diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4cbce33
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+SOURCES/openldap-2.4.46.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
new file mode 100644
index 0000000..7024dfb
--- /dev/null
+++ b/.openldap.metadata
@@ -0,0 +1,2 @@
+444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+a9ae2273eb9bdd70090dafe0d018a3132606bef6 SOURCES/openldap-2.4.46.tgz
diff --git a/SOURCES/check-password-makefile.patch b/SOURCES/check-password-makefile.patch
new file mode 100644
index 0000000..f39ba81
--- /dev/null
+++ b/SOURCES/check-password-makefile.patch
@@ -0,0 +1,41 @@
+--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+
+-OPT=-g -O2 -Wall -fpic \
+- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+- -DCONFIG_FILE="\"$(CONFIG)\"" \
++CFLAGS+=-fpic \
++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
++ -DCONFIG_FILE="\"$(CONFIG)\"" \
+ -DDEBUG
+
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: check_password
+
+ check_password.o:
+- $(CC) $(OPT) -c $(INCS) check_password.c
++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+
+ check_password: clean check_password.o
+- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+
+ install: check_password
+ cp -f check_password.so ../../../usr/lib/openldap/modules/
diff --git a/SOURCES/check-password.patch b/SOURCES/check-password.patch
new file mode 100644
index 0000000..7a79e95
--- /dev/null
+++ b/SOURCES/check-password.patch
@@ -0,0 +1,321 @@
+--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+ "Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+ "Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++ "An unknown error occurred, please see your systems administrator"
+
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+
++struct config_entry {
++ char* key;
++ char* value;
++ char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++ { "useCracklib", NULL, "1"},
++ { "minUpper", NULL, "0"},
++ { "minLower", NULL, "0"},
++ { "minDigit", NULL, "0"},
++ { "minPunct", NULL, "0"},
++ { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++ struct config_entry* centry = config_entries;
++
++ int i = 0;
++ char* key = centry[i].key;
++ while (key != NULL) {
++ if ( strncmp(key, entry, strlen(key)) == 0 ) {
++ if ( centry[i].value == NULL ) {
++ return atoi(centry[i].def_value);
++ }
++ else {
++ return atoi(centry[i].value);
++ }
++ }
++ i++;
++ key = centry[i].key;
++ }
++
++ return -1;
++}
++
++void dealloc_config_entries() {
++ struct config_entry* centry = config_entries;
++
++ int i = 0;
++ while (centry[i].key != NULL) {
++ if ( centry[i].value != NULL ) {
++ ber_memfree(centry[i].value);
++ }
++ i++;
++ }
++}
++
++char* chomp(char *s)
++{
++ char* t = ber_memalloc(strlen(s)+1);
++ strncpy (t,s,strlen(s)+1);
++
++ if ( t[strlen(t)-1] == '\n' ) {
++ t[strlen(t)-1] = '\0';
++ }
++
++ return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+ char * parameter;
+ validator dealer;
+ } list[] = { { "minPoints", set_quality },
+- { "useCracklib", set_cracklib },
+- { "minUpper", set_digit },
+- { "minLower", set_digit },
+- { "minDigit", set_digit },
+- { "minPunct", set_digit },
+- { NULL, NULL } };
++ { "useCracklib", set_cracklib },
++ { "minUpper", set_digit },
++ { "minLower", set_digit },
++ { "minDigit", set_digit },
++ { "minPunct", set_digit },
++ { NULL, NULL } };
+ int index = 0;
+
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+
+ while (list[index].parameter != NULL) {
+ if (strlen(word) == strlen(list[index].parameter) &&
+- strcmp(list[index].parameter, word) == 0) {
++ strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+ return NULL;
+ }
+
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+ FILE * config;
+ char * line;
+ int returnValue = -1;
+
+- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++ line = ber_memcalloc(260, sizeof(char));
++
++ if ( line == NULL ) {
+ return returnValue;
+ }
+
+@@ -133,6 +194,8 @@
+ return returnValue;
+ }
+
++ returnValue = 0;
++
+ while (fgets(line, 256, config) != NULL) {
+ char *start = line;
+ char *word, *value;
+@@ -145,23 +208,40 @@
+
+ while (isspace(*start) && isascii(*start)) start++;
+
+- if (! isascii(*start))
++ /* If we've got punctuation, just skip the line. */
++ if ( ispunct(*start)) {
++#if defined(DEBUG)
++ /* Debug traces to syslog. */
++ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+ continue;
++ }
+
+- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+- if ((value = strtok(NULL, " \t")) == NULL)
+- continue;
++ if( isascii(*start)) {
++
++ struct config_entry* centry = config_entries;
++ int i = 0;
++ char* keyWord = centry[i].key;
++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++ while ( keyWord != NULL ) {
++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+
+ #if defined(DEBUG)
+- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+
+- returnValue = (*dealer)(value);
++ centry[i].value = chomp(value);
++ break;
++ }
++ i++;
++ keyWord = centry[i].key;
++ }
++ }
+ }
+ }
+-
+ fclose(config);
+ ber_memfree(line);
++
+ return returnValue;
+ }
+
+@@ -170,7 +250,7 @@
+ if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+ syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+- curlen, nextlen + MEMORY_MARGIN);
++ curlen, nextlen + MEMORY_MARGIN);
+ #endif
+ ber_memfree(*target);
+ curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+ return curlen;
+ }
+
+- int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+
+@@ -210,20 +290,22 @@
+ nLen = strlen (pPasswd);
+ if ( nLen < 6) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+- strlen(PASSWORD_TOO_SHORT_SZ) +
+- strlen(pEntry->e_name.bv_val) + 1);
++ strlen(PASSWORD_TOO_SHORT_SZ) +
++ strlen(pEntry->e_name.bv_val) + 1);
+ sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ goto fail;
+ }
+
+- /* Read config file */
+- minQuality = read_config_file("minPoints");
++ if (read_config_file() == -1) {
++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++ }
+
+- useCracklib = read_config_file("useCracklib");
+- minUpper = read_config_file("minUpper");
+- minLower = read_config_file("minLower");
+- minDigit = read_config_file("minDigit");
+- minPunct = read_config_file("minPunct");
++ minQuality = get_config_entry_int("minPoints");
++ useCracklib = get_config_entry_int("useCracklib");
++ minUpper = get_config_entry_int("minUpper");
++ minLower = get_config_entry_int("minLower");
++ minDigit = get_config_entry_int("minDigit");
++ minPunct = get_config_entry_int("minPunct");
+
+ /** The password must have at least minQuality strength points with one
+ * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+
+ for ( i = 0; i < nLen; i++ ) {
+
+- if ( nQuality >= minQuality ) break;
+-
+ if ( islower (pPasswd[i]) ) {
+ minLower--;
+ if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+ }
+ }
+
+- if ( nQuality < minQuality ) {
++ /*
++ * If you have a required field, then it should be required in the strength
++ * checks.
++ */
++
++ if (
++ (minLower > 0 ) ||
++ (minUpper > 0 ) ||
++ (minDigit > 0 ) ||
++ (minPunct > 0 ) ||
++ (nQuality < minQuality)
++ ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+- strlen(PASSWORD_QUALITY_SZ) +
+- strlen(pEntry->e_name.bv_val) + 2);
++ strlen(PASSWORD_QUALITY_SZ) +
++ strlen(pEntry->e_name.bv_val) + 2);
+ sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+- nQuality, minQuality);
++ nQuality, minQuality);
+ goto fail;
+ }
+
+@@ -306,7 +397,7 @@
+ for ( j = 0; j < 3; j++ ) {
+
+ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+- CRACKLIB_DICTPATH, ext[j]);
++ CRACKLIB_DICTPATH, ext[j]);
+
+ if (( fp = fopen ( filename, "r")) == NULL ) {
+
+@@ -326,9 +417,9 @@
+ r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ if ( r != NULL ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+- strlen(BAD_PASSWORD_SZ) +
+- strlen(pEntry->e_name.bv_val) +
+- strlen(r));
++ strlen(BAD_PASSWORD_SZ) +
++ strlen(pEntry->e_name.bv_val) +
++ strlen(r));
+ sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ goto fail;
+ }
+@@ -342,15 +433,15 @@
+ }
+
+ #endif
+-
++ dealloc_config_entries();
+ *ppErrStr = strdup ("");
+ ber_memfree(szErrStr);
+ return (LDAP_SUCCESS);
+
+ fail:
++ dealloc_config_entries();
+ *ppErrStr = strdup (szErrStr);
+ ber_memfree(szErrStr);
+ return (EXIT_FAILURE);
+
+ }
+-
diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf
new file mode 100644
index 0000000..02c595f
--- /dev/null
+++ b/SOURCES/ldap.conf
@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT /etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
+
diff --git a/SOURCES/libexec-check-config.sh b/SOURCES/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/SOURCES/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+ retcode=0
+ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+ if [ $? -ne 0 ]; then
+ error "Checking configuration file failed:"
+ cat $tmp_slaptest >&2
+ retcode=1
+ fi
+ rm $tmp_slaptest
+ return $retcode
+}
+
+function check_certs_perms()
+{
+ retcode=0
+ for cert in `certificates`; do
+ run_as_ldap "/usr/bin/test -e \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' was not found." "$cert"
+ retcoder=1
+ continue
+ fi
+ run_as_ldap "/usr/bin/test -r \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
+ retcode=1
+ fi
+ done
+ return $retcode
+}
+
+function check_db_perms()
+{
+ retcode=0
+ for dbdir in `databases`; do
+ [ -d "$dbdir" ] || continue
+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+ if [ $? -ne 0 ]; then
+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
+ retcode=1
+ fi
+ done
+ done
+ return $retcode
+}
+
+function check_everything()
+{
+ retcode=0
+ check_config_syntax || retcode=1
+ # TODO: need support for Mozilla NSS, disabling temporarily
+ #check_certs_perms || retcode=1
+ check_db_perms || retcode=1
+ return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this script."
+ exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+ else
+ check_everything
+ exit $?
+ fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+ else
+ error "Warning: Usage of a configuration file is obsolete!"
+ check_everything
+ exit $?
+ fi
+fi
+
+exit 1
diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions
new file mode 100644
index 0000000..990d2b8
--- /dev/null
+++ b/SOURCES/libexec-functions
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+ SLAPD_USER=ldap
+ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+ SLAPD_CONFIG_CUSTOM=
+ SLAPD_GLOBAL_OPTIONS=
+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+ user=
+ config_file=
+ config_dir=
+ while getopts :u:f:F: opt; do
+ case "$opt" in
+ u)
+ user="$OPTARG"
+ ;;
+ f)
+ config_file="$OPTARG"
+ ;;
+ F)
+ config_dir="$OPTARG"
+ ;;
+ esac
+ done
+
+ if [ -n "$user" ]; then
+ SLAPD_USER="$user"
+ fi
+
+ if [ -n "$config_dir" ]; then
+ SLAPD_CONFIG_DIR="$config_dir"
+ SLAPD_CONFIG_FILE=
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+ elif [ -n "$config_file" ]; then
+ SLAPD_CONFIG_DIR=
+ SLAPD_CONFIG_FILE="$config_file"
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+ fi
+}
+
+function uses_new_config()
+{
+ [ -n "$SLAPD_CONFIG_DIR" ]
+ return $?
