_peercert;
+ 
+ 	Sockbuf_IO *ti_sbio;
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 8b1fee748..f74af7d1d 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1041,6 +1041,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
+ 	return tls_imp->ti_session_unique( session, buf, is_server );
+ }
+ 
++int
++ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server )
++{
++	tls_session *session = s;
++	return tls_imp->ti_session_endpoint( session, buf, is_server );
++}
++
+ int
+ ldap_pvt_tls_get_peercert( void *s, struct berval *der )
+ {
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index 26d9f99ce..52dfcd3ab 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -675,6 +675,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return 0;
+ }
+ 
++static int
++tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
++{
++	tlsg_session *s = (tlsg_session *)sess;
++	const gnutls_datum_t *cert_data;
++	gnutls_x509_crt_t server_cert;
++	gnutls_digest_algorithm_t md;
++	int sign_algo, md_len, rc;
++
++	if ( is_server )
++		cert_data = gnutls_certificate_get_ours( s->session );
++	else
++		cert_data = gnutls_certificate_get_peers( s->session, NULL );
++
++	if ( cert_data == NULL )
++		return 0;
++
++	rc = gnutls_x509_crt_init( &server_cert );
++	if ( rc != GNUTLS_E_SUCCESS )
++		return 0;
++
++	rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER );
++	if ( rc != GNUTLS_E_SUCCESS ) {
++		gnutls_x509_crt_deinit( server_cert );
++		return 0;
++	}
++
++	sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert );
++	gnutls_x509_crt_deinit( server_cert );
++	if ( sign_algo <= GNUTLS_SIGN_UNKNOWN )
++		return 0;
++
++	md = gnutls_sign_get_hash_algorithm( sign_algo );
++	if ( md == GNUTLS_DIG_UNKNOWN )
++		return 0;
++
++	/* See RFC 5929 */
++	switch (md) {
++	case GNUTLS_DIG_NULL:
++	case GNUTLS_DIG_MD2:
++	case GNUTLS_DIG_MD5:
++	case GNUTLS_DIG_SHA1:
++		md = GNUTLS_DIG_SHA256;
++	}
++
++	md_len = gnutls_hash_get_len( md );
++	if ( md_len == 0 || md_len > buf->bv_len )
++		return 0;
++
++	rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val );
++	if ( rc != GNUTLS_E_SUCCESS )
++		return 0;
++
++	buf->bv_len = md_len;
++
++	return md_len;
++}
++
+ static int
+ tlsg_session_peercert( tls_session *sess, struct berval *der )
+ {
+@@ -950,6 +1008,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsg_session_chkhost,
+ 	tlsg_session_strength,
+ 	tlsg_session_unique,
++	tlsg_session_endpoint,
+ 	tlsg_session_peercert,
+ 
+ 	&tlsg_sbio,
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 157923289..8ede11572 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -861,6 +861,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return buf->bv_len;
+ }
+ 
++static int
++tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
++{
++	tlso_session *s = (tlso_session *)sess;
++	const EVP_MD *md;
++	unsigned int md_len;
++	X509 *cert;
++
++	if ( buf->bv_len < EVP_MAX_MD_SIZE )
++		return 0;
++
++	if ( is_server )
++		cert = SSL_get_certificate( s );
++	else
++		cert = SSL_get_peer_certificate( s );
++
++	if ( cert == NULL )
++		return 0;
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000
++	md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
++#else
++	md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
++#endif
++
++	/* See RFC 5929 */
++	if ( md == NULL ||
++	     md == EVP_md_null() ||
++#ifndef OPENSSL_NO_MD2
++	     md == EVP_md2() ||
++#endif
++	     md == EVP_md4() ||
++	     md == EVP_md5() ||
++	     md == EVP_sha1() )
++		md = EVP_sha256();
++
++	if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
++		return 0;
++
++	buf->bv_len = md_len;
++
++	return md_len;
++}
++
+ static int
+ tlso_session_peercert( tls_session *sess, struct berval *der )
+ {
+@@ -1394,6 +1438,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlso_session_chkhost,
+ 	tlso_session_strength,
+ 	tlso_session_unique,
++	tlso_session_endpoint,
+ 	tlso_session_peercert,
+ 
+ 	&tlso_sbio,
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 3188ccfbe..8c4ccb860 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -569,6 +569,15 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ 		"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
+ 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++	{ "sasl-cbinding", NULL, 2, 2, 0,
++#ifdef HAVE_CYRUS_SASL
++		ARG_STRING, &sasl_cbinding,
++#else
++		ARG_IGNORED, NULL,
++#endif
++		"( OLcfgGlAt:100 NAME 'olcSaslCBinding' "
++			"EQUALITY caseIgnoreMatch "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ "sasl-host", "host", 2, 2, 0,
+ #ifdef HAVE_CYRUS_SASL
+ 		ARG_STRING|ARG_UNIQUE, &sasl_host,
+@@ -820,7 +829,7 @@ static ConfigOCs cf_ocs[] = {
+ 		 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
+ 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
+ 		 "olcRootDSE $ "
+-		 "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
++		 "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
+ 		 "olcSecurity $ olcServerID $ olcSizeLimit $ "
+ 		 "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
+ 		 "olcTCPBuffer $ "
+diff --git a/servers/slapd/config.c b/servers/slapd/config.c
+index 5108da696..77dd3c1ae 100644
+--- a/servers/slapd/config.c
++++ b/servers/slapd/config.c
+@@ -73,6 +73,7 @@ char	*global_host = NULL;
+ struct berval global_host_bv = BER_BVNULL;
+ char	*global_realm = NULL;
+ char	*sasl_host = NULL;
++char	*sasl_cbinding = NULL;
+ char		**default_passwd_hash = NULL;
+ struct berval default_search_base = BER_BVNULL;
+ struct berval default_search_nbase = BER_BVNULL;
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index 0602fdceb..d074009e4 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -1430,12 +1430,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
+ 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+ 			slap_sasl_external( c, c->c_tls_ssf, &authid );
+ 			if ( authid.bv_val ) free( authid.bv_val );
+-			{
+-				char cbinding[64];
+-				struct berval cbv = { sizeof(cbinding), cbinding };
+-				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
+-					slap_sasl_cbinding( c, &cbv );
+-			}
++
++			slap_sasl_cbinding( c, ssl );
++
+ 		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+ 			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */
+ 			slapd_set_write( s, 1 );
+diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
+index de1cabf32..9b52760bd 100644
+--- a/servers/slapd/proto-slap.h
++++ b/servers/slapd/proto-slap.h
+@@ -1657,8 +1657,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
+ 	slap_ssf_t ssf,	/* relative strength of external security */
+ 	struct berval *authid );	/* asserted authenication id */
+ 
+-LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
+-	struct berval *cbv );
++LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl );
+ 
+ LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
+ LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
+@@ -2039,6 +2038,7 @@ LDAP_SLAPD_V (char *)	global_host;
+ LDAP_SLAPD_V (struct berval)	global_host_bv;
+ LDAP_SLAPD_V (char *)	global_realm;
+ LDAP_SLAPD_V (char *)	sasl_host;
++LDAP_SLAPD_V (char *)	sasl_cbinding;
+ LDAP_SLAPD_V (char *)	slap_sasl_auxprops;
+ LDAP_SLAPD_V (char **)	default_passwd_hash;
+ LDAP_SLAPD_V (int)		lber_debug;
+diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
+index 258cd5407..c14e8a628 100644
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1203,6 +1203,8 @@ int slap_sasl_destroy( void )
+ #endif
+ 	free( sasl_host );
+ 	sasl_host = NULL;
++	free( sasl_cbinding );
++	sasl_cbinding = NULL;
+ 
+ 	return 0;
+ }
+@@ -1389,17 +1391,24 @@ int slap_sasl_external(
+ 	return LDAP_SUCCESS;
+ }
+ 
+-int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
++int slap_sasl_cbinding( Connection *conn, void *ssl )
+ {
+ #ifdef SASL_CHANNEL_BINDING
+-	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
+-	cb->name = "ldap";
+-	cb->critical = 0;
+-	cb->data = (char *)(cb+1);
+-	cb->len = cbv->bv_len;
+-	memcpy( cb->data, cbv->bv_val, cbv->bv_len );
+-	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+-	conn->c_sasl_cbind = cb;
++	void *cb;
++	int i;
++
++	if ( sasl_cbinding == NULL )
++		return LDAP_SUCCESS;
++
++	i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
++	if ( i < 0 )
++		return LDAP_SUCCESS;
++
++	cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
++	if ( cb != NULL ) {
++		sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
++		conn->c_sasl_cbind = cb;
++	}
+ #endif
+ 	return LDAP_SUCCESS;
+ }
+-- 
+2.29.2
+
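Review bot: In `tlso_session_endpoint` the client-side branch takes `cert = SSL_get_peer_certificate( s )`, which per the OpenSSL API returns a reference the caller owns, and nothing in the function releases it, so every client-side tls-endpoint binding leaks an X509; `SSL_get_certificate` on the server side does not transfer ownership, so the release must be `if ( !is_server ) X509_free( cert );` on both the `X509_digest` failure path and before the final `return md_len;`. In `ldap_pvt_sasl_cbinding` the result of `ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len )` is written through without a NULL check; add `if ( cb == NULL ) return NULL;` before `cb->len = ...`. `slap_sasl_cbinding` returns `LDAP_SUCCESS` when `ldap_pvt_sasl_cbinding_parse( sasl_cbinding )` yields `-1`, so a misspelled `sasl-cbinding` value silently disables channel binding on every connection instead of being rejected; since the `sasl-cbinding` ConfigTable entry is a plain `ARG_STRING`, validating the value once at configuration time (or at least logging the rejected string) would surface the misconfiguration at startup. As a point of style, `cb_data + plen` performs arithmetic on a `void *`, a GNU extension; declaring `cb_data` as `char *` keeps the code standard C and still satisfies the const-discarding purpose noted in its comment.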
diff --git a/SOURCES/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch b/SOURCES/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
new file mode 100644
index 0000000..a8727dc
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
@@ -0,0 +1,45 @@
+From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 18 Apr 2020 16:30:03 +0200
+Subject: [PATCH] ITS#9189 add channel-bindings tests
+
+---
+ tests/scripts/test068-sasl-tls-external | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
+index dcbc50fd4..ee112cf98 100755
+--- a/tests/scripts/test068-sasl-tls-external
++++ b/tests/scripts/test068-sasl-tls-external
+@@ -88,6 +88,28 @@ else
+ 	echo "success"
+ fi
+ 
++# Exercise channel-bindings code in builds without SASL support
++for cb in "none" "tls-unique" "tls-endpoint" ; do
++
++	echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
++
++	$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt     \
++	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt           \
++	-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key          \
++	-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1      \
++	> $TESTOUT 2>&1
++
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		test $KILLSERVERS != no && kill -HUP $PID
++		exit $RC
++	else
++		echo "success"
++	fi
++done
++
++
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ 
+ if test $RC != 0 ; then
+-- 
+2.29.2
+
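Review bot: The new loop only asserts that `ldapwhoami` exits 0 for each `SASL_CBINDING` value, which is also the outcome when no binding is applied at all (the library returns no binding for `none`, and for the TLS types whenever the TLS layer cannot produce one), so a regression that silently drops the binding would still pass. If the server logs or the whoami result expose whether a binding was negotiated, the `tls-unique` and `tls-endpoint` iterations should check for that rather than only the exit status; otherwise the comment above the loop should say the test is a smoke test, e.g. `# Smoke test: only verifies the bind does not fail with each SASL_CBINDING type`. The enclosing script continues outside the hunk.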
diff --git a/SOURCES/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch b/SOURCES/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
new file mode 100644
index 0000000..ee9a3ca
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
@@ -0,0 +1,27 @@
+From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 23 Apr 2020 22:47:32 +0200
+Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in
+ LDAP_LDO_SASL_NULLARG
+
+Reported-by: Ryan Tandy @ryan
+---
+ libraries/libldap/ldap-int.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 08d4b4a92..8c7f1e5c1 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -277,7 +277,7 @@ struct ldapoptions {
+ 	/* SASL Security Properties */
+ 	struct sasl_security_properties	ldo_sasl_secprops;
+ 	int ldo_sasl_cbinding;
+-#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
++#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
+ #else
+ #define LDAP_LDO_SASL_NULLARG
+ #endif
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-ITS-9215-fix-for-glibc-again.patch b/SOURCES/openldap-cbinding-ITS-9215-fix-for-glibc-again.patch
new file mode 100644
index 0000000..ec62c85
--- /dev/null
+++ b/SOURCES/openldap-cbinding-ITS-9215-fix-for-glibc-again.patch
@@ -0,0 +1,28 @@
+From d548ab15e0d615524c403440c01a9748bfcac87d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 28 Apr 2020 16:33:41 +0100
+Subject: [PATCH] ITS#9215 fix for glibc again
+
+---
+ libraries/libldap_r/thr_posix.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c
+index e4b435707..62f94ca16 100644
+--- a/libraries/libldap_r/thr_posix.c
++++ b/libraries/libldap_r/thr_posix.c
+@@ -18,6 +18,11 @@
+ 
+ #if defined( HAVE_PTHREADS )
+ 
++#ifdef __GLIBC__
++#undef _FEATURES_H
++#define _XOPEN_SOURCE 500		/* For pthread_setconcurrency() on glibc */
++#endif
++
+ #include <ac/errno.h>
+ 
+ #ifdef REPLACE_BROKEN_YIELD
+-- 
+2.31.1
+
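Review bot: `#undef _FEATURES_H` relies on a glibc-internal include guard, and redefining `_XOPEN_SOURCE` after earlier headers have already been processed under a different feature set can yield inconsistent declarations between translation units; the surrounding includes that make this necessary are outside the hunk. The block deserves a comment naming the header that fixes the feature set too early and why `pthread_setconcurrency()` needs `_XOPEN_SOURCE 500`, e.g. `/* glibc: <features.h> was already pulled in with a narrower feature set; force re-evaluation so pthread_setconcurrency() is declared */`, so the next maintainer does not remove it as dead code.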
diff --git a/SOURCES/openldap-cbinding-Make-prototypes-available-where-needed.patch b/SOURCES/openldap-cbinding-Make-prototypes-available-where-needed.patch
new file mode 100644
index 0000000..206f7ca
--- /dev/null
+++ b/SOURCES/openldap-cbinding-Make-prototypes-available-where-needed.patch
@@ -0,0 +1,64 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
+Date: Tue, 19 Feb 2019 10:26:39 +0000
+Subject: [PATCH] Make prototypes available where needed
+
+---
+ libraries/libldap/tls2.c   | 3 +++
+ servers/slapd/config.c     | 1 +
+ servers/slapd/proto-slap.h | 4 ++++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index ad09ba39b..8b1fee748 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -76,6 +76,9 @@ static oid_name oids[] = {
+ 
+ #ifdef HAVE_TLS
+ 
++LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
++LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
++
+ void
+ ldap_pvt_tls_ctx_free ( void *c )
+ {
+diff --git a/servers/slapd/config.c b/servers/slapd/config.c
+index bd68a2421..5108da696 100644
+--- a/servers/slapd/config.c
++++ b/servers/slapd/config.c
+@@ -48,6 +48,7 @@
+ #endif
+ #include "lutil.h"
+ #include "lutil_ldap.h"
++#include "ldif.h"
+ #include "config.h"
+ 
+ #ifdef _WIN32
+diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
+index 7f8e604fa..de1cabf32 100644
+--- a/servers/slapd/proto-slap.h
++++ b/servers/slapd/proto-slap.h
+@@ -739,6 +739,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
+ LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
+ 	slap_bindconf *bc, LDAP *ld ));
+ LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
++LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
+ LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
+ LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
+ 	const char *fname, int lineno, int argc, char **argv ));
+@@ -1656,6 +1657,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
+ 	slap_ssf_t ssf,	/* relative strength of external security */
+ 	struct berval *authid );	/* asserted authenication id */
+ 
++LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
++	struct berval *cbv );
++
+ LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
+ LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
+ 
+-- 
+2.29.2
+
diff --git a/SOURCES/openldap-cbinding-Update-keys-to-RSA-4096.patch b/SOURCES/openldap-cbinding-Update-keys-to-RSA-4096.patch
new file mode 100644
index 0000000..f4342e4
--- /dev/null
+++ b/SOURCES/openldap-cbinding-Update-keys-to-RSA-4096.patch
@@ -0,0 +1,526 @@
+From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
+Date: Tue, 30 Oct 2018 15:42:35 +0000
+Subject: [PATCH] Update keys to RSA 4096
+
+---
+ tests/data/tls/ca/certs/testsuiteCA.crt       | 133 ++++++++++++++++--
+ tests/data/tls/ca/private/testsuiteCA.key     |  64 +++++++--
+ .../tls/certs/bjensen@mailgw.example.com.crt  |  44 ++++--
+ tests/data/tls/certs/localhost.crt            |  44 ++++--
+ tests/data/tls/conf/openssl.cnf               |   2 +-
+ tests/data/tls/create-crt.sh                  |   9 +-
+ .../private/bjensen@mailgw.example.com.key    |  64 +++++++--
+ tests/data/tls/private/localhost.key          |  64 +++++++--
+ 8 files changed, 336 insertions(+), 88 deletions(-)
+
+diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
+index 7458e7461..62c88acca 100644
+--- a/tests/data/tls/ca/certs/testsuiteCA.crt
++++ b/tests/data/tls/ca/certs/testsuiteCA.crt
+@@ -1,16 +1,121 @@
++Certificate:
++    Data:
++        Version: 3 (0x2)
++        Serial Number:
++            0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06
++        Signature Algorithm: sha256WithRSAEncryption
++        Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
++        Validity
++            Not Before: Oct 30 15:29:02 2018 GMT
++            Not After : Nov 13 15:29:02 2519 GMT
++        Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                RSA Public-Key: (4096 bit)
++                Modulus:
++                    00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81:
++                    97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24:
++                    62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5:
++                    9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6:
++                    66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88:
++                    5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af:
++                    59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8:
++                    15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75:
++                    f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57:
++                    cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9:
++                    65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c:
++                    6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4:
++                    64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd:
++                    df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3:
++                    61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87:
++                    e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af:
++                    aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3:
++                    0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7:
++                    d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4:
++                    33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d:
++                    fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8:
++                    48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85:
++                    26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96:
++                    be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39:
++                    a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f:
++                    f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84:
++                    66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac:
++                    fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a:
++                    27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b:
++                    a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66:
++                    e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22:
++                    ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82:
++                    76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df:
++                    ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32:
++                    4d:11:39
++                Exponent: 65537 (0x10001)
++        X509v3 extensions:
++            X509v3 Subject Key Identifier: 
++                90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
++            X509v3 Authority Key Identifier: 
++                keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
++
++            X509v3 Basic Constraints: critical
++                CA:TRUE
++    Signature Algorithm: sha256WithRSAEncryption
++         0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5:
++         37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08:
++         e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41:
++         8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6:
++         a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93:
++         d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06:
++         92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e:
++         d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a:
++         0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5:
++         bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab:
++         a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8:
++         92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76:
++         0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63:
++         a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74:
++         ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe:
++         37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee:
++         7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94:
++         4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e:
++         d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e:
++         35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83:
++         91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe:
++         cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d:
++         b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83:
++         c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07:
++         7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a:
++         7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98:
++         ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d:
++         2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c:
++         6f:1c:c4:a9:28:e1:3d:4d
+ -----BEGIN CERTIFICATE-----
+-MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
+-BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv
+-bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0
+-NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+-MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB
+-UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd
+-rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb
+-lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL
+-6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU
+-7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB
+-SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/
+-wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws
+-ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q
+-aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==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
+ -----END CERTIFICATE-----
+diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
+index 2e14d7033..01a6614c1 100644
+--- a/tests/data/tls/ca/private/testsuiteCA.key
++++ b/tests/data/tls/ca/private/testsuiteCA.key
+@@ -1,16 +1,52 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ
+-WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc
+-338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/
+-dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg
+-O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf
+-7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn
+-rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f
+-wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk
+-AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l
+-vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9
+-27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X
+-KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N
+-I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL
+-+b2qljWeZbGH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
+ -----END PRIVATE KEY-----
+diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+index 93e3a0d39..eb0fc693f 100644
+--- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt
++++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+@@ -1,16 +1,32 @@
+ -----BEGIN CERTIFICATE-----
+-MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
+-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
+-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
+-ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV
+-BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD
+-VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa
+-YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+-MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg
+-QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU
+-U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL
+-MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn
+-wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f
+-7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo
+-4DnnYQBDnq48VORVX94=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
+ -----END CERTIFICATE-----
+diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
+index 194cb119d..3aeae3c16 100644
+--- a/tests/data/tls/certs/localhost.crt
++++ b/tests/data/tls/certs/localhost.crt
+@@ -1,16 +1,32 @@
+ -----BEGIN CERTIFICATE-----
+-MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
+-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
+-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
+-ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE
+-CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT
+-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+-iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4
+-7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv
+-8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ
+-BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A
+-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG
+-8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl
+-0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR
+-GjeZB1FxqDGHjxBq2O828iejw28bSz4=
++MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
++BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx
++MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
++T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
++ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
++CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA
++Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY
++VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac
++xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh
++ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm
++ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO
++hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P
++BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM
++26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn
++bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb
++Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw
++CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
++AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY
++t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw
++0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9
++cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6
++6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq
++9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd
++GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn
++cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO
++qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW
++LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S
++keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf
++0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ==
+ -----END CERTIFICATE-----
+diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
+index a3c8ad9f6..632cff11c 100644
+--- a/tests/data/tls/conf/openssl.cnf
++++ b/tests/data/tls/conf/openssl.cnf
+@@ -51,7 +51,7 @@ commonName              = supplied
+ emailAddress            = optional
+ 
+ [ req ]
+-default_bits            = 2048
++default_bits            = @KEY_BITS@
+ default_keyfile         = privkey.pem
+ distinguished_name      = req_distinguished_name
+ attributes              = req_attributes
+diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
+index 8c33a24fe..739f8eaf1 100755
+--- a/tests/data/tls/create-crt.sh
++++ b/tests/data/tls/create-crt.sh
+@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then
+ echo "OpenSSL command line binary not found, skipping..."
+ fi
+ 
++KEY_BITS=4096
++KEY_TYPE=rsa:$KEY_BITS
++
+ USAGE="$0 [-s] [-u <user@domain.com>]"
+ SERVER=0
+ USER=0
+@@ -45,13 +48,13 @@ echo "00" > cruft/serial
+ touch cruft/index.txt
+ touch cruft/index.txt.attr
+ hn=$(hostname -f)
+-sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf
++sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf >  ./openssl.cnf
+ 
+ if [ $SERVER = 1 ]; then
+ 	rm -rf private/localhost.key certs/localhost.crt
+ 
+ 	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
+-		-newkey rsa:1024 -config ./openssl.cnf \
++		-newkey $KEY_TYPE -config ./openssl.cnf \
+ 		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
+ 		-batch > /dev/null 2>&1
+ 
+@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then
+ 	rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
+ 
+ 	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
+-		-newkey rsa:1024 -config ./openssl.cnf \
++		-newkey $KEY_TYPE -config ./openssl.cnf \
+ 		-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \
+ 		-batch >/dev/null 2>&1
+ 
+diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
+index 5f4625fd7..e30e11586 100644
+--- a/tests/data/tls/private/bjensen@mailgw.example.com.key
++++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
+@@ -1,16 +1,52 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2
+-xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4
+-9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z
+-yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r
+-oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e
+-nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg
+-xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra
+-EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd
+-9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/
+-pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI
+-tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ
+-3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D
+-tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg
+-36Ixj3L+5H18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
+ -----END PRIVATE KEY-----
+diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
+index 8a24f69f8..99cb512c4 100644
+--- a/tests/data/tls/private/localhost.key
++++ b/tests/data/tls/private/localhost.key
+@@ -1,16 +1,52 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg
+-ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM
+-w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM
+-brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij
+-Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf
+-2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ
+-bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q
+-1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf
+-3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U
+-VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7
+-TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b
+-iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP
+-5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3
+-b61hkjQZfbEg5cg=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
+ -----END PRIVATE KEY-----
+-- 
+2.29.2
+
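Review bot: `KEY_BITS=4096` in create-crt.sh is a fixed assignment, so regenerating the fixtures at another size means editing the script; `KEY_BITS=${KEY_BITS:-4096}` keeps the same default while letting the caller override it. The two `$openssl req ... -newkey $KEY_TYPE` invocations still end in `-batch > /dev/null 2>&1`, so a failed key generation on the new 4096-bit path only shows up later as a missing file under certs/ or private/; redirecting stderr to a log file in the cruft/ directory would make that debuggable. Note also that testsuiteCA.crt now carries the `openssl x509 -text` dump ahead of its PEM block while localhost.crt and the user certificate do not; PEM readers generally skip leading text, but the three fixtures would be easier to maintain if they were stored the same way.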
diff --git a/SOURCES/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch b/SOURCES/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
new file mode 100644
index 0000000..125ae6b
--- /dev/null
+++ b/SOURCES/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
@@ -0,0 +1,487 @@
+From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Apr 2020 16:19:05 +0300
+Subject: [PATCH] auth: add SASL/GSSAPI tests
+
+---
+ tests/data/krb5.conf              |  32 ++++++
+ tests/data/slapd-sasl-gssapi.conf |  65 ++++++++++++
+ tests/scripts/conf.sh             |   3 +
+ tests/scripts/defines.sh          |   5 +
+ tests/scripts/setup_kdc.sh        | 144 +++++++++++++++++++++++++++
+ tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
+ 6 files changed, 408 insertions(+)
+ create mode 100644 tests/data/krb5.conf
+ create mode 100644 tests/data/slapd-sasl-gssapi.conf
+ create mode 100755 tests/scripts/setup_kdc.sh
+ create mode 100755 tests/scripts/test077-sasl-gssapi
+
+diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
+new file mode 100644
+index 000000000..739113742
+--- /dev/null
++++ b/tests/data/krb5.conf
+@@ -0,0 +1,32 @@
++[libdefaults]
++  default_realm = @KRB5REALM@
++  dns_lookup_realm = false
++  dns_lookup_kdc = false
++  default_ccache_name = FILE://@TESTDIR@/ccache
++  #udp_preference_limit = 1
++[realms]
++ @KRB5REALM@ = {
++  kdc = @KDCHOST@:@KDCPORT@
++  acl_file = @TESTDIR@/kadm.acl
++  database_name = @TESTDIR@/kdc.db
++  key_stash_file = @TESTDIR@/kdc.stash
++ }
++[kdcdefaults]
++  kdc_ports = @KDCPORT@
++  kdc_tcp_ports = @KDCPORT@
++[logging]
++  kdc = FILE:@TESTDIR@/kdc.log
++  admin_server = FILE:@TESTDIR@/kadm.log
++  default = FILE:@TESTDIR@/krb5.log
++
++#Heimdal
++[kdc]
++ database = {
++  dbname = @TESTDIR@/kdc.db
++  realm = @KRB5REALM@
++  mkey_file = @TESTDIR@/kdc.stash
++  log_file = @TESTDIR@/kdc.log
++  acl_file = @TESTDIR@/kadm.acl
++ }
++[hdb]
++  db-dir = @TESTDIR@
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+new file mode 100644
+index 000000000..611fc7097
+--- /dev/null
++++ b/tests/data/slapd-sasl-gssapi.conf
+@@ -0,0 +1,65 @@
++# stand-alone slapd config -- for testing (with indexing)
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++#
++include		@SCHEMADIR@/core.schema
++include		@SCHEMADIR@/cosine.schema
++#
++include		@SCHEMADIR@/corba.schema
++include		@SCHEMADIR@/java.schema
++include		@SCHEMADIR@/inetorgperson.schema
++include		@SCHEMADIR@/misc.schema
++include		@SCHEMADIR@/nis.schema
++include		@SCHEMADIR@/openldap.schema
++#
++include		@SCHEMADIR@/duaconf.schema
++include		@SCHEMADIR@/dyngroup.schema
++
++#
++pidfile		@TESTDIR@/slapd.1.pid
++argsfile	@TESTDIR@/slapd.1.args
++
++# SSL configuration
++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
++
++#
++rootdse 	@DATADIR@/rootdse.ldif
++
++#mod#modulepath	../servers/slapd/back-@BACKEND@/
++#mod#moduleload	back_@BACKEND@.la
++#monitormod#modulepath ../servers/slapd/back-monitor/
++#monitormod#moduleload back_monitor.la
++
++
++#######################################################################
++# database definitions
++#######################################################################
++
++database	@BACKEND@
++suffix          "dc=example,dc=com"
++rootdn          "cn=Manager,dc=example,dc=com"
++rootpw          secret
++#~null~#directory	@TESTDIR@/db.1.a
++#indexdb#index		objectClass eq
++#indexdb#index		mail eq
++#ndb#dbname db_1_a
++#ndb#include @DATADIR@/ndb.conf
++
++#monitor#database	monitor
++
++sasl-realm	@KRB5REALM@
++sasl-host	localhost
+diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
+index 2a859d89d..5b477ed93 100755
+--- a/tests/scripts/conf.sh
++++ b/tests/scripts/conf.sh
+@@ -97,4 +97,7 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
+ 	-e "s;@TESTWD@;${TESTWD};"			\
+ 	-e "s;@DATADIR@;${DATADIR};"			\
+ 	-e "s;@SCHEMADIR@;${SCHEMADIR};"		\
++	-e "s;@KRB5REALM@;${KRB5REALM};"		\
++	-e "s;@KDCHOST@;${KDCHOST};"			\
++	-e "s;@KDCPORT@;${KDCPORT};"			\
+ 	-e "/^#/d"
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 26dab1bae..78dc1f8ae 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -108,6 +108,7 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
+ TLSCONF=$DATADIR/slapd-tls.conf
+ TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
++SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+@@ -214,6 +215,7 @@ PORT3=`expr $BASEPORT + 3`
+ PORT4=`expr $BASEPORT + 4`
+ PORT5=`expr $BASEPORT + 5`
+ PORT6=`expr $BASEPORT + 6`
++KDCPORT=`expr $BASEPORT + 7`
+ URI1="ldap://${LOCALHOST}:$PORT1/"
+ URIP1="ldap://${LOCALIP}:$PORT1/"
+ URI2="ldap://${LOCALHOST}:$PORT2/"
+@@ -239,6 +241,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
+ SURI6="ldaps://${LOCALHOST}:$PORT6/"
+ SURIP6="ldaps://${LOCALIP}:$PORT6/"
+ 
++KRB5REALM="K5.REALM"
++KDCHOST=$LOCALHOST
++
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+ LDIFADD1=$DATADIR/do_add.1
+diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
+new file mode 100755
+index 000000000..1cb784075
+--- /dev/null
++++ b/tests/scripts/setup_kdc.sh
+@@ -0,0 +1,144 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++export KRB5_TRACE=$TESTDIR/k5_trace
++export KRB5_CONFIG=$TESTDIR/krb5.conf
++export KRB5_KDC_PROFILE=$KRB5_CONFIG
++export KRB5_KTNAME=$TESTDIR/server.kt
++export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
++export KRB5CCNAME=$TESTDIR/client.ccache
++
++KDCLOG=$TESTDIR/setup_kdc.log
++KSERVICE=ldap/$LOCALHOST
++KUSER=kuser
++
++. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
++
++PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
++
++echo "Trying Heimdal KDC..."
++
++kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
++RC=$?
++if test $RC = 0 ; then
++
++	kstash --random-key > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kstash failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
++	kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
++else
++	echo "Trying MIT KDC..."
++
++	kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: admin addprinc failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	krb5kdc -n > $KDCLOG 2>&1 &
++fi
++
++KDCPROC=$!
++sleep 1
++
++kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++RC=$?
++if test $RC != 0 ; then
++	kill $KDCPROC
++	echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
++	exit 0
++fi
++
++pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++RC=$?
++if test $RC != 0 ; then
++
++	saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++	RC=$?
++	if test $RC != 0 ; then
++		kill $KDCPROC
++		echo "cyrus-sasl has no GSSAPI support, test skipped"
++		exit 0
++	fi
++fi
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+new file mode 100755
+index 000000000..64abe16fe
+--- /dev/null
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -0,0 +1,159 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_SASL = no ; then
++        echo "SASL support not available, test skipped"
++        exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1
++cp -r $DATADIR/tls $TESTDIR
++
++cd $TESTWD
++
++
++echo "Starting KDC for SASL/GSSAPI tests..."
++. $SRCDIR/scripts/setup_kdc.sh
++
++echo "Running slapadd to build slapd database..."
++. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
++$SLAPADD -f $CONF1 -l $LDIFORDERED
++RC=$?
++if test $RC != 0 ; then
++	echo "slapadd failed ($RC)!"
++	kill $KDCPROC
++	exit $RC
++fi
++
++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID"
++
++sleep 1
++
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "" -H $URI1 \
++		'objectclass=*' > /dev/null 2>&1
++        RC=$?
++        if test $RC = 0 ; then
++                break
++        fi
++        echo "Waiting 5 seconds for slapd to start..."
++        sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++grep GSSAPI $TESTOUT
++RC=$?
++if test $RC != 0 ; then
++	echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo -n "Using ldapwhoami with SASL/GSSAPI: "
++$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapwhoami failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++else
++	echo "success"
++fi
++
++echo -n "Validating mapped SASL/GSSAPI ID: "
++echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
++RC=$?
++if test $RC != 0 ; then
++	echo "Comparison failed"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++else
++	echo "success"
++fi
++
++if test $WITH_TLS = no ; then
++        echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
++else
++	echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
++	$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
++		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++		> $TESTOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		kill $KDCPROC
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	else
++		echo "success"
++	fi
++
++	echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
++	$LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow	\
++		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++		> $TESTOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		kill $KDCPROC
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	else
++		echo "success"
++	fi
++fi
++
++kill $KDCPROC
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++if test $RC != 0 ; then
++	echo ">>>>> Test failed"
++else
++	echo ">>>>> Test succeeded"
++	RC=0
++fi
++
++test $KILLSERVERS != no && wait
++
++exit $RC
+-- 
+2.29.2
+
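Review bot: Every step in setup_kdc.sh redirects with `> $KDCLOG`, so each command truncates the output of the previous one and, when a step prints "skipping GSSAPI tests", only that last command's output survives; truncating once up front and then appending with `>> $KDCLOG` would preserve the whole sequence for diagnosis. The same applies to the backgrounded `kdc`/`krb5kdc` lines, whose output overwrites the log while `kinit` and the plugin checks are still writing to it. The fixed `sleep 1` before `kinit` is a race on slow hosts, and because setup_kdc.sh is sourced by test077 and `exit 0`s on failure, a slow KDC start becomes a silent skip rather than a failure; a short retry loop around `kinit`, like the one test077 already uses for its first ldapsearch, would be more robust. The `kdb5_util create ... -P password` line deserves a comment such as `# fixed master password; this KDC database lives only under $TESTDIR` so the choice is not copied elsewhere.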
diff --git a/SOURCES/openldap-cbinding-fix-multiprovider-tests.patch b/SOURCES/openldap-cbinding-fix-multiprovider-tests.patch
new file mode 100644
index 0000000..532bec1
--- /dev/null
+++ b/SOURCES/openldap-cbinding-fix-multiprovider-tests.patch
@@ -0,0 +1,137 @@
+From a6d34ed8672a02b49bb286cbeb2d75a08bc0c085 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@rehdat.com>
+Date: Thu, 1 Jul 2021 12:53:24 +0200
+Subject: [PATCH] Fix Channel Binding tests
+
+---
+ ...s => test069-delta-multiprovider-starttls} | 24 +++++++++----------
+ ...daps => test070-delta-multiprovider-ldaps} | 24 +++++++++----------
+ 2 files changed, 24 insertions(+), 24 deletions(-)
+ rename tests/scripts/{test069-delta-multimaster-starttls => test069-delta-multiprovider-starttls} (96%)
+ rename tests/scripts/{test070-delta-multimaster-ldaps => test070-delta-multiprovider-ldaps} (96%)
+
+diff --git a/tests/scripts/test069-delta-multimaster-starttls b/tests/scripts/test069-delta-multiprovider-starttls
+similarity index 96%
+rename from tests/scripts/test069-delta-multimaster-starttls
+rename to tests/scripts/test069-delta-multiprovider-starttls
+index 2dfbb30a1..01fed1e2c 100755
+--- a/tests/scripts/test069-delta-multimaster-starttls
++++ b/tests/scripts/test069-delta-multiprovider-starttls
+@@ -2,7 +2,7 @@
+ # $OpenLDAP$
+ ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ ##
+-## Copyright 1998-2017 The OpenLDAP Foundation.
++## Copyright 1998-2021 The OpenLDAP Foundation.
+ ## All rights reserved.
+ ##
+ ## Redistribution and use in source and binary forms, with or without
+@@ -277,7 +277,7 @@ done
+ n=2
+ while [ $n -le $MMR ]; do
+ echo "Comparing retrieved entries from server 1 and server $n..."
+-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
+ 
+ if test $? != 0 ; then
+ 	echo "test failed - server 1 and server $n databases differ"
+@@ -301,7 +301,7 @@ THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
+ sleep 1
+ for i in 1 2 3; do
+ 	$LDAPSEARCH -S "" -b "$THEDN" -H $URI1 \
+-		-s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
++		-s base '(objectClass=*)' entryCSN > "${PROVIDEROUT}.$i" 2>&1
+ 	RC=$?
+ 
+ 	if test $RC = 0 ; then
+@@ -309,7 +309,7 @@ for i in 1 2 3; do
+ 	fi
+ 
+ 	if test $RC != 32 ; then
+-		echo "ldapsearch failed at slave ($RC)!"
++		echo "ldapsearch failed at replica ($RC)!"
+ 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ 		exit $RC
+ 	fi
+@@ -340,7 +340,7 @@ done
+ n=2
+ while [ $n -le $MMR ]; do
+ echo "Comparing retrieved entries from server 1 and server $n..."
+-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
+ 
+ if test $? != 0 ; then
+ 	echo "test failed - server 1 and server $n databases differ"
+@@ -555,7 +555,7 @@ done
+ n=2
+ while [ $n -le $MMR ]; do
+ echo "Comparing retrieved entries from server 1 and server $n..."
+-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
+ 
+ if test $? != 0 ; then
+ 	echo "test failed - server 1 and server $n databases differ"
+diff --git a/tests/scripts/test070-delta-multimaster-ldaps b/tests/scripts/test070-delta-multiprovider-ldaps
+similarity index 96%
+rename from tests/scripts/test070-delta-multimaster-ldaps
+rename to tests/scripts/test070-delta-multiprovider-ldaps
+index 1024640ef..37de9ddd0 100755
+--- a/tests/scripts/test070-delta-multimaster-ldaps
++++ b/tests/scripts/test070-delta-multiprovider-ldaps
+@@ -2,7 +2,7 @@
+ # $OpenLDAP$
+ ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ ##
+-## Copyright 1998-2017 The OpenLDAP Foundation.
++## Copyright 1998-2021 The OpenLDAP Foundation.
+ ## All rights reserved.
+ ##
+ ## Redistribution and use in source and binary forms, with or without
+@@ -276,7 +276,7 @@ done
+ n=2
+ while [ $n -le $MMR ]; do
+ echo "Comparing retrieved entries from server 1 and server $n..."
+-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
+ 
+ if test $? != 0 ; then
+ 	echo "test failed - server 1 and server $n databases differ"
+@@ -300,7 +300,7 @@ THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
+ sleep 1
+ for i in 1 2 3; do
+ 	$LDAPSEARCH -S "" -b "$THEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $SURIP1 \
+-		-s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
++		-s base '(objectClass=*)' entryCSN > "${PROVIDEROUT}.$i" 2>&1
+ 	RC=$?
+ 
+ 	if test $RC = 0 ; then
+@@ -308,7 +308,7 @@ for i in 1 2 3; do
+ 	fi
+ 
+ 	if test $RC != 32 ; then
+-		echo "ldapsearch failed at slave ($RC)!"
++		echo "ldapsearch failed at replica ($RC)!"
+ 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ 		exit $RC
+ 	fi
+@@ -339,7 +339,7 @@ done
+ n=2
+ while [ $n -le $MMR ]; do
+ echo "Comparing retrieved entries from server 1 and server $n..."
+-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
+ 
+ if test $? != 0 ; then
+ 	echo "test failed - server 1 and server $n databases differ"
+@@ -552,7 +552,7 @@ done
+ n=2
+ while [ $n -le $MMR ]; do
+ echo "Comparing retrieved entries from server 1 and server $n..."
+-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
++$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
+ 
+ if test $? != 0 ; then
+ 	echo "test failed - server 1 and server $n databases differ"
+-- 
+2.31.1
+
diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch
new file mode 100644
index 0000000..b69a391
--- /dev/null
+++ b/SOURCES/openldap-manpages.patch
@@ -0,0 +1,73 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ This parameter is ignored with GnuTLS.
+ 
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	slapd -Tt
+ .ft
+ .fi
+ .LP
+-- 
+1.8.1.4
+
diff --git a/SOURCES/openldap-openssl-manpage-defaultCA.patch b/SOURCES/openldap-openssl-manpage-defaultCA.patch
new file mode 100644
index 0000000..7ec2caa
--- /dev/null
+++ b/SOURCES/openldap-openssl-manpage-defaultCA.patch
@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify.  These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither  \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT <filename>
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite: <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
diff --git a/SOURCES/openldap-reentrant-gethostby.patch b/SOURCES/openldap-reentrant-gethostby.patch
new file mode 100644
index 0000000..140b6e3
--- /dev/null
+++ b/SOURCES/openldap-reentrant-gethostby.patch
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
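Review bot: The new preprocessor condition mixes `||` and `&&` without parentheses, so the reader has to know that `&&` binds tighter to see that the intent is "threaded build, or both reentrant functions available"; `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))` states it explicitly and avoids a -Wparentheses warning. The two `#undef` lines in the first hunk are kept as `/* ... */` comments rather than removed, which leaves dead text and no explanation in the file itself; the reason only lives in the patch description. A one-line comment in their place would carry it into the source, e.g. `/* keep the _r variants even outside libldap_r: the non-reentrant gethostby*() deadlock when nss_ldap re-enters libldap during resolution */`. The surrounding `#ifndef LDAP_R_COMPILE` block and the `#if !(defined(...))` chain continue outside the hunks.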
diff --git a/SOURCES/openldap-smbk5pwd-overlay.patch b/SOURCES/openldap-smbk5pwd-overlay.patch
new file mode 100644
index 0000000..38936cf
--- /dev/null
+++ b/SOURCES/openldap-smbk5pwd-overlay.patch
@@ -0,0 +1,62 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ 	syncprov.c \
+ 	translucent.c \
+ 	unique.c \
+-	valsort.c
++	valsort.c \
++	smbk5pwd.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ 	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+ 
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
+-- 
+1.7.10.4
+
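Review bot: The `smbk5pwd.lo` and `smbk5pwd.la` rules use `$(shell pkg-config openssl --cflags)` / `--libs`, a GNU make extension in a Makefile.in whose other rules are plain make, and the result is not checked: if pkg-config or the openssl .pc file is missing the flags silently expand to empty and the failure surfaces later as an unrelated compile or link error. The rest of the tree is configure-driven, so a configure-substituted variable would presumably be the consistent way to pass the OpenSSL flags; at minimum a comment above the rule such as `# GNU make only: OpenSSL flags come from pkg-config, not from configure` would tell the next maintainer why this rule differs from its neighbours. `-DHAVE_OPENSSL -UHAVE_MOZNSS` hard-codes the crypto backend for this one object regardless of what configure selected for the rest of slapd; that is fine for this build but worth stating in the same comment.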
diff --git a/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
new file mode 100644
index 0000000..ed4f2ad
--- /dev/null
+++ b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
@@ -0,0 +1,41 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+---
+--- openldap/servers/slapd/module.c.orig	2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c	2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
+ 	return -1;	/* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ 	module_loaded_t *module;
+@@ -180,7 +194,7 @@
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ 		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ 		strcpy( ebuf, error );
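Review bot: In `slapd_lt_dlopenext_global`, `advise` is declared without an initializer and `lt_dladvise_destroy(&advise)` runs unconditionally, including when `lt_dladvise_init` failed; what a failed init leaves in `advise` is not visible here, so `lt_dladvise advise = 0;` (and `lt_dlhandle handle = NULL;` for symmetry) removes that dependence at no cost. The helper also carries no comment saying why modules are now loaded with global symbol visibility, and the trade-off matters: with RTLD_GLOBAL every loaded module's symbols become visible to modules loaded afterwards, so an unresolved reference in one module can be satisfied by whichever module happened to load earlier. A short comment above the function pointing at the back_perl/libperl motivation from the description, e.g. `/* RTLD_GLOBAL: back_perl needs libperl's symbols visible to later-loaded Perl modules; note this also exposes every module's symbols to the others */`, would let a maintainer judge that trade-off later. `module_load` continues outside the second hunk.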
diff --git a/SOURCES/slapd.ldif b/SOURCES/slapd.ldif
new file mode 100644
index 0000000..a4ae4c0
--- /dev/null
+++ b/SOURCES/slapd.ldif
@@ -0,0 +1,158 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath:	/usr/lib/openldap
+#olcModulepath:	/usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory:	/var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
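Review bot: The TLS comment refers to `oclTLSCACertificatePath`, which is a transposition of the real attribute name `olcTLSCACertificatePath`; an administrator copying it into a config entry will get a schema error, so the comment line should read `# by olcTLSCACertificatePath one has to include them explicitly:`. In the same comment block "finer grinded selection of ciphers" would read better as "finer-grained selection of ciphers". The header says this file should not be world readable, yet the spec installs it as a 0644 template under the servers' data directory; since the template holds no secrets that is harmless, but a word like `# (once populated with credentials) this file should NOT be world readable.` would keep the warning accurate for the installed copy.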
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
new file mode 100644
index 0000000..30821fd
--- /dev/null
+++ b/SOURCES/slapd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service
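Review bot: `After=network-online.target` orders slapd after that target but does not activate it; unless something else pulls it in, the ordering has no effect, so the unit should also carry `Wants=network-online.target`. `syslog.target` is a legacy target that current systemd no longer ships, so it can be dropped from the same `After=` line. `Type=forking` without `PIDFile=` leaves systemd to guess the main process; if slapd writes a PID file (the tmpfiles entry mentions `slapd.pid` under /run/openldap), pointing `PIDFile=` at it makes the service state reliable.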
diff --git a/SOURCES/slapd.tmpfiles b/SOURCES/slapd.tmpfiles
new file mode 100644
index 0000000..634cea1
--- /dev/null
+++ b/SOURCES/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /run/openldap 0755 ldap ldap -
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
new file mode 100644
index 0000000..0d45ae7
--- /dev/null
+++ b/SPECS/openldap.spec
@@ -0,0 +1,2286 @@
+%global _hardened_build 1
+
+%global systemctl_bin /usr/bin/systemctl
+%global check_password_version 1.1
+
+%global so_ver 2
+
+Name: openldap
+Version: 2.4.57
+Release: 8%{?dist}
+Summary: LDAP support libraries
+License: OpenLDAP
+URL: http://www.openldap.org/
+
+Source0: https://openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
+Source1: slapd.service
+Source2: slapd.tmpfiles
+Source3: slapd.ldif
+Source4: ldap.conf
+Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
+Source50: libexec-functions
+Source52: libexec-check-config.sh
+Source53: libexec-upgrade-db.sh
+
+# patches for 2.4
+Patch0: openldap-manpages.patch
+Patch2: openldap-reentrant-gethostby.patch
+Patch3: openldap-smbk5pwd-overlay.patch
+Patch5: openldap-ai-addrconfig.patch
+Patch17: openldap-allop-overlay.patch
+
+# fix back_perl problems with lt_dlopen()
+# might cause crashes because of symbol collisions
+# the proper fix is to link all perl modules against libperl
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
+Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
+Patch24: openldap-openssl-manpage-defaultCA.patch
+
+# The below patches come from upstream master and are necessary for Channel Binding
+# (both tls-unique and tls-server-end-point) to work properly.
+# Additionally, for Samba to be able to implement Channel Binding, the PEERCERT option
+# is being included as well.
+Patch50: openldap-cbinding-Add-channel-binding-support.patch
+Patch51: openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
+Patch52: openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
+Patch53: openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
+Patch54: openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
+Patch55: openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
+Patch56: openldap-cbinding-Make-prototypes-available-where-needed.patch
+Patch57: openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
+Patch58: openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
+Patch59: openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
+Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch
+Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
+Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
+Patch63: openldap-cbinding-ITS-9215-fix-for-glibc-again.patch
+Patch64: openldap-cbinding-fix-multiprovider-tests.patch
+
+# check-password module specific patches
+Patch90: check-password-makefile.patch
+Patch91: check-password.patch
+
+BuildRequires: make
+BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
+BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
+BuildRequires: gcc
+
+%description
+OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap package contains configuration files,
+libraries, and documentation for OpenLDAP.
+
+%package devel
+Summary: LDAP development libraries and header files
+Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
+
+%description devel
+The openldap-devel package includes the development libraries and
+header files needed for compiling applications that use LDAP
+(Lightweight Directory Access Protocol) internals. LDAP is a set of
+protocols for enabling directory services over the Internet. Install
+this package only if you plan to develop or will need to compile
+customized LDAP clients.
+
+%package compat
+Summary: Package providing legacy non-threded libldap
+Requires: openldap%{?_isa} = %{version}-%{release}
+# since libldap is manually linked from libldap_r, the provides is not generated automatically
+%ifarch armv7hl i686
+Provides: libldap-2.4.so.%{so_ver}
+%else
+Provides: libldap-2.4.so.%{so_ver}()(%{__isa_bits}bit)
+%endif
+
+%description compat
+The openldap-compat package contains non-threaded variant of libldap
+which should not be used. Instead, applications should link to libldap_r
+which provides thread-safe variant with the very same API.
+
+%package servers
+Summary: LDAP server
+License: OpenLDAP
+Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
+Requires(pre): shadow-utils
+BuildRequires: systemd
+%{?systemd_requires}
+BuildRequires: libdb-devel
+BuildRequires: cracklib-devel
+# migrationtools (slapadd functionality):
+Provides: ldif2ldbm
+
+%description servers
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. This package contains the slapd server and related files.
+
+%package clients
+Summary: LDAP client utilities
+Requires: openldap%{?_isa} = %{version}-%{release}
+
+%description clients
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap-clients package contains the client
+programs needed for accessing and modifying OpenLDAP directories.
+
+%prep
+%setup -q -c -a 0 -a 10
+
+pushd openldap-%{version}
+
+AUTOMAKE=%{_bindir}/true autoreconf -fi
+
+%patch0 -p1
+%patch2 -p1
+%patch3 -p1
+%patch5 -p1
+%patch17 -p1
+%patch19 -p1
+%patch24 -p1
+%patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+
+# build smbk5pwd with other overlays
+ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
+mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+# build allop with other overlays
+ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
+mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
+mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
+
+mv servers/slapd/back-perl/README{,.back_perl}
+
+# fix documentation encoding
+for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do
+	iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
+	mv "$filename.utf8" "$filename"
+done
+
+popd
+
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+%patch90 -p1
+%patch91 -p1
+popd
+
+%build
+
+%set_build_flags
+# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
+export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS -DOPENSSL_NO_MD2"
+
+pushd openldap-%{version}
+%configure \
+	--enable-debug \
+	--enable-dynamic \
+	\
+	--enable-dynacl \
+	--enable-cleartext \
+	--enable-crypt \
+	--enable-lmpasswd \
+	--enable-spasswd \
+	--enable-modules \
+	--enable-rewrite \
+	--enable-rlookups \
+	--enable-slapi \
+	--disable-slp \
+	\
+	--enable-backends=mod \
+	--enable-bdb=yes \
+	--enable-hdb=yes \
+	--enable-mdb=yes \
+	--enable-monitor=yes \
+	--disable-ndb \
+	--disable-sql \
+	\
+	--enable-overlays=mod \
+	\
+	--disable-static \
+	\
+	--with-cyrus-sasl \
+	--without-fetch \
+	--with-threads \
+	--with-pic \
+	--with-gnu-ld \
+	\
+	--libexecdir=%{_libdir}
+
+%make_build
+popd
+
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+%make_build LDAP_INC="-I../openldap-%{version}/include \
+ -I../openldap-%{version}/servers/slapd \
+ -I../openldap-%{version}/build-servers/include"
+popd
+
+%install
+
+mkdir -p %{buildroot}%{_libdir}/
+
+pushd openldap-%{version}
+%make_install STRIP=""
+popd
+
+# install check_password module
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+mv check_password.so check_password.so.%{check_password_version}
+ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so
+install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
+# install -m 644 README %{buildroot}%{_libdir}/openldap
+install -d -m 755 %{buildroot}%{_sysconfdir}/openldap
+cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <<EOF
+# OpenLDAP pwdChecker library configuration
+
+#useCracklib 1
+#minPoints 3
+#minUpper 0
+#minLower 0
+#minDigit 0
+#minPunct 0
+EOF
+mv README{,.check_pwd}
+popd
+
+# setup directories for TLS certificates
+mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
+
+# setup data and runtime directories
+mkdir -p %{buildroot}%{_sharedstatedir}
+mkdir -p %{buildroot}%{_localstatedir}
+install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
+install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
+
+# setup autocreation of runtime directories on tmpfs
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf
+
+# install default ldap.conf (customized)
+rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+
+# setup maintainance scripts
+mkdir -p %{buildroot}%{_libexecdir}
+install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
+install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
+install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
+install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
+
+# remove build root from config files and manual pages
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
+
+# we don't need the default files -- RPM handles changes
+rm -f %{buildroot}%{_sysconfdir}/openldap/*.default
+rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
+
+# install an init script for the servers
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
+
+# move slapd out of _libdir
+mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
+
+# setup tools as symlinks to slapd
+rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done
+
+# re-symlink unversioned libraries, so ldconfig is not confused
+pushd %{buildroot}%{_libdir}
+v=%{version}
+version=$(echo ${v%.[0-9]*})
+for lib in liblber libldap libldap_r libslapi; do
+	rm -f ${lib}.so
+	ln -s ${lib}-${version}.so.%{so_ver} ${lib}.so
+done
+
+# provide only libldap_r and copy it to libldap, make a versioned lib link
+rm -f libldap.so
+ln -s libldap_r.so "%{buildroot}%{_libdir}/libldap.so"
+rm -f libldap-*.so.*
+for lib in $(ls | grep libldap_r-); do
+    IFS='.'
+    read -r -a libsplit <<< "$lib"
+    if [ -z "${libsplit[4]}" ]
+    then
+        so_ver_short="${libsplit[3]}"
+        unset IFS
+        gcc -shared -o "%{buildroot}%{_libdir}/libldap-${version}.so.${so_ver_short}" -Wl,--no-as-needed \
+               -Wl,-soname -Wl,libldap-${version}.so.${so_ver_short} -L "%{buildroot}%{_libdir}" -lldap_r
+    else
+        so_ver_full="${libsplit[3]}.${libsplit[4]}.${libsplit[5]}"
+        unset IFS
+    fi
+done
+ln -s libldap-${version}.so.{${so_ver_short},${so_ver_full}}
+
+popd
+
+# tweak permissions on the libraries to make sure they're correct
+chmod 0755 %{buildroot}%{_libdir}/lib*.so*
+chmod 0644 %{buildroot}%{_libdir}/lib*.*a
+
+# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
+mkdir -p %{buildroot}%{_datadir}
+install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
+install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
+install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
+
+# move doc files out of _sysconfdir
+mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
+mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+
+# remove files which we don't want packaged
+rm -f %{buildroot}%{_libdir}/*.la  # because we do not want files in %{_libdir}/openldap/ removed, yet
+
+rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
+rmdir %{buildroot}%{_localstatedir}/openldap-data
+
+%ldconfig_scriptlets
+
+%pre servers
+
+# create ldap user and group
+getent group ldap &>/dev/null || groupadd -r -g 55 ldap
+getent passwd ldap &>/dev/null || \
+	useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
+
+if [ $1 -eq 2 ]; then
+	# package upgrade
+
+	old_version=$(rpm -q --qf=%%{version} openldap-servers)
+	new_version=%{version}
+
+	if [ "$old_version" != "$new_version" ]; then
+		touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null
+	fi
+fi
+
+exit 0
+
+
+%post servers
+%systemd_post slapd.service
+
+# generate configuration if necessary
+if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
+      ! -f %{_sysconfdir}/openldap/slapd.conf
+   ]]; then
+      # if there is no configuration available, generate one from the defaults
+      mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
+      /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif
+      chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
+      %{systemctl_bin} try-restart slapd.service &>/dev/null
+fi
+
+start_slapd=0
+
+# upgrade the database
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
+	if %{systemctl_bin} --quiet is-active slapd.service; then
+		%{systemctl_bin} stop slapd.service
+		start_slapd=1
+	fi
+
+	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
+fi
+
+# restart after upgrade
+if [ $1 -ge 1 ]; then
+	if [ $start_slapd -eq 1 ]; then
+		%{systemctl_bin} start slapd.service &>/dev/null || :
+	else
+		%{systemctl_bin} condrestart slapd.service &>/dev/null || :
+	fi
+fi
+
+exit 0
+
+%preun servers
+%systemd_preun slapd.service
+
+%postun servers
+%systemd_postun_with_restart slapd.service
+
+%triggerin servers -- libdb
+
+# libdb upgrade (setup for %%triggerun)
+if [ $2 -eq 2 ]; then
+	# we are interested in minor version changes (both versions of libdb are installed at this moment)
+	if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
+		touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+	else
+		rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+	fi
+fi
+
+exit 0
+
+
+%triggerun servers -- libdb
+
+# libdb upgrade (finish %%triggerin)
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
+	if %{systemctl_bin} --quiet is-active slapd.service; then
+		%{systemctl_bin} stop slapd.service
+		start=1
+	else
+		start=0
+	fi
+
+	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+
+	[ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
+fi
+
+exit 0
+
+
+%files
+%doc openldap-%{version}/ANNOUNCEMENT
+%doc openldap-%{version}/CHANGES
+%license openldap-%{version}/COPYRIGHT
+%license openldap-%{version}/LICENSE
+%doc openldap-%{version}/README
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/certs
+%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%dir %{_libexecdir}/openldap/
+%{_libdir}/liblber-2.4*.so.*
+%{_libdir}/libldap_r-2.4*.so.*
+%{_libdir}/libslapi-2.4*.so.*
+%{_mandir}/man5/ldif.5*
+%{_mandir}/man5/ldap.conf.5*
+
+%files servers
+%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+%doc openldap-%{version}/doc/guide/admin/*.html
+%doc openldap-%{version}/doc/guide/admin/*.png
+%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
+%doc README.schema
+%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
+%config(noreplace) %{_sysconfdir}/openldap/schema
+%config(noreplace) %{_sysconfdir}/openldap/check_password.conf
+%{_tmpfilesdir}/slapd.conf
+%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
+%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
+%{_unitdir}/slapd.service
+%{_datadir}/openldap-servers/
+%{_libdir}/openldap/accesslog*
+%{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/allop*
+%{_libdir}/openldap/back_dnssrv*
+%{_libdir}/openldap/back_ldap*
+%{_libdir}/openldap/back_meta*
+%{_libdir}/openldap/back_null*
+%{_libdir}/openldap/back_passwd*
+%{_libdir}/openldap/back_relay*
+%{_libdir}/openldap/back_shell*
+%{_libdir}/openldap/back_sock*
+%{_libdir}/openldap/back_perl*
+%{_libdir}/openldap/collect*
+%{_libdir}/openldap/constraint*
+%{_libdir}/openldap/dds*
+%{_libdir}/openldap/deref*
+%{_libdir}/openldap/dyngroup*
+%{_libdir}/openldap/dynlist*
+%{_libdir}/openldap/memberof*
+%{_libdir}/openldap/pcache*
+%{_libdir}/openldap/ppolicy*
+%{_libdir}/openldap/refint*
+%{_libdir}/openldap/retcode*
+%{_libdir}/openldap/rwm*
+%{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/smbk5pwd*
+%{_libdir}/openldap/sssvlv*
+%{_libdir}/openldap/syncprov*
+%{_libdir}/openldap/translucent*
+%{_libdir}/openldap/unique*
+%{_libdir}/openldap/valsort*
+%{_libdir}/openldap/check_password*
+%{_libexecdir}/openldap/functions
+%{_libexecdir}/openldap/check-config.sh
+%{_libexecdir}/openldap/upgrade-db.sh
+%{_sbindir}/sl*
+%{_mandir}/man8/*
+%{_mandir}/man5/slapd*.5*
+%{_mandir}/man5/slapo-*.5*
+# obsolete configuration
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
+
+%files clients
+%{_bindir}/*
+%{_mandir}/man1/*
+
+%files devel
+%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
+%{_libdir}/lib*.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+
+%files compat
+%{_libdir}/libldap-2.4*.so.*
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Mon Jul 12 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-7
+- Fix Channel Binding tests Related: rhbz#1967853
+
+* Thu Jun 24 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-6
+- Fix slapd.tmpfiles complaints. Related: rhbz#1969853
+- Use https:// for source Related: rhbz#1973597
+
+* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-5
+- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065
+
+* Fri Jun  4 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-4
+- Backport Channel Binding support. Related: rhbz#1967853
+- Fix coverity issues. Related: rhbz#1938829
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.57-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 19 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-1
+- Rebase to version 2.4.57 (#1917583)
+
+* Thu Nov 26 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-4
+- Use gcc to link libldap_r to libldap (#1537260)
+
+* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-3
+- Fix 32-bit libraries build (#1537260)
+
+* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-2
+- Drop non-threaded libldap (#1537260)
+
+* Wed Nov 18 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-1
+- Rebase to version 2.4.56 (#1896508)
+
+* Mon Nov 02 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.55-1
+- Rebase to version 2.4.55 (#1891622)
+
+* Tue Oct 13 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.54-1
+- Rebase to version 2.4.54 (#1887581)
+
+* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.53-1
+- Rebase to version 2.4.53 (#1868240)
+
+* Thu Sep 03 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.52-1
+- Rebase to version 2.4.52 (#1868240)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.50-2
+- Perl 5.32 rebuild
+
+* Wed Jun 17 2020 Matus Honek <mhonek@redhat.com> - 2.4.50-1
+- Rebase to version 2.4.50 (#1742285)
+
+* Tue Jun 16 2020 Tom Stellard <tstellar@redhat.com> - 2.4.47-5
+- Spec file cleanups
+- Add BuildRequres: gcc [1]
+- make_build [2] and make_install [3]
+- [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_buildrequires_and_requires
+- [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
+- [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_why_the_makeinstall_macro_should_not_be_used
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.47-2
+- Perl 5.30 rebuild
+
+* Wed Feb 13 2019 Matus Honek <mhonek@redhat.com> - 2.4.47-1
+- Rebase to upstream version 2.4.47
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.4.46-12
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-11
+- Reference default system-wide CA certificates in manpages (#1611591)
+
+* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-10
+- Revert "Fix: Cannot use SSL3 anymore"
+
+* Mon Oct 08 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
+- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623495)
+
+* Tue Aug 14 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
+- Fix: Cannot use SSL3 anymore (#1592431)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul  6 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-6
+- Build with LDAP_USE_NON_BLOCKING_TLS (#1594928)
+- Remove unused leftover MozNSS Compat. Layer references (cont.) (#1557967)
+
+* Fri Jul 06 2018 Petr Pisar <ppisar@redhat.com> - 2.4.46-5
+- Perl 5.28 rebuild
+
+* Wed Jul  4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-4
+- Remove unused leftover MozNSS Compat. Layer references (#1557967)
+
+* Wed Jul  4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-3
+- MozNSS Compat. Layer: Make log messages more clear (#1598103)
+- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1595203)
+
+* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.46-2
+- Perl 5.28 rebuild
+- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1564161)
+
+* Tue Mar 27 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-1
+- Rebase to version OpenLDAP 2.4.46 (#1559652)
+
+* Mon Mar  5 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-14
+- Utilize system-wide crypto-policies (#1483979)
+
+* Thu Mar  1 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-13
+- fix: openldap does not use Fedora build flags
+  + makes use of redhat-rpm-config package
+- Drop superfluous back-sql linking patch
+
+* Wed Feb 28 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-12
+- MozNSS Compat. Layer: fix: libldap tlsmc continues even after it fails to extract CA certificates (#1550110)
+
+* Wed Feb 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-11
+- TLS: Use system trusted CA store by default (#1270678, #1537259)
+
+* Sun Feb 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-10
+- Complete change: Disable TLSMC in F29+
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.45-9
+- Escape macros in %%changelog
+- Disable TLSMC in F29+
+- Remove obsolete Group tag
+- Don't call ldconfig in servers subpackage
+- Switch to %%ldconfig_scriptlets
+- Remove unneeded Requires(post): systemd-sysv, chkconfig
+- Switch to %%systemd_requires
+- Change BuildRequires: systemd-units to systemd
+
+* Wed Feb  7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-8
+- Drop TCP wrappers support (#1531487)
+
+* Wed Feb  7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
+- MozNSS Compat. Layer fixes (#1400570)
+  - fix incorrect parsing of CACertDir (orig. #1533955)
+  - fix PIN disclaimer not always shown (orig. #1516409)
+  - fix recursive directory deletion (orig. #1516409)
+  - Ensure consistency of a PEM dir before usage (orig. #1516409)
+    + Warn just before use of a PIN about key file extraction
+  - Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+    + Fix a possible invalid dereference (covscan)
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
+- Rebuilt for switch to libxcrypt
+
+* Wed Dec  6 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-5
+- Fix issues in MozNSS compatibility layer (#1400570)
+  + Force write file with fsync to avoid race conditions
+  + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix
+  + Allow missing cert and key which is a valid usecase
+  + Create extraction folder only in /tmp to simplify selinux rules
+  + Fix Covscan issues
+
+* Fri Nov  3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
+- Build with OpenSSL with MozNSS compatibility layer (#1400570)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul  7 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-1
+- Rebase to version 2.4.45 (#1458081)
+  * fixes CVE-2017-9287 (#1456712, #1456713)
+- Update the 'sources' file with new SHA512 hashes
+
+* Fri Jul  7 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-12
+- Change Requires to Recommends for nss-tools (#1415086)
+
+* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-11
+- Perl 5.26 rebuild
+
+* Fri Mar 31 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
+- NSS: Maximal TLS protocol version should be equal to NSS default (#1435692)
+
+* Thu Mar 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
+- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435692)
+- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435692)
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.44-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
+- NSS: Update list of ciphers (#1387868)
+
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
+- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)
+
+* Thu Jan 26 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
+- NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517)
+
+* Mon Jan 23 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
+- fix previous commit (#1375432)
+
+* Fri Jan 20 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
+- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
+- fix: slapd should start after network-online.service (#1336487)
+
+* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
+- Perl 5.24 rebuild
+
+* Wed May 11 2016 Matus Honek <mhonek@redhat.com> - 2.4.44-1
+- Update to 2.4.44 (#1305191)
+
+* Tue May  3 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-5
+- Bring back *.la files in %%{_libdir}/openldap/ (#1331484)
+
+* Wed Apr 27 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-4
+- Keep *.so libraries in %%{_libdir}/openldap/ (#1331484)
+- Include AllOp overlay (#1319782)
+
+* Sun Apr 10 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.43-3
+- Ensure all libtool archive files are removed (.la)
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.43-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 02 2015 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.4.43-1
+- Update to 2.4.43 (#1253871)
+
+* Thu Jul 16 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.41-1
+- New upstream release 2.4.41 (#1238251)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.40-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.40-13
+- Perl 5.22 rebuild
+
+* Mon Apr 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-12
+- fix: bring back tmpfiles config (#1215655)
+
+* Mon Mar 30 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-11
+- remove spurious ghosted file
+
+* Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
+- link against moznss again (#1187742)
+
+* Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
+- fix: Unknown Berkeley DB major version in db.h (#1191098)
+
+* Tue Feb 10 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
+- CVE-2015-1545: slapd crashes on search with deref control (#1190645)
+
+* Tue Jan 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-8
+- link against openssl by default
+- simplify package even more by removing certificate generation
+
+* Mon Jan 26 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-7
+- remove tmpfiles config since it's no longer needed
+- fix invalid ldif
+- simplify checking for missing server configuration
+
+* Fri Jan 16 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-6
+- remove openldap-fedora-systemd.patch
+- remove openldap-ldaprc-currentdir.patch
+- remove openldap-userconfig-setgid.patch
+- remove openldap-syncrepl-unset-tls-options.patch
+- remove unneeded configure flags, disable sql backend and aci
+- make mdb default after a new installation
+- remove pid file and args file
+- renumber patches and sources
+
+* Wed Dec 17 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-5
+- harden the build
+- improve check_password
+- provide an unversioned symlink to check_password.so.1.1
+
+* Tue Dec 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-4
+- remove openldap.pc
+
+* Tue Dec  9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-3
+- enhancement: generate openldap.pc (#1171493)
+
+* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2
+- enhancement: support TLSv1 and later (#1160466)
+
+* Mon Oct  6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1
+- new upstream release (#1147877)
+
+* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.39-12
+- Perl 5.20 rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.4.39-10
+- fix license handling
+
+* Mon Jul 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-9
+- fix: fix typo in generate-server-cert.sh (#1117229)
+
+* Mon Jun  9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-8
+- fix: make default service configuration listen on ldaps:/// as well (#1105634)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri May 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
+- fix: remove correct tmp file when generating server cert (#1103102)
+
+* Mon Mar 24 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
+- re-symlink unversioned libraries, so ldconfig is not confused (#1028557)
+
+* Tue Mar  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
+- don't automatically convert slapd.conf to slapd-config
+
+* Wed Feb 19 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
+- remove redundant sysconfig-related stuff
+- add documentation reference to service file
+- alias slapd.service as openldap.service
+
+* Tue Feb  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
+- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851)
+
+* Wed Jan 29 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
+- new upstream release (#1059186)
+
+* Mon Nov 18 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.38-1
+- new upstream release (#1031608)
+
+* Mon Nov 11 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-2
+- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935)
+
+* Wed Oct 30 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-1
+- new upstream release (#1023916)
+- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836)
+
+* Mon Oct 21 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-4
+- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661)
+
+* Tue Oct 15 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-3
+- rebuilt for libdb-5.3.28
+
+* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
+- fix: CLDAP is broken for IPv6 (#1018688)
+
+* Wed Sep  4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
+- fix: typos in manpages
+
+* Tue Aug 20 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-1
+- new upstream release
+  + compile-in mdb backend
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.35-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.4.35-6
+- Perl 5.18 rebuild
+
+* Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5
+- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"
+
+* Thu May 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-4
+- do not needlessly run ldconfig after installing openldap-devel
+- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222)
+- fix: lt_dlopen() with back_perl (#960048)
+
+* Tue Apr 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-3
+- fix: minor documentation fixes
+- set SASL_NOCANON to on by default (#949864)
+- remove trailing spaces
+
+* Fri Apr 05 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-2
+- drop the evolution patch
+
+* Tue Apr 02 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-1
+- new upstream release (#947235)
+- fix: slapd.service should ensure that network is up before starting (#946921)
+- fix: NSS related resource leak (#929357)
+
+* Mon Mar 18 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-2
+- fix: syncrepl push DELETE operation does not recover (#920482)
+- run autoreconf every build, drop autoreconf patch (#926280)
+
+* Mon Mar 11 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-1
+- enable perl backend (#820547)
+- package ppolicy-check-password (#829749)
+- add perl specific BuildRequires
+- fix bogus dates
+
+* Wed Mar 06 2013 Jan Vcelak <jvcelak@fedoraproject.org> 2.4.34-1
+- new upstream release (#917603)
+- fix: slapcat segfaults if cn=config.ldif not present (#872784)
+- use systemd-rpm macros in spec file (#850247)
+
+* Thu Jan 31 2013 Jan Synáček <jsynacek@redhat.com> 2.4.33-4
+- rebuild against new cyrus-sasl
+
+* Wed Oct 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-3
+- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
+* Fri Oct 12 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-2
+- fix: slapd with rwm overlay segfault following ldapmodify (#865685)
+
+* Thu Oct 11 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-1
+- new upstream release:
+  + slapd: ACLs, syncrepl
+  + backends: locking and memory management in MDB
+  + manpages: slapo-refint
+- patch update: MozNSS certificate database in SQL format cannot be used (#860317)
+- fix: slapd.service should not use /tmp (#859019)
+
+* Fri Sep 14 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-3
+- fix: some TLS ciphers cannot be enabled (#852338)
+- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)
+- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786)
+- fix: MozNSS certificate database in SQL format cannot be used (#857373)
+- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
+* Mon Aug 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-2
+- enhancement: TLS, prefer private keys from authenticated slots
+- enhancement: TLS, allow certificate specification including token name
+- resolve TLS failures in replication in 389 Directory Server
+
+* Wed Aug 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-1
+- new upstream release
+  + library: double free, SASL handling
+  + tools: read SASL_NOCANON from config file
+  + slapd: config index renumbering, duplicate error response
+  + backends: various fixes in mdb, bdb/hdb, ldap
+  + accesslog, syncprov: fix memory leaks in with replication
+  + sha2: portability, thread safety, support SSHA256,384,512
+  + documentation fixes
+
+* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
+- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
+
+* Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6
+- multilib fix: move libslapi from openldap-servers to openldap package
+
+* Thu Jul 19 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-5
+- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)
+- fix: smbk5pwd module computes invalid LM hashes (#841560)
+
+* Wed Jul 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-4
+- modify the package build process
+  + fix autoconfig files to detect Mozilla NSS library using pkg-config
+  + remove compiler flags which are not needed currently
+  + build server, client and library together
+  + avoid stray dependencies by using --as-needed linker flag
+  + enable SLAPI interface in slapd
+
+* Wed Jun 27 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-3
+- update fix: count constraint broken when using multiple modifications (#795766)
+- fix: invalid order of TLS shutdown operations (#808464)
+- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
+- fix: reading pin from file can make all TLS connections hang (#829317)
+- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
+- fix: slapd fails to start on reboot (#829272)
+- fix: default cipher suite is always selected (#828790)
+- fix: less influence between individual TLS contexts:
+  - replication with TLS does not work (#795763)
+  - possibly others
+
+* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
+- fix: nss-tools package is required by the base package, not the server subpackage
+- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
+
+* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
+- new upstream release
+  + library: IPv6 url detection
+  + library: rebinding to failed connections
+  + server: various fixes in mdb backend
+  + server: various fixes in replication
+  + server: various fixes in overlays and minor backends
+  + documentation fixes
+- remove patches which were merged upstream
+
+* Thu Apr 05 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-3
+- rebuild due to libdb rebase
+
+* Mon Mar 26 2012 Jan Synáček <jsynacek@redhat.com> 2.4.30-2
+- fix: Re-binding to a failed connection can segfault (#784989)
+
+* Thu Mar 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-1
+- new upstream release
+  + server: fixes in mdb backend
+  + server: fixes in manual pages
+  + server: fixes in syncprov, syncrepl, and pcache
+- removed patches which were merged upstream
+
+* Wed Feb 22 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-4
+- fix: missing options in manual pages of client tools (#796232)
+- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915)
+
+* Tue Feb 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-3
+- fix: ldap_result does not succeed for sssd (#771484)
+- Jan Synáček <jsynacek@redhat.com>:
+  + fix: count constraint broken when using multiple modifications (#795766)
+
+* Mon Feb 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-2
+- fix update: provide ldif2ldbm, not ldib2ldbm (#437104)
+- Jan Synáček <jsynacek@redhat.com>:
+  + unify systemctl binary paths throughout the specfile and make them usrmove compliant
+  + make path to chkconfig binary usrmove compliant
+
+* Wed Feb 15 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-1
+- new upstream release
+  + MozNSS fixes
+  + connection handling fixes
+  + server: buxfixes in mdb backend
+  + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)
+- openldap-servers now provide ldib2ldbm (#437104)
+- certificates management improvements
+  + create empty Mozilla NSS certificate database during installation
+  + enable builtin Root CA in generated database (#789088)
+  + generate server certificate using Mozilla NSS tools instead of OpenSSL tools
+  + fix: correct path to check-config.sh in service file (Jan Synáček <jsynacek@redhat.com>)
+- temporarily disable certificates checking in check-config.sh script
+- fix: check-config.sh get stuck when executing command as a ldap user
+
+* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3
+- fix: replication (syncrepl) with TLS causes segfault (#783431)
+- fix: slapd segfaults when PEM certificate is used and key is not set (#772890)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Nov 30 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.28-1
+- new upstream release
+  + server: support for delta-syncrepl in multi master replication
+  + server: add experimental backend - MDB
+  + server: dynamic configuration for passwd, perl, shell, sock, and sql backends
+  + server: support passwords in APR1
+  + library: support for Wahl (draft)
+  + a lot of bugfixes
+- remove patches which were merged upstream
+- compile backends as modules (except BDB, HDB, and monitor)
+- reload systemd daemon after installation
+
+* Tue Nov 01 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-6
+- package cleanup:
+  + hardened build: switch from LDFLAGS to RPM macros
+  + remove old provides and obsoletes
+  + add new slapd maintainance scripts
+  + drop defattr macros, clean up permissions in specfile
+  + fix rpmlint warnings: macros in comments/changelog
+  + fix rpmlint warnings: non UTF-8 documentation
+  + rename environment file to be more consistent (ldap -> slapd)
+- replace sysv initscript with systemd service file (#
+- new format of environment file due to switch to systemd
+  (automatic conversion is performed)
+- patch OpenLDAP to skip empty command line arguments
+  (arguments expansion in systemd works different than in shell)
+- CVE-2011-4079: one-byte buffer overflow in slapd (#749324)
+
+* Thu Oct 06 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-5
+- rebuild: openldap does not work after libdb rebase (#743824)
+- regression fix: openldap built without tcp_wrappers (#743213)
+
+* Wed Sep 21 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-4
+- new feature update: honor priority/weight with ldap_domain2hostlist (#733078)
+
+* Mon Sep 12 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-3
+- fix: SSL_ForceHandshake function is not thread safe (#701678)
+- fix: allow unsetting of tls_* syncrepl options (#734187)
+
+* Wed Aug 24 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-2
+- security hardening: library needs partial RELRO support added (#733071)
+- fix: NSS_Init* functions are not thread safe (#731112)
+- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819)
+- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818)
+- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067)
+- fix: DDS overlay tolerance parametr doesn't function and breakes default TTL (#733069)
+- manpage fix: errors in manual page slapo-unique (#733070)
+- fix: matching wildcard hostnames in certificate Subject field does not work (#733073)
+- new feature: honor priority/weight with ldap_domain2hostlist (#733078)
+- manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722)
+
+* Sun Aug 14 2011 Rex Dieter <rdieter@fedoraproject.org> - 2.4.26-1.1
+- Rebuilt for rpm (#728707)
+
+* Wed Jul 20 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-1
+- rebase to new upstream release
+- fix: memleak in tlsm_auth_cert_handler (#717730)
+
+* Mon Jun 27 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.25-1
+- rebase to new upstream release
+- change default database type from BDB to HDB
+- enable ldapi:/// interface by default
+- set cn=config management ACLs for root user, SASL external schema (#712495)
+- fix: server scriptlets require initscripts package (#716857)
+- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT
+  is set to 'never' (#716854)
+- fix: segmentation fault caused by double-free in ldapexop (#699683)
+- fix: segmentation fault of client tool when input line in LDIF file
+  is splitted but indented incorrectly (#716855)
+- fix: segmentation fault of client tool when LDIF input file is not terminated
+  by a new line character (#716858)
+
+* Fri Mar 18 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-2
+- new: system resource limiting for slapd using ulimit
+- fix update: openldap can't use TLS after a fork() (#636956)
+- fix: possible null pointer dereference in NSS implementation
+- fix: openldap-servers upgrade hangs or do not upgrade the database (#664433)
+
+* Mon Feb 14 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-1
+- rebase to 2.4.24
+- BDB backend switch from DB4 to DB5
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.23-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Feb 02 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-8
+- fix update: openldap can't use TLS after a fork() (#636956)
+
+* Tue Jan 25 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-7
+- fix: openldap can't use TLS after a fork() (#636956)
+- fix: openldap-server upgrade gets stuck when the database is damaged (#664433)
+
+* Thu Jan 20 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-6
+- fix: some server certificates refused with inadequate type error (#668899)
+- fix: default encryption strength dropped in switch to using NSS (#669446)
+- systemd compatibility: add configuration file (#656647, #668223)
+
+* Thu Jan 06 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-5
+- initscript: slaptest with '-u' to skip database opening (#667768)
+- removed slurpd options from sysconfig/ldap
+- fix: verification of self issued certificates (#657984)
+
+* Mon Nov 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-4
+- Mozilla NSS - implement full non-blocking semantics
+  ldapsearch -Z hangs server if starttls fails (#652822)
+- updated list of all overlays in slapd.conf (#655899)
+- fix database upgrade process (#656257)
+
+* Thu Nov 18 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-3
+- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR
+- reject non-file keyfiles in TLS_CACERTDIR (#652315)
+- TLS_CACERTDIR precedence over TLS_CACERT (#652304)
+- accept only files in hash.0 format in TLS_CACERTDIR (#650288)
+- improve SSL/TLS trace messages (#652818)
+
+* Mon Nov 01 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-2
+- fix possible infinite loop when checking permissions of TLS files (#641946)
+- removed outdated autofs.schema (#643045)
+- removed outdated README.upgrade
+- removed relics of migrationtools
+
+* Fri Aug 27 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-1
+- rebase to 2.4.23
+- embeded db4 library removed
+- removed bogus links in "SEE ALSO" in several man-pages (#624616)
+
+* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
+- Mozilla NSS - delay token auth until needed (#616552)
+- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
+
+* Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.22-6
+- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
+- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)
+- obsolete configuration file moved to /usr/share/openldap-servers (#612602)
+
+* Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-5
+- another shot at previous fix
+
+* Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-4
+- fixed issue with owner of /usr/lib/ldap/__db.* (#609523)
+
+* Thu Jun  3 2010 Rich Megginson <rmeggins@redhat.com> - 2.4.22-3
+- added ldif.h to the public api in the devel package
+- added -lldif to the public api
+- added HAVE_MOZNSS and other flags to use Mozilla NSS for crypto
+
+* Tue May 18 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-2
+- rebuild with connectionless support (#587722)
+- updated autofs schema (#584808)
+
+* Tue May 04 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-1
+- rebased to 2.4.22 (mostly bugfixes, added back-ldif, back-null testing support)
+- due to some possible issues pointed out in last update testing phase, I'm
+  pulling back the last change (slapd can't be moved since it depends on /usr
+  possibly mounted from network)
+
+* Fri Mar 19 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-6
+- moved slapd to start earlier during boot sequence
+
+* Tue Mar 16 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-5
+- minor corrections of init script (#571235, #570057, #573804)
+
+* Wed Feb 24 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-4
+- fixed SIGSEGV when deleting data using hdb (#562227)
+
+* Mon Feb 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-3
+- fixed broken link /usr/sbin/slapschema (#559873)
+
+* Tue Jan 19 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-2
+- removed some static libraries from openldap-devel (#556090)
+
+* Mon Jan 11 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-1
+- rebased openldap to 2.4.21
+- rebased bdb to 4.8.26
+
+* Mon Nov 23 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-3
+- minor corrections in init script
+
+* Mon Nov 16 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-2
+- fixed tls connection accepting when TLSVerifyClient = allow
+- /etc/openldap/ldap.conf removed from files owned by openldap-servers
+- minor changes in spec file to supress warnings
+- some changes in init script, so it would be possible to use it when
+  using old configuration style
+
+* Fri Nov 06 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-1
+- rebased openldap to 2.4.19
+- rebased bdb to 4.8.24
+
+* Wed Oct 07 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-4
+- updated smbk5pwd patch to be linked with libldap (#526500)
+- the last buffer overflow patch replaced with the one from upstream
+- added /etc/openldap/slapd.d and /etc/openldap/slapd.conf.bak
+  to files owned by openldap-servers
+
+* Thu Sep 24 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-3
+- cleanup of previous patch fixing buffer overflow
+
+* Tue Sep 22 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-2
+- changed configuration approach. Instead od slapd.conf slapd
+  is using slapd.d directory now
+- fix of some issues caused by renaming of init script
+- fix of buffer overflow issue in ldif.c pointed out by new glibc
+
+* Fri Sep 18 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-1
+- rebase of openldap to 2.4.18
+
+* Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-7
+- updated documentation (hashing the cacert dir)
+
+* Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-6
+- updated init script to be LSB-compliant (#523434)
+- init script renamed to slapd
+
+* Thu Aug 27 2009 Tomas Mraz <tmraz@redhat.com> - 2.4.16-5
+- rebuilt with new openssl
+
+* Tue Aug 25 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-4
+- updated %%pre script to correctly install openldap group
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 01 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-1
+- rebase of openldap to 2.4.16
+- fixed minor issue in spec file (output looking interactive
+  when installing servers)
+
+* Tue Jun 09 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-4
+- added $SLAPD_URLS variable to init script (#504504)
+
+* Thu Apr 09 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-3
+- extended previous patch (#481310) to remove options cfMP
+  from some client tools
+- correction of patch setugid (#494330)
+
+* Thu Mar 26 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-2
+- removed -f option from some client tools (#481310)
+
+* Wed Feb 25 2009 Jan Safranek <jsafranek@redhat.com> 2.4.15-1
+- new upstream release
+
+* Tue Feb 17 2009 Jan Safranek <jsafranek@redhat.com> 2.4.14-1
+- new upstream release
+- upgraded to db-4.7.25
+
+* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> 2.4.12-3
+- rebuild with new openssl
+
+* Mon Dec 15 2008 Caolán McNamara <caolanm@redhat.com> 2.4.12-2
+- rebuild for libltdl, i.e. copy config.sub|guess from new location
+
+* Wed Oct 15 2008 Jan Safranek <jsafranek@redhat.com> 2.4.12-1
+- new upstream release
+
+* Mon Oct 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-3
+- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins
+  to set non-default slapd shutdown timeout
+- add checkpoint to default slapd.conf file (#458679)
+
+* Mon Sep  1 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-2
+- provide ldif2ldbm functionality for migrationtools
+- rediff all patches to get rid of patch fuzz
+
+* Mon Jul 21 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-1
+- new upstream release
+- apply official bdb-4.6.21 patches
+
+* Wed Jul  2 2008 Jan Safranek <jsafranek@redhat.com> 2.4.10-2
+- fix CVE-2008-2952 (#453728)
+
+* Thu Jun 12 2008 Jan Safranek <jsafranek@redhat.com> 2.4.10-1
+- new upstream release
+
+* Wed May 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.9-5
+- use /sbin/nologin as shell of ldap user (#447919)
+
+* Tue May 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.9-4
+- new upstream release
+- removed unnecessary MigrationTools patches
+
+* Thu Apr 10 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-4
+- bdb upgraded to 4.6.21
+- reworked upgrade logic again to run db_upgrade when bdb version
+  changes
+
+* Wed Mar  5 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-3
+- reworked the upgrade logic, slapcat/slapadd of the whole database
+  is needed only if minor version changes (2.3.x -> 2.4.y)
+- do not try to save database in LDIF format, if openldap-servers package
+  is  being removed (it's up to the admin to do so manually)
+
+* Thu Feb 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-2
+- migration tools carved out to standalone package "migrationtools"
+  (#236697)
+
+* Fri Feb 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-1
+- new upstream release
+
+* Fri Feb  8 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-7
+- fix CVE-2008-0658 (#432014)
+
+* Mon Jan 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-6
+- init script fixes
+
+* Mon Jan 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-5
+- init script made LSB-compliant (#247012)
+
+* Fri Jan 25 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-4
+- fixed rpmlint warnings and errors
+  - /etc/openldap/schema/README moved to /usr/share/doc/openldap
+
+* Tue Jan 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-3
+- obsoleting compat-openldap properly again :)
+
+* Tue Jan 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-2
+- obsoleting compat-openldap properly (#429591)
+
+* Mon Jan 14 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-1
+- new upstream version (openldap-2.4.7)
+
+* Mon Dec  3 2007 Jan Safranek <jsafranek@redhat.com> 2.4.6-1
+- new upstream version (openldap-2.4)
+- deprecating compat- package
+
+* Mon Nov  5 2007 Jan Safranek <jsafranek@redhat.com> 2.3.39-1
+- new upstream release
+
+* Tue Oct 23 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-4
+- fixed multilib issues - all platform independent files have the
+  same content now (#342791)
+
+* Thu Oct  4 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-3
+- BDB downgraded back to 4.4.20 because 4.6.18 is not supported by
+  openldap (#314821)
+
+* Mon Sep 17 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-2
+- skeleton /etc/sysconfig/ldap added
+- new SLAPD_LDAP option to turn off listening on ldap:/// (#292591)
+- fixed checking of SSL (#292611)
+- fixed upgrade with empty database
+
+* Thu Sep  6 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-1
+- new upstream version
+- added images to the guide.html (#273581)
+
+* Wed Aug 22 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-3
+- just rebuild
+
+* Thu Aug  2 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-2
+- do not use specific automake and autoconf
+- do not distinguish between NPTL and non-NPTL platforms, we have NPTL
+  everywhere
+- db-4.6.18 integrated
+- updated openldap-servers License: field to reference BDB license
+
+* Tue Jul 31 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-1
+- new upstream version
+
+* Fri Jul 20 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-7
+- MigrationTools-47 integrated
+
+* Wed Jul  4 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-6
+- fix compat-slapcat compilation. Now it can be found in
+  /usr/lib/compat-openldap/slapcat, because the tool checks argv[0]
+  (#246581)
+
+* Fri Jun 29 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-5
+- smbk5pwd added (#220895)
+- correctly distribute modules between servers and servers-sql packages
+
+* Mon Jun 25 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-4
+- Fix initscript return codes (#242667)
+- Provide overlays (as modules; #246036, #245896)
+- Add available modules to config file
+
+* Tue May 22 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-3
+- do not create script in /tmp on startup (bz#188298)
+- add compat-slapcat to openldap-compat (bz#179378)
+- do not import ddp services with migrate_services.pl
+  (bz#201183)
+- sort the hosts by adders, preventing duplicities
+  in migrate*nis*.pl (bz#201540)
+- start slupd for each replicated database (bz#210155)
+- add ldconfig to devel post/postun (bz#240253)
+- include misc.schema in default slapd.conf (bz#147805)
+
+* Mon Apr 23 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-2
+- slapadd during package update is now quiet (bz#224581)
+- use _localstatedir instead of var/ during build (bz#220970)
+- bind-libbind-devel removed from BuildRequires (bz#216851)
+- slaptest is now quiet during service ldap start, if
+  there is no error/warning (bz#143697)
+- libldap_r.so now links with pthread (bz#198226)
+- do not strip binaries to produce correct .debuginfo packages
+  (bz#152516)
+
+* Mon Feb 19 2007 Jay Fenlason <fenlason<redhat.com> 2.3.34-1
+- New upstream release
+- Upgrade the scripts for migrating the database so that they might
+  actually work.
+- change bind-libbind-devel to bind-devel in BuildPreReq
+
+* Mon Dec  4 2006 Thomas Woerner <twoerner@redhat.com> 2.3.30-1.1
+- tcp_wrappers has a new devel and libs sub package, therefore changing build
+  requirement for tcp_wrappers to tcp_wrappers-devel
+
+* Wed Nov 15 2006 Jay Fenlason <fenlason@redhat.com> 2.3.30-1
+- New upstream version
+
+* Wed Oct 25 2006 Jay Fenlason <fenlason@redhat.com> 2.3.28-1
+- New upstream version
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 2.3.27-4
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Mon Sep 18 2006 Jay Fenlason <fenlason@redhat.com> 2.3.27-3
+- Include --enable-multimaster to close
+  bz#185821: adding slapd_multimaster to the configure options
+- Upgade guide.html to the correct one for openladp-2.3.27, closing
+  bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2
+- Remove the quotes from around the slaptestflags in ldap.init
+  This closes one part of
+  bz#204593: service ldap fails after having added entries to ldap
+- include __db.* in the list of files to check ownership of in
+  ldap.init, as suggested in
+  bz#199322: RFE: perform cleanup in ldap.init
+
+* Fri Aug 25 2006 Jay Fenlason <fenlason@redhat.com> 2.3.27-2
+- New upstream release
+- Include the gethostbyname_r patch so that nss_ldap won't hang
+  on recursive attemts to ldap_initialize.
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.3.24-2.1
+- rebuild
+
+* Wed Jun 7 2006 Jay Fenlason <fenlason@redhat.com> 2.3.24-2
+- New upstream version
+
+* Thu Apr 27 2006 Jay Fenlason <fenlason@redhat.com> 2.3.21-2
+- Upgrade to 2.3.21
+- Add two upstream patches for db-4.4.20
+
+* Mon Feb 13 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-4
+- Re-fix ldap.init
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 2.3.19-3.1
+- bump again for double-long bug on ppc(64)
+
+* Thu Feb 9 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-3
+- Modify the ldap.init script to call runuser correctly.
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 2.3.19-2.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 10 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-2
+- Upgrade to 2.3.19, which upstream now considers stable
+- Modify the -config.patch, ldap.init, and this spec file to put the
+  pid file and args file in an ldap-owned openldap subdirectory under
+  /var/run.
+- Move back_sql* out of _sbindir/openldap , which requires
+  hand-moving slapd and slurpd to _sbindir, and recreating symlinks
+  by hand.
+- Retire openldap-2.3.11-ads.patch, which went upstream.
+- Update the ldap.init script to run slaptest as the ldap user rather
+  than as root.  This solves
+  bz#150172 Startup failure after database problem
+- Add to the servers post and preun scriptlets so that on preun, the
+  database is slapcatted to /var/lib/ldap/upgrade.ldif and the
+  database files are saved to /var/lib/ldap/rpmorig.  On post, if
+  /var/lib/ldap/upgrade.ldif exists, it is slapadded.  This means that
+  on upgrades from 2.3.16-2 to higher versions, the database files may
+  be automatically upgraded.  Unfortunatly, because of the changes to
+  the preun scriptlet, users have to do the slapcat, etc by hand when
+  upgrading to 2.3.16-2.  Also note that the /var/lib/ldap/rpmorig
+  files need to be removed by hand because automatically removing your
+  emergency fallback files is a bad idea.
+- Upgrade internal bdb to db-4.4.20.  For a clean upgrade, this will
+  require that users slapcat their databases into a temp file, move
+  /var/lib/ldap someplace safe, upgrade the openldap rpms, then
+  slapadd the temp file.
+
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Mon Nov 21 2005 Jay Fenlason <fenlason@redhat.com> 2.3.11-3
+- Remove Requires: cyrus-sasl and cyrus-sasl-md5 from openldap- and
+  compat-openldap- to close
+  bz#173313 Remove exlicit 'Requires: cyrus-sasl" + 'Requires: cyrus-sasl-md5'
+
+* Thu Nov 10 2005 Jay Fenlason <fenlason@redhat.com> 2.3.11-2
+- Upgrade to 2.3.11, which upstream now considers stable.
+- Switch compat-openldap to 2.2.29
+- remove references to nss_ldap_build from the spec file
+- remove references to 2.0 and 2.1 from the spec file.
+- reorganize the build() function slightly in the spec file to limit the
+  number of redundant and conflicting options passedto configure.
+- Remove the attempt to hardlink ldapmodify and ldapadd together, since
+  the current make install make ldapadd a symlink to ldapmodify.
+- Include the -ads patches to allow SASL binds to an Active Directory
+  server to work.  Nalin <nalin@redhat.com> wrote the patch, based on my
+  broken first attempt.
+
+* Thu Nov 10 2005 Tomas Mraz <tmraz@redhat.com> 2.2.29-3
+- rebuilt against new openssl
+
+* Mon Oct 10 2005 Jay Fenlason <fenlason@redhat.com> 2.2.29-2
+- New upstream version.
+
+* Thu Sep 29 2005 Jay Fenlason <fenlason@redhat.com> 2.2.28-2
+- Upgrade to nev upstream version.  This makes the 2.2.*-hop patch obsolete.
+
+* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2
+- Move the slapd.pem file to /etc/pki/tls/certs
+  and edit the -config patch to match to close
+  bz#143393  Creates certificates + keys at an insecure/bad place
+- also use _sysconfdir instead of hard-coding /etc
+
+* Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com>
+- Add the tls-fix-connection-test patch to close
+  bz#161991 openldap password disclosure issue
+- add the hop patches to prevent infinite looping when chasing referrals.
+  OpenLDAP ITS #3578
+
+* Fri Aug  5 2005 Nalin Dahyabhai <nalin@redhat.com>
+- fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
+
+* Thu May 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.26-1
+- run slaptest with the -u flag if no id2entry db files are found, because
+  you can't check for read-write access to a non-existent database (#156787)
+- add _sysconfdir/openldap/cacerts, which authconfig sets as the
+  TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+  with embedded whitespace (#158111)
+
+* Wed May  4 2005 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.2.26 (stable 20050429)
+- enable the lmpasswd scheme
+- print a warning if slaptest fails, slaptest -u succeeds, and one of the
+  directories listed as the storage location for a given suffix in slapd.conf
+  contains a readable file named __db.001 (#118678)
+
+* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.25-1
+- update to 2.2.25 (release)
+
+* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.24-1
+- update to 2.2.24 (stable 20050318)
+- export KRB5_KTNAME in the init script, in case it was set in the sysconfig
+  file but not exported
+
+* Tue Mar  1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-4
+- prefer libresolv to libbind
+
+* Tue Mar  1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-3
+- add bind-libbind-devel and libtool-ltdl-devel buildprereqs
+
+* Tue Mar  1 2005 Tomas Mraz <tmraz@redhat.com> 2.2.23-2
+- rebuild with openssl-0.9.7e
+
+* Mon Jan 31 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-1
+- update to 2.2.23 (stable-20050125)
+- update notes on upgrading from earlier versions
+- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
+
+* Tue Jan  4 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.20-1
+- update to 2.2.20 (stable-20050103)
+- warn about unreadable krb5 keytab files containing "ldap" keys
+- warn about unreadable TLS-related files
+- own a ref to subdirectories which we create under _libdir/tls
+
+* Tue Nov  2 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.17-0
+- rebuild
+
+* Thu Sep 30 2004 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.2.17 (stable-20040923) (#135188)
+- move nptl libraries into arch-specific subdirectories on x86 boxes
+- require a newer glibc which can provide nptl libpthread on i486/i586
+
+* Tue Aug 24 2004 Nalin Dahyabhai <nalin@redhat.com>
+- move slapd startup to earlier in the boot sequence (#103160)
+- update to 2.2.15 (stable-20040822)
+- change version number on compat-openldap to include the non-compat version
+  from which it's compiled, otherwise would have to start 2.2.15 at release 3
+  so that it upgrades correctly
+
+* Thu Aug 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-2
+- build a separate, static set of libraries for openldap-devel with the
+  non-standard ntlm bind patch applied, for use by the evolution-connector
+  package (#125579), and installing them under
+  evolution_connector_prefix)
+- provide openldap-evolution-devel = version-release in openldap-devel
+  so that evolution-connector's source package can require a version of
+  openldap-devel which provides what it wants
+
+* Mon Jul 26 2004 Nalin Dahyabhai <nalin@redhat.com>
+- update administrator guide
+
+* Wed Jun 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-1
+- add compat-openldap subpackage
+- default to bdb, as upstream does, gambling that we're only going to be
+  on systems with nptl now
+
+* Tue Jun 15 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-0
+- preliminary 2.2.13 update
+- move ucdata to the -servers subpackage where it belongs
+
+* Tue Jun 15 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.30-1
+- build experimental sql backend as a loadable module
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue May 18 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.30-0
+- update to 2.1.30
+
+* Thu May 13 2004 Thomas Woerner <twoerner@redhat.com> 2.1.29-3
+- removed rpath
+- added pie patch: slapd and slurpd are now pie
+- requires libtool >= 1.5.6-2 (PIC libltdl.a)
+
+* Fri Apr 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-2
+- move rfc documentation from main to -devel (#121025)
+
+* Wed Apr 14 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-1
+- rebuild
+
+* Tue Apr  6 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-0
+- update to 2.1.29 (stable 20040329)
+
+* Mon Mar 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- don't build servers with --with-kpasswd, that option hasn't been recognized
+  since 2.1.23
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> 2.1.25-5.1
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh <twaugh@redhat.com> 2.1.25-5
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Feb 10 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-4
+- remove 'reload' from the init script -- it never worked as intended (#115310)
+
+* Wed Feb  4 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-3
+- commit that last fix correctly this time
+
+* Tue Feb  3 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-2
+- fix incorrect use of find when attempting to detect a common permissions
+  error in the init script (#114866)
+
+* Fri Jan 16 2004 Nalin Dahyabhai <nalin@redhat.com>
+- add bug fix patch for DB 4.2.52
+
+* Thu Jan  8 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-1
+- change logging facility used from daemon to local4 (#112730, reversing #11047)
+  BEHAVIOR CHANGE - SHOULD BE MENTIONED IN THE RELEASE NOTES.
+
+* Wed Jan  7 2004 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate fix for logic quasi-bug in slapd's SASL auxprop code (Dave Jones)
+
+* Thu Dec 18 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.25, now marked STABLE
+
+* Thu Dec 11 2003 Jeff Johnson <jbj@jbj.org> 2.1.22-9
+- update to db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-8
+- add another section to the ABI note for the TLS libdb so that it's marked as
+  not needing an executable stack (from Arjan Van de Ven)
+
+* Thu Oct 16 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-7
+- force bundled libdb to not use O_DIRECT by making it forget that we have it
+
+* Wed Oct 15 2003 Nalin Dahyabhai <nalin@redhat.com>
+- build bundled libdb for slapd dynamically to make the package smaller,
+  among other things
+- on tls-capable arches, build libdb both with and without shared posix
+  mutexes, otherwise just without
+- disable posix mutexes unconditionally for db 4.0, which shouldn't need
+  them for the migration cases where it's used
+- update to MigrationTools 45
+
+* Thu Sep 25 2003 Jeff Johnson <jbj@jbj.org> 2.1.22-6.1
+- upgrade db-4.1.25 to db-4.2.42.
+
+* Fri Sep 12 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-6
+- drop rfc822-MailMember.schema, merged into upstream misc.schema at some point
+
+* Wed Aug 27 2003 Nalin Dahyabhai <nalin@redhat.com>
+- actually require newer libtool, as was intended back in 2.1.22-0, noted as
+  missed by Jim Richardson
+
+* Fri Jul 25 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-5
+- enable rlookups, they don't cost anything unless also enabled in slapd's
+  configuration file
+
+* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-4
+- rebuild
+
+* Thu Jul 17 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-3
+- rebuild
+
+* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-1
+- build
+
+* Mon Jul 14 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-0
+- 2.1.22 now badged stable
+- be more aggressive in what we index by default
+- use/require libtool 1.5
+
+* Mon Jun 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.22
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jun  3 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-1
+- update to 2.1.21
+- enable ldap, meta, monitor, null, rewrite in slapd
+
+* Mon May 19 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-1
+- update to 2.1.20
+
+* Thu May  8 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-1
+- update to 2.1.19
+
+* Mon May  5 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-1
+- switch to db with crypto
+
+* Fri May  2 2003 Nalin Dahyabhai <nalin@redhat.com>
+- install the db utils for the bundled libdb as %%{_sbindir}/slapd_db_*
+- install slapcat/slapadd from 2.0.x for migration purposes
+
+* Wed Apr 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.17
+- disable the shell backend, not expected to work well with threads
+- drop the kerberosSecurityObject schema, the krbName attribute it
+  contains is only used if slapd is built with v2 kbind support
+
+* Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-8
+- back down to db 4.0.x, which 2.0.x can compile with in ldbm-over-db setups
+- tweak SuSE patch to fix a few copy-paste errors and a NULL dereference
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan  7 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-6
+- rebuild
+
+* Mon Dec 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-5
+- rebuild
+
+* Fri Dec 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-4
+- check for setgid as well
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate fixes from SuSE's security audit, except for fixes to ITS 1963,
+  1936, 2007, 2009, which were included in 2.0.26.
+- add two more patches for db 4.1.24 from sleepycat's updates page
+- use openssl pkgconfig data, if any is available
+
+* Mon Nov 11 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-2
+- add patches for db 4.1.24 from sleepycat's updates page
+
+* Mon Nov  4 2002 Nalin Dahyabhai <nalin@redhat.com>
+- add a sample TLSCACertificateFile directive to the default slapd.conf
+
+* Tue Sep 24 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-1
+- update to 2.0.27
+
+* Fri Sep 20 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.26-1
+- update to 2.0.26, db 4.1.24.NC
+
+* Fri Sep 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.25-2
+- change LD_FLAGS to refer to /usr/kerberos/_libdir instead of
+  /usr/kerberos/lib, which might not be right on some arches
+
+* Mon Aug 26 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.25-1
+- update to 2.0.25 "stable", ldbm-over-gdbm (putting off migration of LDBM
+  slapd databases until we move to 2.1.x)
+- use %%{_smp_mflags} when running make
+- update to MigrationTools 44
+- enable dynamic module support in slapd
+
+* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-5
+- rebuild in new environment
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-3
+- use the gdbm backend again
+
+* Mon Feb 18 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-2
+- make slapd.conf read/write by root, read by ldap
+
+* Sun Feb 17 2002 Nalin Dahyabhai <nalin@redhat.com>
+- fix corner case in sendbuf fix
+- 2.0.23 now marked "stable"
+
+* Tue Feb 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-1
+- update to 2.0.23
+
+* Fri Feb  8 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.22-2
+- switch to an internalized Berkeley DB as the ldbm back-end  (NOTE: this breaks
+  access to existing on-disk directory data)
+- add slapcat/slapadd with gdbm for migration purposes
+- remove Kerberos dependency in client libs (the direct Kerberos dependency
+  is used by the server for checking {kerberos} passwords)
+
+* Fri Feb  1 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.22-1
+- update to 2.0.22
+
+* Sat Jan 26 2002 Florian La Roche <Florian.LaRoche@redhat.de> 2.0.21-5
+- prereq chkconfig for server subpackage
+
+* Fri Jan 25 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-4
+- update migration tools to version 40
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-3
+- free ride through the build system
+
+* Wed Jan 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-2
+- update to 2.0.21, now earmarked as STABLE
+
+* Wed Jan 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-2
+- temporarily disable optimizations for ia64 arches
+- specify pthreads at configure-time instead of letting configure guess
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com>
+- and one for Raw Hide
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-0.7
+- build for RHL 7/7.1
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-1
+- update to 2.0.20 (security errata)
+
+* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.19-1
+- update to 2.0.19
+
+* Tue Nov  6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.18-2
+- fix the commented-out replication example in slapd.conf
+
+* Fri Oct 26 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.18-1
+- update to 2.0.18
+
+* Mon Oct 15 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.17-1
+- update to 2.0.17
+
+* Wed Oct 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable kbind support (deprecated, and I suspect unused)
+- configure with --with-kerberos=k5only instead of --with-kerberos=k5
+- build slapd with threads
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.15-2
+- rebuild, 2.0.15 is now designated stable
+
+* Fri Sep 21 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.15-1
+- update to 2.0.15
+
+* Mon Sep 10 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.14-1
+- update to 2.0.14
+
+* Fri Aug 31 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.12-1
+- update to 2.0.12 to pull in fixes for setting of default TLS options, among
+  other things
+- update to migration tools 39
+- drop tls patch, which was fixed better in this release
+
+* Tue Aug 21 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.11-13
+- install saucer correctly
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- try to fix ldap_set_options not being able to set global options related
+  to TLS correctly
+
+* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't attempt to create a cert at install-time, it's usually going
+  to get the wrong CN (#51352)
+
+* Mon Aug  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add a build-time requirement on pam-devel
+- add a build-time requirement on a sufficiently-new libtool to link
+  shared libraries to other shared libraries (which is needed in order
+  for prelinking to work)
+
+* Fri Aug  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- require cyrus-sasl-md5 (support for DIGEST-MD5 is required for RFC
+  compliance) by name (follows from #43079, which split cyrus-sasl's
+  cram-md5 and digest-md5 modules out into cyrus-sasl-md5)
+
+* Fri Jul 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- enable passwd back-end (noted by Alan Sparks and Sergio Kessler)
+
+* Wed Jul 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- start to prep for errata release
+
+* Fri Jul  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- link libldap with liblber
+
+* Wed Jul  4 2001 Than Ngo <than@redhat.com> 2.0.11-6
+- add symlink liblber.so libldap.so and libldap_r.so in /usr/lib
+
+* Tue Jul  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move shared libraries to /lib
+- redo init script for better internationalization (#26154)
+- don't use ldaprc files in the current directory (#38402) (patch from
+  hps@intermeta.de)
+- add BuildPrereq on tcp wrappers since we configure with
+  --enable-wrappers (#43707)
+- don't overflow debug buffer in mail500 (#41751)
+- don't call krb5_free_creds instead of krb5_free_cred_contents any
+  more (#43159)
+
+* Mon Jul  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make config files noreplace (#42831)
+
+* Tue Jun 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- actually change the default config to use the dummy cert
+- update to MigrationTools 38
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- build dummy certificate in %%post, use it in default config
+- configure-time shenanigans to help a confused configure script
+
+* Wed Jun 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- tweak migrate_automount and friends so that they can be run from anywhere
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.11
+
+* Wed May 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.10
+
+* Mon May 21 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.9
+
+* Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.8
+- drop patch which came from upstream
+
+* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Thu Feb  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- back out pidfile patches, which interact weirdly with Linux threads
+- mark non-standard schema as such by moving them to a different directory
+
+* Mon Feb  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to MigrationTools 36, adds netgroup support
+
+* Mon Jan 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix thinko in that last patch
+
+* Thu Jan 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- try to work around some buffering problems
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- gettextize the init script
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- gettextize the init script
+
+* Fri Jan 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move the RFCs to the base package (#21701)
+- update to MigrationTools 34
+
+* Wed Jan 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add support for additional OPTIONS, SLAPD_OPTIONS, and SLURPD_OPTIONS in
+  a /etc/sysconfig/ldap file (#23549)
+
+* Fri Dec 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change automount object OID from 1.3.6.1.1.1.2.9 to 1.3.6.1.1.1.2.13,
+  per mail from the ldap-nis mailing list
+
+* Tue Dec  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- force -fPIC so that shared libraries don't fall over
+
+* Mon Dec  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add Norbert Klasen's patch (via Del) to fix searches using ldaps URLs
+  (OpenLDAP ITS #889)
+- add "-h ldaps:///" to server init when TLS is enabled, in order to support
+  ldaps in addition to the regular STARTTLS (suggested by Del)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- correct mismatched-dn-cn bug in migrate_automount.pl
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to the correct OIDs for automount and automountInformation
+- add notes on upgrading
+
+* Tue Nov  7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.7
+- drop chdir patch (went mainstream)
+
+* Thu Nov  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change automount object classes from auxiliary to structural
+
+* Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to Migration Tools 27
+- change the sense of the last simple patch
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- reorganize the patch list to separate MigrationTools and OpenLDAP patches
+- switch to Luke Howard's rfc822MailMember schema instead of the aliases.schema
+- configure slapd to run as the non-root user "ldap" (#19370)
+- chdir() before chroot() (we don't use chroot, though) (#19369)
+- disable saving of the pid file because the parent thread which saves it and
+  the child thread which listens have different pids
+
+* Wed Oct 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add missing required attributes to conversion scripts to comply with schema
+- add schema for mail aliases, autofs, and kerberosSecurityObject rooted in
+  our own OID tree to define attributes and classes migration scripts expect
+- tweak automounter migration script
+
+* Mon Oct  9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- try adding the suffix first when doing online migrations
+- force ldapadd to use simple authentication in migration scripts
+- add indexing of a few attributes to the default configuration
+- add commented-out section on using TLS to default configuration
+
+* Thu Oct  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.6
+- add buildprereq on cyrus-sasl-devel, krb5-devel, openssl-devel
+- take the -s flag off of slapadd invocations in migration tools
+- add the cosine.schema to the default server config, needed by inetorgperson
+
+* Wed Oct  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add the nis.schema and inetorgperson.schema to the default server config
+- make ldapadd a hard link to ldapmodify because they're identical binaries
+
+* Fri Sep 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.4
+
+* Fri Sep 15 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove prereq on /etc/init.d (#17531)
+- update to 2.0.3
+- add saucer to the included clients
+
+* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.1
+
+* Fri Sep  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.0
+- patch to build against MIT Kerberos 1.1 and later instead of 1.0.x
+
+* Tue Aug 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove that pesky default password
+- change "Copyright:" to "License:"
+
+* Sun Aug 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- adjust permissions in files lists
+- move libexecdir from %%{_prefix}/sbin to %%{_sbindir}
+
+* Fri Aug 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add migrate_automount.pl to the migration scripts set
+
+* Tue Aug  8 2000 Nalin Dahyabhai <nalin@redhat.com>
+- build a semistatic slurpd with threads, everything else without
+- disable reverse lookups, per email on OpenLDAP mailing lists
+- make sure the execute bits are set on the shared libraries
+
+* Mon Jul 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change logging facility used from local4 to daemon (#11047)
+
+* Thu Jul 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- split off clients and servers to shrink down the package and remove the
+  base package's dependency on Perl
+- make certain that the binaries have sane permissions
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the init script back
+
+* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak the init script to only source /etc/sysconfig/network if it's found
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- switch to gdbm; I'm getting off the db merry-go-round
+- tweak the init script some more
+- add instdir to @INC in migration scripts
+
+* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak init script to return error codes properly
+- change initscripts dependency to one on /etc/init.d
+
+* Tue Jul  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- prereq initscripts
+- make migration scripts use mktemp
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- do condrestart in post and stop in preun
+- move init script to /etc/init.d
+
+* Fri Jun 16 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.11
+- add condrestart logic to init script
+- munge migration scripts so that you don't have to be
+  /usr/share/openldap/migration to run them
+- add code to create pid files in /var/run
+
+* Mon Jun  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- FHS tweaks
+- fix for compiling with libdb2
+
+* Thu May  4 2000 Bill Nottingham <notting@redhat.com>
+- minor tweak so it builds on ia64
+
+* Wed May  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
+- backport replacement for the ldapuser patch
+
+* Tue May  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)
+
+* Tue Apr 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.10
+- add revamped version of patch from kos@bastard.net to allow execution as
+  any non-root user
+- remove test suite from %%build because of weirdness in the build system
+
+* Wed Apr 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
+- fix some possible string-handling problems
+
+* Mon Feb 14 2000 Bill Nottingham <notting@redhat.com>
+- start earlier, stop later.
+
+* Thu Feb  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- auto rebuild in new environment (release 4)
+
+* Tue Feb  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add -D_REENTRANT to make threaded stuff more stable, even though it looks
+  like the sources define it, too
+- mark *.ph files in migration tools as config files
+
+* Fri Jan 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.9
+
+* Mon Sep 13 1999 Bill Nottingham <notting@redhat.com>
+- strip files
+
+* Sat Sep 11 1999 Bill Nottingham <notting@redhat.com>
+- update to 1.2.7
+- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
+- take include files out of base package
+
+* Fri Aug 27 1999 Jeff Johnson <jbj@redhat.com>
+- missing ;; in init script reload) (#4734).
+
+* Tue Aug 24 1999 Cristian Gafton <gafton@redhat.com>
+- move stuff from /usr/libexec to /usr/sbin
+- relocate config dirs to /etc/openldap
+
+* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Wed Aug 11 1999 Cristian Gafton <gafton@redhat.com>
+- add the migration tools to the package
+
+* Fri Aug 06 1999 Cristian Gafton <gafton@redhat.com>
+- upgrade to 1.2.6
+- add rc.d script
+- split -devel package
+
+* Sun Feb 07 1999 Preston Brown <pbrown@redhat.com>
+- upgrade to latest stable (1.1.4), it now uses configure macro.
+
+* Fri Jan 15 1999 Bill Nottingham <notting@redhat.com>
+- build on arm, glibc2.1
+
+* Wed Oct 28 1998 Preston Brown <pbrown@redhat.com>
+- initial cut.
+- patches for signal handling on the alpha