+}
+
+function run_as_ldap()
+{
+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+ return $?
+}
+
+function ldif_unbreak()
+{
+ sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+ sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcDbDirectory: ' | \
+ ldif_value
+}
+
+function databases_old()
+{
+ awk 'begin { database="" }
+ $1 == "database" { database=$2 }
+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+ ldif_value
+}
+
+function certificates_old()
+{
+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+ uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+ uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+ format="$1\n"; shift
+ printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+ . "$SLAPD_SYSCONFIG_FILE"
+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
diff --git a/SOURCES/libexec-upgrade-db.sh b/SOURCES/libexec-upgrade-db.sh
new file mode 100755
index 0000000..1543c80
--- /dev/null
+++ b/SOURCES/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this command."
+ exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+ # skip uninitialized database
+ [ -z "$bdb_files"] || continue
+
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+ # perform the update
+ for command in \
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+ ; do
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
+ run_as_ldap "$command" &>>$upgrade_log
+ result=$?
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
+ if [ $result -ne 0 ]; then
+ printf "Upgrade failed: %d\n" $result
+ retcode=1
+ fi
+ done
+done
+
+exit $retcode
diff --git a/SOURCES/openldap-ai-addrconfig.patch b/SOURCES/openldap-ai-addrconfig.patch
new file mode 100644
index 0000000..0858fac
--- /dev/null
+++ b/SOURCES/openldap-ai-addrconfig.patch
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ hints.ai_family = ldap_int_inet4or6;
diff --git a/SOURCES/openldap-allop-overlay.patch b/SOURCES/openldap-allop-overlay.patch
new file mode 100644
index 0000000..608ee44
--- /dev/null
+++ b/SOURCES/openldap-allop-overlay.patch
@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1319782
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ translucent.c \
+ unique.c \
+ valsort.c \
+- smbk5pwd.c
++ smbk5pwd.c \
++ allop.c
+ OBJS = statover.o \
+ @SLAPD_STATIC_OVERLAYS@ \
+ overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ smbk5pwd.la : smbk5pwd.lo
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++allop.lo : allop.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local: $(PROGRAMS)
+ @if test -n "$?" ; then \
+ $(MKDIR) $(DESTDIR)$(moduledir); \
diff --git a/SOURCES/openldap-ldapi-sasl.patch b/SOURCES/openldap-ldapi-sasl.patch
new file mode 100644
index 0000000..058cc1c
--- /dev/null
+++ b/SOURCES/openldap-ldapi-sasl.patch
@@ -0,0 +1,55 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+ libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+ 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+ struct berval ccred = BER_BVNULL;
+ int saslrc, rc;
+ unsigned credlen;
++ char my_hostname[HOST_NAME_MAX + 1];
++ int free_saslhost = 0;
+
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+ mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+
+ /* If we don't need to canonicalize just use the host
+ * from the LDAP URI.
++ * Always use the result of gethostname() for LDAPI.
+ */
+- if ( nocanon )
++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++ if (rc == 0) {
++ saslhost = my_hostname;
++ } else {
++ saslhost = "localhost";
++ }
++ } else if ( nocanon )
+ saslhost = ld->ld_defconn->lconn_server->lud_host;
+- else
++ else {
+ saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ "localhost" );
++ free_saslhost = 1;
++ }
+ rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+- if ( !nocanon )
++ if ( free_saslhost )
+ LDAP_FREE( saslhost );
+ }
+
+--
+1.7.11.7
+
diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch
new file mode 100644
index 0000000..b69a391
--- /dev/null
+++ b/SOURCES/openldap-manpages.patch
@@ -0,0 +1,73 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ This parameter is ignored with GnuTLS.
+
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd
++ slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++ slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-Tt
++ slapd -Tt
+ .ft
+ .fi
+ .LP
+--
+1.8.1.4
+
diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch
new file mode 100644
index 0000000..61e1df5
--- /dev/null
+++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch
@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author: Howard Chu <hyc@openldap.org>
+Date: Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 9c72e8296..2311c3096 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -922,6 +922,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B olcTLSProtocolMin: <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f504adcf9..ef03e0ad8 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1153,6 +1153,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B TLSProtocolMin <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651c2..0964a193e 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_NEWCTX 0x600f
+ #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE 0x6011
++#define LDAP_OPT_X_TLS_ECNAME 0x6012
+
+ #define LDAP_OPT_X_TLS_NEVER 0
+ #define LDAP_OPT_X_TLS_HARD 1
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 66e04ae80..db7193f4f 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+ char *lt_ciphersuite;
+ char *lt_crlfile;
+ char *lt_randfile; /* OpenSSL only */
++ char *lt_ecname; /* OpenSSL only */
+ int lt_protocol_min;
+ };
+ #endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+ #define ldo_tls_certfile ldo_tls_info.lt_certfile
+ #define ldo_tls_keyfile ldo_tls_info.lt_keyfile
+ #define ldo_tls_dhfile ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname ldo_tls_info.lt_ecname
+ #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
+ #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
+ #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190ea..0451b01af 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ LDAP_FREE( lo->ldo_tls_dhfile );
+ lo->ldo_tls_dhfile = NULL;
+ }
++ if ( lo->ldo_tls_ecname ) {
++ LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = NULL;
++ }
+ if ( lo->ldo_tls_cacertfile ) {
+ LDAP_FREE( lo->ldo_tls_cacertfile );
+ lo->ldo_tls_cacertfile = NULL;
+@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+ lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+ __atoe( lts.lt_dhfile );
+ }
++ if ( lts.lt_ecname ) {
++ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++ __atoe( lts.lt_ecname );
++ }
+ #endif
+ lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+ if ( lo->ldo_tls_ctx == NULL ) {
+@@ -257,6 +265,7 @@ error_exit:
+ LDAP_FREE( lts.lt_crlfile );
+ LDAP_FREE( lts.lt_cacertdir );
+ LDAP_FREE( lts.lt_dhfile );
++ LDAP_FREE( lts.lt_ecname );
+ #endif
+ return rc;
+ }
+@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ *(char **)arg = lo->ldo_tls_dhfile ?
+ LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+ break;
++ case LDAP_OPT_X_TLS_ECNAME:
++ *(char **)arg = lo->ldo_tls_ecname ?
++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++ break;
+ case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+ *(char **)arg = lo->ldo_tls_crlfile ?
+ LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+ lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
++ case LDAP_OPT_X_TLS_ECNAME:
++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ return 0;
+ case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+ if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+ lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f24060b7e..1370923af 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ return -1;
+ }
+
+- if ( lo->ldo_tls_dhfile ) {
+- DH *dh = NULL;
++ if ( is_server && lo->ldo_tls_dhfile ) {
++ DH *dh;
+ BIO *bio;
+- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+
+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ }
+ BIO_free( bio );
+ SSL_CTX_set_tmp_dh( ctx, dh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++ DH_free( dh );
++ }
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++ if ( is_server && lo->ldo_tls_ecname ) {
++ EC_KEY *ecdh;
++
++ int nid = OBJ_sn2nid( lt->lt_ecname );
++ if ( nid == NID_undef ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ ecdh = EC_KEY_new_by_curve_name( nid );
++ if ( ecdh == NULL ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not generate key for EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++ EC_KEY_free( ecdh );
+ }
++#endif
+
+ if ( tlso_opt_trace ) {
+ SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..8b1e4e582 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+ CFG_ACL_ADD,
+ CFG_SYNC_SUBENTRY,
+ CFG_LTHREADS,
++ CFG_TLS_ECNAME,
+
+ CFG_LAST
+ };
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++ { "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++ ARG_IGNORED, NULL,
++#endif
++ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSProtocolMin", NULL, 2, 2, 0,
+ #ifdef HAVE_TLS
+ CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+ "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+ "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+ "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+ "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+ "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+ "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+ case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
+ case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
+ case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
+ #ifdef HAVE_GNUTLS
+ case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
+ #endif
diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch
new file mode 100644
index 0000000..6c28f3f
--- /dev/null
+++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch
@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ DH_free( dh );
+ }
+
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+ if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
++ return -1;
++#else
+ EC_KEY *ecdh;
+
+ int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ EC_KEY_free( ecdh );
+- }
+ #endif
++ }
+
+ if ( tlso_opt_trace ) {
+ SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/SOURCES/openldap-openssl-manpage-defaultCA.patch b/SOURCES/openldap-openssl-manpage-defaultCA.patch
new file mode 100644
index 0000000..7ec2caa
--- /dev/null
+++ b/SOURCES/openldap-openssl-manpage-defaultCA.patch
@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT <filename>
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite: <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
diff --git a/SOURCES/openldap-reentrant-gethostby.patch b/SOURCES/openldap-reentrant-gethostby.patch
new file mode 100644
index 0000000..140b6e3
--- /dev/null
+++ b/SOURCES/openldap-reentrant-gethostby.patch
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
diff --git a/SOURCES/openldap-smbk5pwd-overlay.patch b/SOURCES/openldap-smbk5pwd-overlay.patch
new file mode 100644
index 0000000..38936cf
--- /dev/null
+++ b/SOURCES/openldap-smbk5pwd-overlay.patch
@@ -0,0 +1,62 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ syncprov.c \
+ translucent.c \
+ unique.c \
+- valsort.c
++ valsort.c \
++ smbk5pwd.c
+ OBJS = statover.o \
+ @SLAPD_STATIC_OVERLAYS@ \
+ overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+
++smbk5pwd.lo : smbk5pwd.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local: $(PROGRAMS)
+ @if test -n "$?" ; then \
+ $(MKDIR) $(DESTDIR)$(moduledir); \
+--
+1.7.10.4
+
diff --git a/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
new file mode 100644
index 0000000..ed4f2ad
--- /dev/null
+++ b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
@@ -0,0 +1,41 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+---
+--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
+ return -1; /* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -180,7 +194,7 @@
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
diff --git a/SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch b/SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch
new file mode 100644
index 0000000..f7a1259
--- /dev/null
+++ b/SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch
@@ -0,0 +1,224 @@
+From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Fri, 10 Jan 2020 18:35:02 +0100
+Subject: [PATCH] Use OpenSSL API to verify host
+
+Replace custom hostname and IP address verification with OpenSSL 1.0.2
+APIs.
+---
+ libraries/libldap/tls_o.c | 184 ++++++--------------------------------
+ 1 file changed, 28 insertions(+), 156 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index e52c5507c..5adf7b74f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
+ return 0;
+ }
+
+-/* what kind of hostname were we given? */
+-#define IS_DNS 0
+-#define IS_IP4 1
+-#define IS_IP6 2
+-
+ static int
+ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ {
+ tlso_session *s = (tlso_session *)sess;
+- int i, ret = LDAP_LOCAL_ERROR;
++ int ret = LDAP_LOCAL_ERROR;
+ X509 *x;
+ const char *name;
+- char *ptr;
+- int ntype = IS_DNS, nlen;
+-#ifdef LDAP_PF_INET6
+- struct in6_addr addr;
+-#else
+- struct in_addr addr;
+-#endif
++ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
++ ASN1_OCTET_STRING *ip;
+
+ if( ldap_int_hostname &&
+ ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
+@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ } else {
+ name = name_in;
+ }
+- nlen = strlen(name);
+
+ x = tlso_get_cert(s);
+ if (!x) {
+@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ return LDAP_SUCCESS;
+ }
+
+-#ifdef LDAP_PF_INET6
+- if (inet_pton(AF_INET6, name, &addr)) {
+- ntype = IS_IP6;
+- } else
+-#endif
+- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
+- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
+- }
+-
+- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+- if (i >= 0) {
+- X509_EXTENSION *ex;
+- STACK_OF(GENERAL_NAME) *alt;
+-
+- ex = X509_get_ext(x, i);
+- alt = X509V3_EXT_d2i(ex);
+- if (alt) {
+- int n, len2 = 0;
+- char *domain = NULL;
+- GENERAL_NAME *gn;
+-
+- if (ntype == IS_DNS) {
+- domain = strchr(name, '.');
+- if (domain) {
+- len2 = nlen - (domain-name);
+- }
+- }
+- n = sk_GENERAL_NAME_num(alt);
+- for (i=0; i<n; i++) {
+- char *sn;
+- int sl;
+- gn = sk_GENERAL_NAME_value(alt, i);
+- if (gn->type == GEN_DNS) {
+- if (ntype != IS_DNS) continue;
+-
+- sn = (char *) ASN1_STRING_data(gn->d.ia5);
+- sl = ASN1_STRING_length(gn->d.ia5);
+-
+- /* ignore empty */
+- if (sl == 0) continue;
+-
+- /* Is this an exact match? */
+- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
+- break;
+- }
+-
+- /* Is this a wildcard match? */
+- if (domain && (sn[0] == '*') && (sn[1] == '.') &&
+- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
+- {
+- break;
+- }
+-
+- } else if (gn->type == GEN_IPADD) {
+- if (ntype == IS_DNS) continue;
+-
+- sn = (char *) ASN1_STRING_data(gn->d.ia5);
+- sl = ASN1_STRING_length(gn->d.ia5);
+-
+-#ifdef LDAP_PF_INET6
+- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
+- continue;
+- } else
+-#endif
+- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
+- continue;
+- }
+- if (!memcmp(sn, &addr, sl)) {
+- break;
+- }
+- }
+- }
+-
+- GENERAL_NAMES_free(alt);
+- if (i < n) { /* Found a match */
+- ret = LDAP_SUCCESS;
+- }
+- }
+- }
+-
+- if (ret != LDAP_SUCCESS) {
+- X509_NAME *xn;
+- X509_NAME_ENTRY *ne;
+- ASN1_OBJECT *obj;
+- ASN1_STRING *cn = NULL;
+- int navas;
+-
+- /* find the last CN */
+- obj = OBJ_nid2obj( NID_commonName );
+- if ( !obj ) goto no_cn; /* should never happen */
+-
+- xn = X509_get_subject_name(x);
+- navas = X509_NAME_entry_count( xn );
+- for ( i=navas-1; i>=0; i-- ) {
+- ne = X509_NAME_get_entry( xn, i );
+- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
+- cn = X509_NAME_ENTRY_get_data( ne );
+- break;
+- }
++ /* attempt to encode name as IP address */
++ ip = a2i_IPADDRESS(name);
++ if (ip == NULL) {
++ ERR_clear_error();
++ /* it's a hostname */
++ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
++ ret = LDAP_SUCCESS;
+ }
+-
+- if( !cn )
+- {
+-no_cn:
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: unable to get common name from peer certificate.\n",
+- 0, 0, 0 );
+- ret = LDAP_CONNECT_ERROR;
+- if ( ld->ld_error ) {
+- LDAP_FREE( ld->ld_error );
+- }
+- ld->ld_error = LDAP_STRDUP(
+- _("TLS: unable to get CN from peer certificate"));
+-
+- } else if ( cn->length == nlen &&
+- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
++ } else {
++ /* It's an IPv4 or IPv6 address */
++ if (X509_check_ip(x, ASN1_STRING_data(ip),
++ ASN1_STRING_length(ip), 0) == 1) {
+ ret = LDAP_SUCCESS;
+-
+- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+- char *domain = strchr(name, '.');
+- if( domain ) {
+- int dlen;
+-
+- dlen = nlen - (domain-name);
+-
+- /* Is this a wildcard match? */
+- if ((dlen == cn->length-1) &&
+- !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+- ret = LDAP_SUCCESS;
+- }
+- }
+ }
++ ASN1_OCTET_STRING_free(ip);
++ }
+
+- if( ret == LDAP_LOCAL_ERROR ) {
+- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+- "common name in certificate (%.*s).\n",
+- name, cn->length, cn->data );
+- ret = LDAP_CONNECT_ERROR;
+- if ( ld->ld_error ) {
+- LDAP_FREE( ld->ld_error );
+- }
+- ld->ld_error = LDAP_STRDUP(
+- _("TLS: hostname does not match CN in peer certificate"));
++ if( ret == LDAP_LOCAL_ERROR ) {
++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
++ "peer certificate.\n", name, 0, 0);
++ ret = LDAP_CONNECT_ERROR;
++ if ( ld->ld_error ) {
++ LDAP_FREE( ld->ld_error );
+ }
++ ld->ld_error = LDAP_STRDUP(
++ _("TLS: hostname does not match peer certificate"));
+ }
+ X509_free(x);
+ return ret;
diff --git a/SOURCES/slapd.ldif b/SOURCES/slapd.ldif
new file mode 100644
index 0000000..a4ae4c0
--- /dev/null
+++ b/SOURCES/slapd.ldif
@@ -0,0 +1,158 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
new file mode 100644
index 0000000..30821fd
--- /dev/null
+++ b/SOURCES/slapd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service
diff --git a/SOURCES/slapd.tmpfiles b/SOURCES/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/SOURCES/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
new file mode 100644
index 0000000..61140f2
--- /dev/null
+++ b/SPECS/openldap.spec
@@ -0,0 +1,2127 @@
+%global _hardened_build 1
+
+%global systemctl_bin /usr/bin/systemctl
+%global check_password_version 1.1
+
+Name: openldap
+Version: 2.4.46
+Release: 11%{?dist}
+Summary: LDAP support libraries
+License: OpenLDAP
+URL: http://www.openldap.org/
+
+Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
+Source1: slapd.service
+Source2: slapd.tmpfiles
+Source3: slapd.ldif
+Source4: ldap.conf
+Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
+Source50: libexec-functions
+Source52: libexec-check-config.sh
+Source53: libexec-upgrade-db.sh
+
+# patches for 2.4
+Patch0: openldap-manpages.patch
+Patch2: openldap-reentrant-gethostby.patch
+Patch3: openldap-smbk5pwd-overlay.patch
+Patch5: openldap-ai-addrconfig.patch
+Patch17: openldap-allop-overlay.patch
+
+# fix back_perl problems with lt_dlopen()
+# might cause crashes because of symbol collisions
+# the proper fix is to link all perl modules against libperl
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
+Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
+# ldapi sasl fix pending upstream inclusion
+Patch20: openldap-ldapi-sasl.patch
+Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
+Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
+Patch24: openldap-openssl-manpage-defaultCA.patch
+Patch25: openldap-tlso-use-openssl-api-to-verify-host.patch
+
+# check-password module specific patches
+Patch90: check-password-makefile.patch
+Patch91: check-password.patch
+
+BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
+BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
+
+%description
+OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap package contains configuration files,
+libraries, and documentation for OpenLDAP.
+
+%package devel
+Summary: LDAP development libraries and header files
+Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
+
+%description devel
+The openldap-devel package includes the development libraries and
+header files needed for compiling applications that use LDAP
+(Lightweight Directory Access Protocol) internals. LDAP is a set of
+protocols for enabling directory services over the Internet. Install
+this package only if you plan to develop or will need to compile
+customized LDAP clients.
+
+%package servers
+Summary: LDAP server
+License: OpenLDAP
+Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
+Requires(pre): shadow-utils
+BuildRequires: systemd
+%{?systemd_requires}
+BuildRequires: libdb-devel
+BuildRequires: cracklib-devel
+# migrationtools (slapadd functionality):
+Provides: ldif2ldbm
+
+%description servers
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. This package contains the slapd server and related files.
+
+%package clients
+Summary: LDAP client utilities
+Requires: openldap%{?_isa} = %{version}-%{release}
+
+%description clients
+OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
+Protocol) applications and development tools. LDAP is a set of
+protocols for accessing directory services (usually phone book style
+information, but other information is possible) over the Internet,
+similar to the way DNS (Domain Name System) information is propagated
+over the Internet. The openldap-clients package contains the client
+programs needed for accessing and modifying OpenLDAP directories.
+
+%prep
+%setup -q -c -a 0 -a 10
+
+pushd openldap-%{version}
+
+AUTOMAKE=%{_bindir}/true autoreconf -fi
+
+%patch0 -p1
+%patch2 -p1
+%patch3 -p1
+%patch5 -p1
+%patch17 -p1
+%patch19 -p1
+%patch20 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+
+# build smbk5pwd with other overlays
+ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
+mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+# build allop with other overlays
+ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
+mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
+mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
+
+mv servers/slapd/back-perl/README{,.back_perl}
+
+# fix documentation encoding
+for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do
+ iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
+ mv "$filename.utf8" "$filename"
+done
+
+popd
+
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+%patch90 -p1
+%patch91 -p1
+popd
+
+%build
+
+%set_build_flags
+# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
+export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
+
+pushd openldap-%{version}
+%configure \
+ --enable-debug \
+ --enable-dynamic \
+ \
+ --enable-dynacl \
+ --enable-cleartext \
+ --enable-crypt \
+ --enable-lmpasswd \
+ --enable-spasswd \
+ --enable-modules \
+ --enable-rewrite \
+ --enable-rlookups \
+ --enable-slapi \
+ --disable-slp \
+ \
+ --enable-backends=mod \
+ --enable-bdb=yes \
+ --enable-hdb=yes \
+ --enable-mdb=yes \
+ --enable-monitor=yes \
+ --disable-ndb \
+ --disable-sql \
+ \
+ --enable-overlays=mod \
+ \
+ --disable-static \
+ \
+ --with-cyrus-sasl \
+ --without-fetch \
+ --with-threads \
+ --with-pic \
+ --with-gnu-ld \
+ \
+ --libexecdir=%{_libdir}
+
+make %{_smp_mflags}
+popd
+
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+make LDAP_INC="-I../openldap-%{version}/include \
+ -I../openldap-%{version}/servers/slapd \
+ -I../openldap-%{version}/build-servers/include"
+popd
+
+%install
+
+mkdir -p %{buildroot}%{_libdir}/
+
+pushd openldap-%{version}
+make install DESTDIR=%{buildroot} STRIP=""
+popd
+
+# install check_password module
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+mv check_password.so check_password.so.%{check_password_version}
+ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so
+install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
+# install -m 644 README %{buildroot}%{_libdir}/openldap
+install -d -m 755 %{buildroot}%{_sysconfdir}/openldap
+cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <<EOF
+# OpenLDAP pwdChecker library configuration
+
+#useCracklib 1
+#minPoints 3
+#minUpper 0
+#minLower 0
+#minDigit 0
+#minPunct 0
+EOF
+mv README{,.check_pwd}
+popd
+
+# setup directories for TLS certificates
+mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs
+
+# setup data and runtime directories
+mkdir -p %{buildroot}%{_sharedstatedir}
+mkdir -p %{buildroot}%{_localstatedir}
+install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
+install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
+
+# setup autocreation of runtime directories on tmpfs
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf
+
+# install default ldap.conf (customized)
+rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+
+# setup maintainance scripts
+mkdir -p %{buildroot}%{_libexecdir}
+install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
+install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
+install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
+install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
+
+# remove build root from config files and manual pages
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
+perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
+
+# we don't need the default files -- RPM handles changes
+rm -f %{buildroot}%{_sysconfdir}/openldap/*.default
+rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
+
+# install an init script for the servers
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
+
+# move slapd out of _libdir
+mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
+
+# setup tools as symlinks to slapd
+rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done
+
+# re-symlink unversioned libraries, so ldconfig is not confused
+pushd %{buildroot}%{_libdir}
+v=%{version}
+version=$(echo ${v%.[0-9]*})
+for lib in liblber libldap libldap_r libslapi; do
+ rm -f ${lib}.so
+ ln -s ${lib}-${version}.so.2 ${lib}.so
+done
+popd
+
+# tweak permissions on the libraries to make sure they're correct
+chmod 0755 %{buildroot}%{_libdir}/lib*.so*
+chmod 0644 %{buildroot}%{_libdir}/lib*.*a
+
+# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
+mkdir -p %{buildroot}%{_datadir}
+install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
+install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
+install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
+
+# move doc files out of _sysconfdir
+mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
+mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+
+# remove files which we don't want packaged
+rm -f %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet
+
+rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
+rmdir %{buildroot}%{_localstatedir}/openldap-data
+
+%ldconfig_scriptlets
+
+%pre servers
+
+# create ldap user and group
+getent group ldap &>/dev/null || groupadd -r -g 55 ldap
+getent passwd ldap &>/dev/null || \
+ useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
+
+if [ $1 -eq 2 ]; then
+ # package upgrade
+
+ old_version=$(rpm -q --qf=%%{version} openldap-servers)
+ new_version=%{version}
+
+ if [ "$old_version" != "$new_version" ]; then
+ touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null
+ fi
+fi
+
+exit 0
+
+
+%post servers
+%systemd_post slapd.service
+
+# generate configuration if necessary
+if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
+ ! -f %{_sysconfdir}/openldap/slapd.conf
+ ]]; then
+ # if there is no configuration available, generate one from the defaults
+ mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
+ /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif
+ chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
+ %{systemctl_bin} try-restart slapd.service &>/dev/null
+fi
+
+start_slapd=0
+
+# upgrade the database
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
+ if %{systemctl_bin} --quiet is-active slapd.service; then
+ %{systemctl_bin} stop slapd.service
+ start_slapd=1
+ fi
+
+ %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
+fi
+
+# restart after upgrade
+if [ $1 -ge 1 ]; then
+ if [ $start_slapd -eq 1 ]; then
+ %{systemctl_bin} start slapd.service &>/dev/null || :
+ else
+ %{systemctl_bin} condrestart slapd.service &>/dev/null || :
+ fi
+fi
+
+exit 0
+
+%preun servers
+%systemd_preun slapd.service
+
+%postun servers
+%systemd_postun_with_restart slapd.service
+
+%triggerin servers -- libdb
+
+# libdb upgrade (setup for %%triggerun)
+if [ $2 -eq 2 ]; then
+ # we are interested in minor version changes (both versions of libdb are installed at this moment)
+ if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
+ touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ else
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ fi
+fi
+
+exit 0
+
+
+%triggerun servers -- libdb
+
+# libdb upgrade (finish %%triggerin)
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
+ if %{systemctl_bin} --quiet is-active slapd.service; then
+ %{systemctl_bin} stop slapd.service
+ start=1
+ else
+ start=0
+ fi
+
+ %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+
+ [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
+fi
+
+exit 0
+
+
+%files
+%doc openldap-%{version}/ANNOUNCEMENT
+%doc openldap-%{version}/CHANGES
+%license openldap-%{version}/COPYRIGHT
+%license openldap-%{version}/LICENSE
+%doc openldap-%{version}/README
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/certs
+%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%dir %{_libexecdir}/openldap/
+%{_libdir}/liblber-2.4*.so.*
+%{_libdir}/libldap-2.4*.so.*
+%{_libdir}/libldap_r-2.4*.so.*
+%{_libdir}/libslapi-2.4*.so.*
+%{_mandir}/man5/ldif.5*
+%{_mandir}/man5/ldap.conf.5*
+
+%files servers
+%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+%doc openldap-%{version}/doc/guide/admin/*.html
+%doc openldap-%{version}/doc/guide/admin/*.png
+%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
+%doc README.schema
+%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
+%config(noreplace) %{_sysconfdir}/openldap/schema
+%config(noreplace) %{_sysconfdir}/openldap/check_password.conf
+%{_tmpfilesdir}/slapd.conf
+%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
+%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
+%{_unitdir}/slapd.service
+%{_datadir}/openldap-servers/
+%{_libdir}/openldap/accesslog*
+%{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/allop*
+%{_libdir}/openldap/back_dnssrv*
+%{_libdir}/openldap/back_ldap*
+%{_libdir}/openldap/back_meta*
+%{_libdir}/openldap/back_null*
+%{_libdir}/openldap/back_passwd*
+%{_libdir}/openldap/back_relay*
+%{_libdir}/openldap/back_shell*
+%{_libdir}/openldap/back_sock*
+%{_libdir}/openldap/back_perl*
+%{_libdir}/openldap/collect*
+%{_libdir}/openldap/constraint*
+%{_libdir}/openldap/dds*
+%{_libdir}/openldap/deref*
+%{_libdir}/openldap/dyngroup*
+%{_libdir}/openldap/dynlist*
+%{_libdir}/openldap/memberof*
+%{_libdir}/openldap/pcache*
+%{_libdir}/openldap/ppolicy*
+%{_libdir}/openldap/refint*
+%{_libdir}/openldap/retcode*
+%{_libdir}/openldap/rwm*
+%{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/smbk5pwd*
+%{_libdir}/openldap/sssvlv*
+%{_libdir}/openldap/syncprov*
+%{_libdir}/openldap/translucent*
+%{_libdir}/openldap/unique*
+%{_libdir}/openldap/valsort*
+%{_libdir}/openldap/check_password*
+%{_libexecdir}/openldap/functions
+%{_libexecdir}/openldap/check-config.sh
+%{_libexecdir}/openldap/upgrade-db.sh
+%{_sbindir}/sl*
+%{_mandir}/man8/*
+%{_mandir}/man5/slapd*.5*
+%{_mandir}/man5/slapo-*.5*
+# obsolete configuration
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
+
+%files clients
+%{_bindir}/*
+%{_mandir}/man1/*
+
+%files devel
+%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
+%{_libdir}/lib*.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+%changelog
+* Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
+- Use OpenSSL-1.0.2+ API for host name verification (#1788572)
+
+* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
+- Do not fallback to checking CN when no SAN matched (#1740070)
+
+* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
+- Reference default system-wide CA certificates in manpages (#1611624)
+
+* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
+- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 6 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-6
+- Build with LDAP_USE_NON_BLOCKING_TLS (#1594928)
+- Remove unused leftover MozNSS Compat. Layer references (cont.) (#1557967)
+
+* Fri Jul 06 2018 Petr Pisar <ppisar@redhat.com> - 2.4.46-5
+- Perl 5.28 rebuild
+
+* Wed Jul 4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-4
+- Remove unused leftover MozNSS Compat. Layer references (#1557967)
+
+* Wed Jul 4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-3
+- MozNSS Compat. Layer: Make log messages more clear (#1598103)
+- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1595203)
+
+* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.46-2
+- Perl 5.28 rebuild
+- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1564161)
+
+* Tue Mar 27 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-1
+- Rebase to version OpenLDAP 2.4.46 (#1559652)
+
+* Mon Mar 5 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-14
+- Utilize system-wide crypto-policies (#1483979)
+
+* Thu Mar 1 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-13
+- fix: openldap does not use Fedora build flags
+ + makes use of redhat-rpm-config package
+- Drop superfluous back-sql linking patch
+
+* Wed Feb 28 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-12
+- MozNSS Compat. Layer: fix: libldap tlsmc continues even after it fails to extract CA certificates (#1550110)
+
+* Wed Feb 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-11
+- TLS: Use system trusted CA store by default (#1270678, #1537259)
+
+* Sun Feb 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-10
+- Complete change: Disable TLSMC in F29+
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.45-9
+- Escape macros in %%changelog
+- Disable TLSMC in F29+
+- Remove obsolete Group tag
+- Don't call ldconfig in servers subpackage
+- Switch to %%ldconfig_scriptlets
+- Remove unneeded Requires(post): systemd-sysv, chkconfig
+- Switch to %%systemd_requires
+- Change BuildRequires: systemd-units to systemd
+
+* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-8
+- Drop TCP wrappers support (#1531487)
+
+* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
+- MozNSS Compat. Layer fixes (#1400570)
+ - fix incorrect parsing of CACertDir (orig. #1533955)
+ - fix PIN disclaimer not always shown (orig. #1516409)
+ - fix recursive directory deletion (orig. #1516409)
+ - Ensure consistency of a PEM dir before usage (orig. #1516409)
+ + Warn just before use of a PIN about key file extraction
+ - Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+ + Fix a possible invalid dereference (covscan)
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
+- Rebuilt for switch to libxcrypt
+
+* Wed Dec 6 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-5
+- Fix issues in MozNSS compatibility layer (#1400570)
+ + Force write file with fsync to avoid race conditions
+ + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix
+ + Allow missing cert and key which is a valid usecase
+ + Create extraction folder only in /tmp to simplify selinux rules
+ + Fix Covscan issues
+
+* Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
+- Build with OpenSSL with MozNSS compatibility layer (#1400570)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 7 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-1
+- Rebase to version 2.4.45 (#1458081)
+ * fixes CVE-2017-9287 (#1456712, #1456713)
+- Update the 'sources' file with new SHA512 hashes
+
+* Fri Jul 7 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-12
+- Change Requires to Recommends for nss-tools (#1415086)
+
+* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-11
+- Perl 5.26 rebuild
+
+* Fri Mar 31 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
+- NSS: Maximal TLS protocol version should be equal to NSS default (#1435692)
+
+* Thu Mar 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
+- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435692)
+- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435692)
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.44-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
+- NSS: Update list of ciphers (#1387868)
+
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
+- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)
+
+* Thu Jan 26 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
+- NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517)
+
+* Mon Jan 23 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
+- fix previous commit (#1375432)
+
+* Fri Jan 20 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
+- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
+- fix: slapd should start after network-online.service (#1336487)
+
+* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
+- Perl 5.24 rebuild
+
+* Wed May 11 2016 Matus Honek <mhonek@redhat.com> - 2.4.44-1
+- Update to 2.4.44 (#1305191)
+
+* Tue May 3 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-5
+- Bring back *.la files in %%{_libdir}/openldap/ (#1331484)
+
+* Wed Apr 27 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-4
+- Keep *.so libraries in %%{_libdir}/openldap/ (#1331484)
+- Include AllOp overlay (#1319782)
+
+* Sun Apr 10 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.43-3
+- Ensure all libtool archive files are removed (.la)
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.43-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 02 2015 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.4.43-1
+- Update to 2.4.43 (#1253871)
+
+* Thu Jul 16 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.41-1
+- New upstream release 2.4.41 (#1238251)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.40-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.40-13
+- Perl 5.22 rebuild
+
+* Mon Apr 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-12
+- fix: bring back tmpfiles config (#1215655)
+
+* Mon Mar 30 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-11
+- remove spurious ghosted file
+
+* Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
+- link against moznss again (#1187742)
+
+* Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
+- fix: Unknown Berkeley DB major version in db.h (#1191098)
+
+* Tue Feb 10 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
+- CVE-2015-1545: slapd crashes on search with deref control (#1190645)
+
+* Tue Jan 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-8
+- link against openssl by default
+- simplify package even more by removing certificate generation
+
+* Mon Jan 26 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-7
+- remove tmpfiles config since it's no longer needed
+- fix invalid ldif
+- simplify checking for missing server configuration
+
+* Fri Jan 16 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-6
+- remove openldap-fedora-systemd.patch
+- remove openldap-ldaprc-currentdir.patch
+- remove openldap-userconfig-setgid.patch
+- remove openldap-syncrepl-unset-tls-options.patch
+- remove unneeded configure flags, disable sql backend and aci
+- make mdb default after a new installation
+- remove pid file and args file
+- renumber patches and sources
+
+* Wed Dec 17 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-5
+- harden the build
+- improve check_password
+- provide an unversioned symlink to check_password.so.1.1
+
+* Tue Dec 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-4
+- remove openldap.pc
+
+* Tue Dec 9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-3
+- enhancement: generate openldap.pc (#1171493)
+
+* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2
+- enhancement: support TLSv1 and later (#1160466)
+
+* Mon Oct 6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1
+- new upstream release (#1147877)
+
+* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.39-12
+- Perl 5.20 rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.4.39-10
+- fix license handling
+
+* Mon Jul 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-9
+- fix: fix typo in generate-server-cert.sh (#1117229)
+
+* Mon Jun 9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-8
+- fix: make default service configuration listen on ldaps:/// as well (#1105634)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri May 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
+- fix: remove correct tmp file when generating server cert (#1103102)
+
+* Mon Mar 24 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
+- re-symlink unversioned libraries, so ldconfig is not confused (#1028557)
+
+* Tue Mar 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
+- don't automatically convert slapd.conf to slapd-config
+
+* Wed Feb 19 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
+- remove redundant sysconfig-related stuff
+- add documentation reference to service file
+- alias slapd.service as openldap.service
+
+* Tue Feb 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
+- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851)
+
+* Wed Jan 29 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
+- new upstream release (#1059186)
+
+* Mon Nov 18 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.38-1
+- new upstream release (#1031608)
+
+* Mon Nov 11 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-2
+- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935)
+
+* Wed Oct 30 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-1
+- new upstream release (#1023916)
+- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836)
+
+* Mon Oct 21 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-4
+- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661)
+
+* Tue Oct 15 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-3
+- rebuilt for libdb-5.3.28
+
+* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
+- fix: CLDAP is broken for IPv6 (#1018688)
+
+* Wed Sep 4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
+- fix: typos in manpages
+
+* Tue Aug 20 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-1
+- new upstream release
+ + compile-in mdb backend
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.35-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.4.35-6
+- Perl 5.18 rebuild
+
+* Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5
+- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"
+
+* Thu May 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-4
+- do not needlessly run ldconfig after installing openldap-devel
+- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222)
+- fix: lt_dlopen() with back_perl (#960048)
+
+* Tue Apr 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-3
+- fix: minor documentation fixes
+- set SASL_NOCANON to on by default (#949864)
+- remove trailing spaces
+
+* Fri Apr 05 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-2
+- drop the evolution patch
+
+* Tue Apr 02 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-1
+- new upstream release (#947235)
+- fix: slapd.service should ensure that network is up before starting (#946921)
+- fix: NSS related resource leak (#929357)
+
+* Mon Mar 18 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-2
+- fix: syncrepl push DELETE operation does not recover (#920482)
+- run autoreconf every build, drop autoreconf patch (#926280)
+
+* Mon Mar 11 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-1
+- enable perl backend (#820547)
+- package ppolicy-check-password (#829749)
+- add perl specific BuildRequires
+- fix bogus dates
+
+* Wed Mar 06 2013 Jan Vcelak <jvcelak@fedoraproject.org> 2.4.34-1
+- new upstream release (#917603)
+- fix: slapcat segfaults if cn=config.ldif not present (#872784)
+- use systemd-rpm macros in spec file (#850247)
+
+* Thu Jan 31 2013 Jan Synáček <jsynacek@redhat.com> 2.4.33-4
+- rebuild against new cyrus-sasl
+
+* Wed Oct 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-3
+- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
+* Fri Oct 12 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-2
+- fix: slapd with rwm overlay segfault following ldapmodify (#865685)
+
+* Thu Oct 11 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-1
+- new upstream release:
+ + slapd: ACLs, syncrepl
+ + backends: locking and memory management in MDB
+ + manpages: slapo-refint
+- patch update: MozNSS certificate database in SQL format cannot be used (#860317)
+- fix: slapd.service should not use /tmp (#859019)
+
+* Fri Sep 14 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-3
+- fix: some TLS ciphers cannot be enabled (#852338)
+- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)
+- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786)
+- fix: MozNSS certificate database in SQL format cannot be used (#857373)
+- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
+* Mon Aug 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-2
+- enhancement: TLS, prefer private keys from authenticated slots
+- enhancement: TLS, allow certificate specification including token name
+- resolve TLS failures in replication in 389 Directory Server
+
+* Wed Aug 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-1
+- new upstream release
+ + library: double free, SASL handling
+ + tools: read SASL_NOCANON from config file
+ + slapd: config index renumbering, duplicate error response
+ + backends: various fixes in mdb, bdb/hdb, ldap
+ + accesslog, syncprov: fix memory leaks in with replication
+ + sha2: portability, thread safety, support SSHA256,384,512
+ + documentation fixes
+
+* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
+- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
+
+* Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6
+- multilib fix: move libslapi from openldap-servers to openldap package
+
+* Thu Jul 19 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-5
+- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)
+- fix: smbk5pwd module computes invalid LM hashes (#841560)
+
+* Wed Jul 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-4
+- modify the package build process
+ + fix autoconfig files to detect Mozilla NSS library using pkg-config
+ + remove compiler flags which are not needed currently
+ + build server, client and library together
+ + avoid stray dependencies by using --as-needed linker flag
+ + enable SLAPI interface in slapd
+
+* Wed Jun 27 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-3
+- update fix: count constraint broken when using multiple modifications (#795766)
+- fix: invalid order of TLS shutdown operations (#808464)
+- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
+- fix: reading pin from file can make all TLS connections hang (#829317)
+- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
+- fix: slapd fails to start on reboot (#829272)
+- fix: default cipher suite is always selected (#828790)
+- fix: less influence between individual TLS contexts:
+ - replication with TLS does not work (#795763)
+ - possibly others
+
+* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
+- fix: nss-tools package is required by the base package, not the server subpackage
+- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
+
+* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
+- new upstream release
+ + library: IPv6 url detection
+ + library: rebinding to failed connections
+ + server: various fixes in mdb backend
+ + server: various fixes in replication
+ + server: various fixes in overlays and minor backends
+ + documentation fixes
+- remove patches which were merged upstream
+
+* Thu Apr 05 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-3
+- rebuild due to libdb rebase
+
+* Mon Mar 26 2012 Jan Synáček <jsynacek@redhat.com> 2.4.30-2
+- fix: Re-binding to a failed connection can segfault (#784989)
+
+* Thu Mar 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-1
+- new upstream release
+ + server: fixes in mdb backend
+ + server: fixes in manual pages
+ + server: fixes in syncprov, syncrepl, and pcache
+- removed patches which were merged upstream
+
+* Wed Feb 22 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-4
+- fix: missing options in manual pages of client tools (#796232)
+- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915)
+
+* Tue Feb 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-3
+- fix: ldap_result does not succeed for sssd (#771484)
+- Jan Synáček <jsynacek@redhat.com>:
+ + fix: count constraint broken when using multiple modifications (#795766)
+
+* Mon Feb 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-2
+- fix update: provide ldif2ldbm, not ldib2ldbm (#437104)
+- Jan Synáček <jsynacek@redhat.com>:
+ + unify systemctl binary paths throughout the specfile and make them usrmove compliant
+ + make path to chkconfig binary usrmove compliant
+
+* Wed Feb 15 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-1
+- new upstream release
+ + MozNSS fixes
+ + connection handling fixes
+ + server: buxfixes in mdb backend
+ + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)
+- openldap-servers now provide ldib2ldbm (#437104)
+- certificates management improvements
+ + create empty Mozilla NSS certificate database during installation
+ + enable builtin Root CA in generated database (#789088)
+ + generate server certificate using Mozilla NSS tools instead of OpenSSL tools
+ + fix: correct path to check-config.sh in service file (Jan Synáček <jsynacek@redhat.com>)
+- temporarily disable certificates checking in check-config.sh script
+- fix: check-config.sh get stuck when executing command as a ldap user
+
+* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3
+- fix: replication (syncrepl) with TLS causes segfault (#783431)
+- fix: slapd segfaults when PEM certificate is used and key is not set (#772890)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Nov 30 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.28-1
+- new upstream release
+ + server: support for delta-syncrepl in multi master replication
+ + server: add experimental backend - MDB
+ + server: dynamic configuration for passwd, perl, shell, sock, and sql backends
+ + server: support passwords in APR1
+ + library: support for Wahl (draft)
+ + a lot of bugfixes
+- remove patches which were merged upstream
+- compile backends as modules (except BDB, HDB, and monitor)
+- reload systemd daemon after installation
+
+* Tue Nov 01 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-6
+- package cleanup:
+ + hardened build: switch from LDFLAGS to RPM macros
+ + remove old provides and obsoletes
+ + add new slapd maintainance scripts
+ + drop defattr macros, clean up permissions in specfile
+ + fix rpmlint warnings: macros in comments/changelog
+ + fix rpmlint warnings: non UTF-8 documentation
+ + rename environment file to be more consistent (ldap -> slapd)
+- replace sysv initscript with systemd service file (#
+- new format of environment file due to switch to systemd
+ (automatic conversion is performed)
+- patch OpenLDAP to skip empty command line arguments
+ (arguments expansion in systemd works different than in shell)
+- CVE-2011-4079: one-byte buffer overflow in slapd (#749324)
+
+* Thu Oct 06 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-5
+- rebuild: openldap does not work after libdb rebase (#743824)
+- regression fix: openldap built without tcp_wrappers (#743213)
+
+* Wed Sep 21 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-4
+- new feature update: honor priority/weight with ldap_domain2hostlist (#733078)
+
+* Mon Sep 12 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-3
+- fix: SSL_ForceHandshake function is not thread safe (#701678)
+- fix: allow unsetting of tls_* syncrepl options (#734187)
+
+* Wed Aug 24 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-2
+- security hardening: library needs partial RELRO support added (#733071)
+- fix: NSS_Init* functions are not thread safe (#731112)
+- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819)
+- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818)
+- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067)
+- fix: DDS overlay tolerance parametr doesn't function and breakes default TTL (#733069)
+- manpage fix: errors in manual page slapo-unique (#733070)
+- fix: matching wildcard hostnames in certificate Subject field does not work (#733073)
+- new feature: honor priority/weight with ldap_domain2hostlist (#733078)
+- manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722)
+
+* Sun Aug 14 2011 Rex Dieter <rdieter@fedoraproject.org> - 2.4.26-1.1
+- Rebuilt for rpm (#728707)
+
+* Wed Jul 20 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-1
+- rebase to new upstream release
+- fix: memleak in tlsm_auth_cert_handler (#717730)
+
+* Mon Jun 27 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.25-1
+- rebase to new upstream release
+- change default database type from BDB to HDB
+- enable ldapi:/// interface by default
+- set cn=config management ACLs for root user, SASL external schema (#712495)
+- fix: server scriptlets require initscripts package (#716857)
+- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT
+ is set to 'never' (#716854)
+- fix: segmentation fault caused by double-free in ldapexop (#699683)
+- fix: segmentation fault of client tool when input line in LDIF file
+ is splitted but indented incorrectly (#716855)
+- fix: segmentation fault of client tool when LDIF input file is not terminated
+ by a new line character (#716858)
+
+* Fri Mar 18 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-2
+- new: system resource limiting for slapd using ulimit
+- fix update: openldap can't use TLS after a fork() (#636956)
+- fix: possible null pointer dereference in NSS implementation
+- fix: openldap-servers upgrade hangs or do not upgrade the database (#664433)
+
+* Mon Feb 14 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-1
+- rebase to 2.4.24
+- BDB backend switch from DB4 to DB5
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.23-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Feb 02 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-8
+- fix update: openldap can't use TLS after a fork() (#636956)
+
+* Tue Jan 25 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-7
+- fix: openldap can't use TLS after a fork() (#636956)
+- fix: openldap-server upgrade gets stuck when the database is damaged (#664433)
+
+* Thu Jan 20 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-6
+- fix: some server certificates refused with inadequate type error (#668899)
+- fix: default encryption strength dropped in switch to using NSS (#669446)
+- systemd compatibility: add configuration file (#656647, #668223)
+
+* Thu Jan 06 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-5
+- initscript: slaptest with '-u' to skip database opening (#667768)
+- removed slurpd options from sysconfig/ldap
+- fix: verification of self issued certificates (#657984)
+
+* Mon Nov 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-4
+- Mozilla NSS - implement full non-blocking semantics
+ ldapsearch -Z hangs server if starttls fails (#652822)
+- updated list of all overlays in slapd.conf (#655899)
+- fix database upgrade process (#656257)
+
+* Thu Nov 18 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-3
+- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR
+- reject non-file keyfiles in TLS_CACERTDIR (#652315)
+- TLS_CACERTDIR precedence over TLS_CACERT (#652304)
+- accept only files in hash.0 format in TLS_CACERTDIR (#650288)
+- improve SSL/TLS trace messages (#652818)
+
+* Mon Nov 01 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-2
+- fix possible infinite loop when checking permissions of TLS files (#641946)
+- removed outdated autofs.schema (#643045)
+- removed outdated README.upgrade
+- removed relics of migrationtools
+
+* Fri Aug 27 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-1
+- rebase to 2.4.23
+- embeded db4 library removed
+- removed bogus links in "SEE ALSO" in several man-pages (#624616)
+
+* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
+- Mozilla NSS - delay token auth until needed (#616552)
+- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
+
+* Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.22-6
+- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
+- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)
+- obsolete configuration file moved to /usr/share/openldap-servers (#612602)
+
+* Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-5
+- another shot at previous fix
+
+* Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-4
+- fixed issue with owner of /usr/lib/ldap/__db.* (#609523)
+
+* Thu Jun 3 2010 Rich Megginson <rmeggins@redhat.com> - 2.4.22-3
+- added ldif.h to the public api in the devel package
+- added -lldif to the public api
+- added HAVE_MOZNSS and other flags to use Mozilla NSS for crypto
+
+* Tue May 18 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-2
+- rebuild with connectionless support (#587722)
+- updated autofs schema (#584808)
+
+* Tue May 04 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.22-1
+- rebased to 2.4.22 (mostly bugfixes, added back-ldif, back-null testing support)
+- due to some possible issues pointed out in last update testing phase, I'm
+ pulling back the last change (slapd can't be moved since it depends on /usr
+ possibly mounted from network)
+
+* Fri Mar 19 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-6
+- moved slapd to start earlier during boot sequence
+
+* Tue Mar 16 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-5
+- minor corrections of init script (#571235, #570057, #573804)
+
+* Wed Feb 24 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-4
+- fixed SIGSEGV when deleting data using hdb (#562227)
+
+* Mon Feb 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-3
+- fixed broken link /usr/sbin/slapschema (#559873)
+
+* Tue Jan 19 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-2
+- removed some static libraries from openldap-devel (#556090)
+
+* Mon Jan 11 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-1
+- rebased openldap to 2.4.21
+- rebased bdb to 4.8.26
+
+* Mon Nov 23 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-3
+- minor corrections in init script
+
+* Mon Nov 16 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-2
+- fixed tls connection accepting when TLSVerifyClient = allow
+- /etc/openldap/ldap.conf removed from files owned by openldap-servers
+- minor changes in spec file to supress warnings
+- some changes in init script, so it would be possible to use it when
+ using old configuration style
+
+* Fri Nov 06 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-1
+- rebased openldap to 2.4.19
+- rebased bdb to 4.8.24
+
+* Wed Oct 07 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-4
+- updated smbk5pwd patch to be linked with libldap (#526500)
+- the last buffer overflow patch replaced with the one from upstream
+- added /etc/openldap/slapd.d and /etc/openldap/slapd.conf.bak
+ to files owned by openldap-servers
+
+* Thu Sep 24 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-3
+- cleanup of previous patch fixing buffer overflow
+
+* Tue Sep 22 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-2
+- changed configuration approach. Instead od slapd.conf slapd
+ is using slapd.d directory now
+- fix of some issues caused by renaming of init script
+- fix of buffer overflow issue in ldif.c pointed out by new glibc
+
+* Fri Sep 18 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-1
+- rebase of openldap to 2.4.18
+
+* Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-7
+- updated documentation (hashing the cacert dir)
+
+* Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-6
+- updated init script to be LSB-compliant (#523434)
+- init script renamed to slapd
+
+* Thu Aug 27 2009 Tomas Mraz <tmraz@redhat.com> - 2.4.16-5
+- rebuilt with new openssl
+
+* Tue Aug 25 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-4
+- updated %%pre script to correctly install openldap group
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 01 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-1
+- rebase of openldap to 2.4.16
+- fixed minor issue in spec file (output looking interactive
+ when installing servers)
+
+* Tue Jun 09 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-4
+- added $SLAPD_URLS variable to init script (#504504)
+
+* Thu Apr 09 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-3
+- extended previous patch (#481310) to remove options cfMP
+ from some client tools
+- correction of patch setugid (#494330)
+
+* Thu Mar 26 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.15-2
+- removed -f option from some client tools (#481310)
+
+* Wed Feb 25 2009 Jan Safranek <jsafranek@redhat.com> 2.4.15-1
+- new upstream release
+
+* Tue Feb 17 2009 Jan Safranek <jsafranek@redhat.com> 2.4.14-1
+- new upstream release
+- upgraded to db-4.7.25
+
+* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> 2.4.12-3
+- rebuild with new openssl
+
+* Mon Dec 15 2008 Caolán McNamara <caolanm@redhat.com> 2.4.12-2
+- rebuild for libltdl, i.e. copy config.sub|guess from new location
+
+* Wed Oct 15 2008 Jan Safranek <jsafranek@redhat.com> 2.4.12-1
+- new upstream release
+
+* Mon Oct 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-3
+- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins
+ to set non-default slapd shutdown timeout
+- add checkpoint to default slapd.conf file (#458679)
+
+* Mon Sep 1 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-2
+- provide ldif2ldbm functionality for migrationtools
+- rediff all patches to get rid of patch fuzz
+
+* Mon Jul 21 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-1
+- new upstream release
+- apply official bdb-4.6.21 patches
+
+* Wed Jul 2 2008 Jan Safranek <jsafranek@redhat.com> 2.4.10-2
+- fix CVE-2008-2952 (#453728)
+
+* Thu Jun 12 2008 Jan Safranek <jsafranek@redhat.com> 2.4.10-1
+- new upstream release
+
+* Wed May 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.9-5
+- use /sbin/nologin as shell of ldap user (#447919)
+
+* Tue May 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.9-4
+- new upstream release
+- removed unnecessary MigrationTools patches
+
+* Thu Apr 10 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-4
+- bdb upgraded to 4.6.21
+- reworked upgrade logic again to run db_upgrade when bdb version
+ changes
+
+* Wed Mar 5 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-3
+- reworked the upgrade logic, slapcat/slapadd of the whole database
+ is needed only if minor version changes (2.3.x -> 2.4.y)
+- do not try to save database in LDIF format, if openldap-servers package
+ is being removed (it's up to the admin to do so manually)
+
+* Thu Feb 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-2
+- migration tools carved out to standalone package "migrationtools"
+ (#236697)
+
+* Fri Feb 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.8-1
+- new upstream release
+
+* Fri Feb 8 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-7
+- fix CVE-2008-0658 (#432014)
+
+* Mon Jan 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-6
+- init script fixes
+
+* Mon Jan 28 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-5
+- init script made LSB-compliant (#247012)
+
+* Fri Jan 25 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-4
+- fixed rpmlint warnings and errors
+ - /etc/openldap/schema/README moved to /usr/share/doc/openldap
+
+* Tue Jan 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-3
+- obsoleting compat-openldap properly again :)
+
+* Tue Jan 22 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-2
+- obsoleting compat-openldap properly (#429591)
+
+* Mon Jan 14 2008 Jan Safranek <jsafranek@redhat.com> 2.4.7-1
+- new upstream version (openldap-2.4.7)
+
+* Mon Dec 3 2007 Jan Safranek <jsafranek@redhat.com> 2.4.6-1
+- new upstream version (openldap-2.4)
+- deprecating compat- package
+
+* Mon Nov 5 2007 Jan Safranek <jsafranek@redhat.com> 2.3.39-1
+- new upstream release
+
+* Tue Oct 23 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-4
+- fixed multilib issues - all platform independent files have the
+ same content now (#342791)
+
+* Thu Oct 4 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-3
+- BDB downgraded back to 4.4.20 because 4.6.18 is not supported by
+ openldap (#314821)
+
+* Mon Sep 17 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-2
+- skeleton /etc/sysconfig/ldap added
+- new SLAPD_LDAP option to turn off listening on ldap:/// (#292591)
+- fixed checking of SSL (#292611)
+- fixed upgrade with empty database
+
+* Thu Sep 6 2007 Jan Safranek <jsafranek@redhat.com> 2.3.38-1
+- new upstream version
+- added images to the guide.html (#273581)
+
+* Wed Aug 22 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-3
+- just rebuild
+
+* Thu Aug 2 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-2
+- do not use specific automake and autoconf
+- do not distinguish between NPTL and non-NPTL platforms, we have NPTL
+ everywhere
+- db-4.6.18 integrated
+- updated openldap-servers License: field to reference BDB license
+
+* Tue Jul 31 2007 Jan Safranek <jsafranek@redhat.com> 2.3.37-1
+- new upstream version
+
+* Fri Jul 20 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-7
+- MigrationTools-47 integrated
+
+* Wed Jul 4 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-6
+- fix compat-slapcat compilation. Now it can be found in
+ /usr/lib/compat-openldap/slapcat, because the tool checks argv[0]
+ (#246581)
+
+* Fri Jun 29 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-5
+- smbk5pwd added (#220895)
+- correctly distribute modules between servers and servers-sql packages
+
+* Mon Jun 25 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-4
+- Fix initscript return codes (#242667)
+- Provide overlays (as modules; #246036, #245896)
+- Add available modules to config file
+
+* Tue May 22 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-3
+- do not create script in /tmp on startup (bz#188298)
+- add compat-slapcat to openldap-compat (bz#179378)
+- do not import ddp services with migrate_services.pl
+ (bz#201183)
+- sort the hosts by adders, preventing duplicities
+ in migrate*nis*.pl (bz#201540)
+- start slupd for each replicated database (bz#210155)
+- add ldconfig to devel post/postun (bz#240253)
+- include misc.schema in default slapd.conf (bz#147805)
+
+* Mon Apr 23 2007 Jan Safranek <jsafranek@redhat.com> 2.3.34-2
+- slapadd during package update is now quiet (bz#224581)
+- use _localstatedir instead of var/ during build (bz#220970)
+- bind-libbind-devel removed from BuildRequires (bz#216851)
+- slaptest is now quiet during service ldap start, if
+ there is no error/warning (bz#143697)
+- libldap_r.so now links with pthread (bz#198226)
+- do not strip binaries to produce correct .debuginfo packages
+ (bz#152516)
+
+* Mon Feb 19 2007 Jay Fenlason <fenlason<redhat.com> 2.3.34-1
+- New upstream release
+- Upgrade the scripts for migrating the database so that they might
+ actually work.
+- change bind-libbind-devel to bind-devel in BuildPreReq
+
+* Mon Dec 4 2006 Thomas Woerner <twoerner@redhat.com> 2.3.30-1.1
+- tcp_wrappers has a new devel and libs sub package, therefore changing build
+ requirement for tcp_wrappers to tcp_wrappers-devel
+
+* Wed Nov 15 2006 Jay Fenlason <fenlason@redhat.com> 2.3.30-1
+- New upstream version
+
+* Wed Oct 25 2006 Jay Fenlason <fenlason@redhat.com> 2.3.28-1
+- New upstream version
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 2.3.27-4
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Mon Sep 18 2006 Jay Fenlason <fenlason@redhat.com> 2.3.27-3
+- Include --enable-multimaster to close
+ bz#185821: adding slapd_multimaster to the configure options
+- Upgade guide.html to the correct one for openladp-2.3.27, closing
+ bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2
+- Remove the quotes from around the slaptestflags in ldap.init
+ This closes one part of
+ bz#204593: service ldap fails after having added entries to ldap
+- include __db.* in the list of files to check ownership of in
+ ldap.init, as suggested in
+ bz#199322: RFE: perform cleanup in ldap.init
+
+* Fri Aug 25 2006 Jay Fenlason <fenlason@redhat.com> 2.3.27-2
+- New upstream release
+- Include the gethostbyname_r patch so that nss_ldap won't hang
+ on recursive attemts to ldap_initialize.
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.3.24-2.1
+- rebuild
+
+* Wed Jun 7 2006 Jay Fenlason <fenlason@redhat.com> 2.3.24-2
+- New upstream version
+
+* Thu Apr 27 2006 Jay Fenlason <fenlason@redhat.com> 2.3.21-2
+- Upgrade to 2.3.21
+- Add two upstream patches for db-4.4.20
+
+* Mon Feb 13 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-4
+- Re-fix ldap.init
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 2.3.19-3.1
+- bump again for double-long bug on ppc(64)
+
+* Thu Feb 9 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-3
+- Modify the ldap.init script to call runuser correctly.
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 2.3.19-2.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 10 2006 Jay Fenlason <fenlason@redhat.com> 2.3.19-2
+- Upgrade to 2.3.19, which upstream now considers stable
+- Modify the -config.patch, ldap.init, and this spec file to put the
+ pid file and args file in an ldap-owned openldap subdirectory under
+ /var/run.
+- Move back_sql* out of _sbindir/openldap , which requires
+ hand-moving slapd and slurpd to _sbindir, and recreating symlinks
+ by hand.
+- Retire openldap-2.3.11-ads.patch, which went upstream.
+- Update the ldap.init script to run slaptest as the ldap user rather
+ than as root. This solves
+ bz#150172 Startup failure after database problem
+- Add to the servers post and preun scriptlets so that on preun, the
+ database is slapcatted to /var/lib/ldap/upgrade.ldif and the
+ database files are saved to /var/lib/ldap/rpmorig. On post, if
+ /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that
+ on upgrades from 2.3.16-2 to higher versions, the database files may
+ be automatically upgraded. Unfortunatly, because of the changes to
+ the preun scriptlet, users have to do the slapcat, etc by hand when
+ upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig
+ files need to be removed by hand because automatically removing your
+ emergency fallback files is a bad idea.
+- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will
+ require that users slapcat their databases into a temp file, move
+ /var/lib/ldap someplace safe, upgrade the openldap rpms, then
+ slapadd the temp file.
+
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Mon Nov 21 2005 Jay Fenlason <fenlason@redhat.com> 2.3.11-3
+- Remove Requires: cyrus-sasl and cyrus-sasl-md5 from openldap- and
+ compat-openldap- to close
+ bz#173313 Remove exlicit 'Requires: cyrus-sasl" + 'Requires: cyrus-sasl-md5'
+
+* Thu Nov 10 2005 Jay Fenlason <fenlason@redhat.com> 2.3.11-2
+- Upgrade to 2.3.11, which upstream now considers stable.
+- Switch compat-openldap to 2.2.29
+- remove references to nss_ldap_build from the spec file
+- remove references to 2.0 and 2.1 from the spec file.
+- reorganize the build() function slightly in the spec file to limit the
+ number of redundant and conflicting options passedto configure.
+- Remove the attempt to hardlink ldapmodify and ldapadd together, since
+ the current make install make ldapadd a symlink to ldapmodify.
+- Include the -ads patches to allow SASL binds to an Active Directory
+ server to work. Nalin <nalin@redhat.com> wrote the patch, based on my
+ broken first attempt.
+
+* Thu Nov 10 2005 Tomas Mraz <tmraz@redhat.com> 2.2.29-3
+- rebuilt against new openssl
+
+* Mon Oct 10 2005 Jay Fenlason <fenlason@redhat.com> 2.2.29-2
+- New upstream version.
+
+* Thu Sep 29 2005 Jay Fenlason <fenlason@redhat.com> 2.2.28-2
+- Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete.
+
+* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2
+- Move the slapd.pem file to /etc/pki/tls/certs
+ and edit the -config patch to match to close
+ bz#143393 Creates certificates + keys at an insecure/bad place
+- also use _sysconfdir instead of hard-coding /etc
+
+* Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com>
+- Add the tls-fix-connection-test patch to close
+ bz#161991 openldap password disclosure issue
+- add the hop patches to prevent infinite looping when chasing referrals.
+ OpenLDAP ITS #3578
+
+* Fri Aug 5 2005 Nalin Dahyabhai <nalin@redhat.com>
+- fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
+
+* Thu May 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.26-1
+- run slaptest with the -u flag if no id2entry db files are found, because
+ you can't check for read-write access to a non-existent database (#156787)
+- add _sysconfdir/openldap/cacerts, which authconfig sets as the
+ TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+ with embedded whitespace (#158111)
+
+* Wed May 4 2005 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.2.26 (stable 20050429)
+- enable the lmpasswd scheme
+- print a warning if slaptest fails, slaptest -u succeeds, and one of the
+ directories listed as the storage location for a given suffix in slapd.conf
+ contains a readable file named __db.001 (#118678)
+
+* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.25-1
+- update to 2.2.25 (release)
+
+* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.24-1
+- update to 2.2.24 (stable 20050318)
+- export KRB5_KTNAME in the init script, in case it was set in the sysconfig
+ file but not exported
+
+* Tue Mar 1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-4
+- prefer libresolv to libbind
+
+* Tue Mar 1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-3
+- add bind-libbind-devel and libtool-ltdl-devel buildprereqs
+
+* Tue Mar 1 2005 Tomas Mraz <tmraz@redhat.com> 2.2.23-2
+- rebuild with openssl-0.9.7e
+
+* Mon Jan 31 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-1
+- update to 2.2.23 (stable-20050125)
+- update notes on upgrading from earlier versions
+- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
+
+* Tue Jan 4 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.20-1
+- update to 2.2.20 (stable-20050103)
+- warn about unreadable krb5 keytab files containing "ldap" keys
+- warn about unreadable TLS-related files
+- own a ref to subdirectories which we create under _libdir/tls
+
+* Tue Nov 2 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.17-0
+- rebuild
+
+* Thu Sep 30 2004 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.2.17 (stable-20040923) (#135188)
+- move nptl libraries into arch-specific subdirectories on x86 boxes
+- require a newer glibc which can provide nptl libpthread on i486/i586
+
+* Tue Aug 24 2004 Nalin Dahyabhai <nalin@redhat.com>
+- move slapd startup to earlier in the boot sequence (#103160)
+- update to 2.2.15 (stable-20040822)
+- change version number on compat-openldap to include the non-compat version
+ from which it's compiled, otherwise would have to start 2.2.15 at release 3
+ so that it upgrades correctly
+
+* Thu Aug 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-2
+- build a separate, static set of libraries for openldap-devel with the
+ non-standard ntlm bind patch applied, for use by the evolution-connector
+ package (#125579), and installing them under
+ evolution_connector_prefix)
+- provide openldap-evolution-devel = version-release in openldap-devel
+ so that evolution-connector's source package can require a version of
+ openldap-devel which provides what it wants
+
+* Mon Jul 26 2004 Nalin Dahyabhai <nalin@redhat.com>
+- update administrator guide
+
+* Wed Jun 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-1
+- add compat-openldap subpackage
+- default to bdb, as upstream does, gambling that we're only going to be
+ on systems with nptl now
+
+* Tue Jun 15 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-0
+- preliminary 2.2.13 update
+- move ucdata to the -servers subpackage where it belongs
+
+* Tue Jun 15 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.30-1
+- build experimental sql backend as a loadable module
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue May 18 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.30-0
+- update to 2.1.30
+
+* Thu May 13 2004 Thomas Woerner <twoerner@redhat.com> 2.1.29-3
+- removed rpath
+- added pie patch: slapd and slurpd are now pie
+- requires libtool >= 1.5.6-2 (PIC libltdl.a)
+
+* Fri Apr 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-2
+- move rfc documentation from main to -devel (#121025)
+
+* Wed Apr 14 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-1
+- rebuild
+
+* Tue Apr 6 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.29-0
+- update to 2.1.29 (stable 20040329)
+
+* Mon Mar 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- don't build servers with --with-kpasswd, that option hasn't been recognized
+ since 2.1.23
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> 2.1.25-5.1
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh <twaugh@redhat.com> 2.1.25-5
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Feb 10 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-4
+- remove 'reload' from the init script -- it never worked as intended (#115310)
+
+* Wed Feb 4 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-3
+- commit that last fix correctly this time
+
+* Tue Feb 3 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-2
+- fix incorrect use of find when attempting to detect a common permissions
+ error in the init script (#114866)
+
+* Fri Jan 16 2004 Nalin Dahyabhai <nalin@redhat.com>
+- add bug fix patch for DB 4.2.52
+
+* Thu Jan 8 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.25-1
+- change logging facility used from daemon to local4 (#112730, reversing #11047)
+ BEHAVIOR CHANGE - SHOULD BE MENTIONED IN THE RELEASE NOTES.
+
+* Wed Jan 7 2004 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate fix for logic quasi-bug in slapd's SASL auxprop code (Dave Jones)
+
+* Thu Dec 18 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.25, now marked STABLE
+
+* Thu Dec 11 2003 Jeff Johnson <jbj@jbj.org> 2.1.22-9
+- update to db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-8
+- add another section to the ABI note for the TLS libdb so that it's marked as
+ not needing an executable stack (from Arjan Van de Ven)
+
+* Thu Oct 16 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-7
+- force bundled libdb to not use O_DIRECT by making it forget that we have it
+
+* Wed Oct 15 2003 Nalin Dahyabhai <nalin@redhat.com>
+- build bundled libdb for slapd dynamically to make the package smaller,
+ among other things
+- on tls-capable arches, build libdb both with and without shared posix
+ mutexes, otherwise just without
+- disable posix mutexes unconditionally for db 4.0, which shouldn't need
+ them for the migration cases where it's used
+- update to MigrationTools 45
+
+* Thu Sep 25 2003 Jeff Johnson <jbj@jbj.org> 2.1.22-6.1
+- upgrade db-4.1.25 to db-4.2.42.
+
+* Fri Sep 12 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-6
+- drop rfc822-MailMember.schema, merged into upstream misc.schema at some point
+
+* Wed Aug 27 2003 Nalin Dahyabhai <nalin@redhat.com>
+- actually require newer libtool, as was intended back in 2.1.22-0, noted as
+ missed by Jim Richardson
+
+* Fri Jul 25 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-5
+- enable rlookups, they don't cost anything unless also enabled in slapd's
+ configuration file
+
+* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-4
+- rebuild
+
+* Thu Jul 17 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-3
+- rebuild
+
+* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-1
+- build
+
+* Mon Jul 14 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-0
+- 2.1.22 now badged stable
+- be more aggressive in what we index by default
+- use/require libtool 1.5
+
+* Mon Jun 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.22
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jun 3 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-1
+- update to 2.1.21
+- enable ldap, meta, monitor, null, rewrite in slapd
+
+* Mon May 19 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-1
+- update to 2.1.20
+
+* Thu May 8 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-1
+- update to 2.1.19
+
+* Mon May 5 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-1
+- switch to db with crypto
+
+* Fri May 2 2003 Nalin Dahyabhai <nalin@redhat.com>
+- install the db utils for the bundled libdb as %%{_sbindir}/slapd_db_*
+- install slapcat/slapadd from 2.0.x for migration purposes
+
+* Wed Apr 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.17
+- disable the shell backend, not expected to work well with threads
+- drop the kerberosSecurityObject schema, the krbName attribute it
+ contains is only used if slapd is built with v2 kbind support
+
+* Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-8
+- back down to db 4.0.x, which 2.0.x can compile with in ldbm-over-db setups
+- tweak SuSE patch to fix a few copy-paste errors and a NULL dereference
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-6
+- rebuild
+
+* Mon Dec 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-5
+- rebuild
+
+* Fri Dec 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-4
+- check for setgid as well
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com>
+- incorporate fixes from SuSE's security audit, except for fixes to ITS 1963,
+ 1936, 2007, 2009, which were included in 2.0.26.
+- add two more patches for db 4.1.24 from sleepycat's updates page
+- use openssl pkgconfig data, if any is available
+
+* Mon Nov 11 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-2
+- add patches for db 4.1.24 from sleepycat's updates page
+
+* Mon Nov 4 2002 Nalin Dahyabhai <nalin@redhat.com>
+- add a sample TLSCACertificateFile directive to the default slapd.conf
+
+* Tue Sep 24 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.27-1
+- update to 2.0.27
+
+* Fri Sep 20 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.26-1
+- update to 2.0.26, db 4.1.24.NC
+
+* Fri Sep 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.25-2
+- change LD_FLAGS to refer to /usr/kerberos/_libdir instead of
+ /usr/kerberos/lib, which might not be right on some arches
+
+* Mon Aug 26 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.25-1
+- update to 2.0.25 "stable", ldbm-over-gdbm (putting off migration of LDBM
+ slapd databases until we move to 2.1.x)
+- use %%{_smp_mflags} when running make
+- update to MigrationTools 44
+- enable dynamic module support in slapd
+
+* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-5
+- rebuild in new environment
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-3
+- use the gdbm backend again
+
+* Mon Feb 18 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-2
+- make slapd.conf read/write by root, read by ldap
+
+* Sun Feb 17 2002 Nalin Dahyabhai <nalin@redhat.com>
+- fix corner case in sendbuf fix
+- 2.0.23 now marked "stable"
+
+* Tue Feb 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.23-1
+- update to 2.0.23
+
+* Fri Feb 8 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.22-2
+- switch to an internalized Berkeley DB as the ldbm back-end (NOTE: this breaks
+ access to existing on-disk directory data)
+- add slapcat/slapadd with gdbm for migration purposes
+- remove Kerberos dependency in client libs (the direct Kerberos dependency
+ is used by the server for checking {kerberos} passwords)
+
+* Fri Feb 1 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.22-1
+- update to 2.0.22
+
+* Sat Jan 26 2002 Florian La Roche <Florian.LaRoche@redhat.de> 2.0.21-5
+- prereq chkconfig for server subpackage
+
+* Fri Jan 25 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-4
+- update migration tools to version 40
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-3
+- free ride through the build system
+
+* Wed Jan 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.21-2
+- update to 2.0.21, now earmarked as STABLE
+
+* Wed Jan 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-2
+- temporarily disable optimizations for ia64 arches
+- specify pthreads at configure-time instead of letting configure guess
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com>
+- and one for Raw Hide
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-0.7
+- build for RHL 7/7.1
+
+* Mon Jan 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.20-1
+- update to 2.0.20 (security errata)
+
+* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.19-1
+- update to 2.0.19
+
+* Tue Nov 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.18-2
+- fix the commented-out replication example in slapd.conf
+
+* Fri Oct 26 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.18-1
+- update to 2.0.18
+
+* Mon Oct 15 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.17-1
+- update to 2.0.17
+
+* Wed Oct 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable kbind support (deprecated, and I suspect unused)
+- configure with --with-kerberos=k5only instead of --with-kerberos=k5
+- build slapd with threads
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.15-2
+- rebuild, 2.0.15 is now designated stable
+
+* Fri Sep 21 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.15-1
+- update to 2.0.15
+
+* Mon Sep 10 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.14-1
+- update to 2.0.14
+
+* Fri Aug 31 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.12-1
+- update to 2.0.12 to pull in fixes for setting of default TLS options, among
+ other things
+- update to migration tools 39
+- drop tls patch, which was fixed better in this release
+
+* Tue Aug 21 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.11-13
+- install saucer correctly
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- try to fix ldap_set_options not being able to set global options related
+ to TLS correctly
+
+* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't attempt to create a cert at install-time, it's usually going
+ to get the wrong CN (#51352)
+
+* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add a build-time requirement on pam-devel
+- add a build-time requirement on a sufficiently-new libtool to link
+ shared libraries to other shared libraries (which is needed in order
+ for prelinking to work)
+
+* Fri Aug 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- require cyrus-sasl-md5 (support for DIGEST-MD5 is required for RFC
+ compliance) by name (follows from #43079, which split cyrus-sasl's
+ cram-md5 and digest-md5 modules out into cyrus-sasl-md5)
+
+* Fri Jul 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- enable passwd back-end (noted by Alan Sparks and Sergio Kessler)
+
+* Wed Jul 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- start to prep for errata release
+
+* Fri Jul 6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- link libldap with liblber
+
+* Wed Jul 4 2001 Than Ngo <than@redhat.com> 2.0.11-6
+- add symlink liblber.so libldap.so and libldap_r.so in /usr/lib
+
+* Tue Jul 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move shared libraries to /lib
+- redo init script for better internationalization (#26154)
+- don't use ldaprc files in the current directory (#38402) (patch from
+ hps@intermeta.de)
+- add BuildPrereq on tcp wrappers since we configure with
+ --enable-wrappers (#43707)
+- don't overflow debug buffer in mail500 (#41751)
+- don't call krb5_free_creds instead of krb5_free_cred_contents any
+ more (#43159)
+
+* Mon Jul 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make config files noreplace (#42831)
+
+* Tue Jun 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- actually change the default config to use the dummy cert
+- update to MigrationTools 38
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- build dummy certificate in %%post, use it in default config
+- configure-time shenanigans to help a confused configure script
+
+* Wed Jun 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- tweak migrate_automount and friends so that they can be run from anywhere
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.11
+
+* Wed May 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.10
+
+* Mon May 21 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.9
+
+* Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.8
+- drop patch which came from upstream
+
+* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Thu Feb 8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- back out pidfile patches, which interact weirdly with Linux threads
+- mark non-standard schema as such by moving them to a different directory
+
+* Mon Feb 5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to MigrationTools 36, adds netgroup support
+
+* Mon Jan 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix thinko in that last patch
+
+* Thu Jan 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- try to work around some buffering problems
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- gettextize the init script
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- gettextize the init script
+
+* Fri Jan 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move the RFCs to the base package (#21701)
+- update to MigrationTools 34
+
+* Wed Jan 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add support for additional OPTIONS, SLAPD_OPTIONS, and SLURPD_OPTIONS in
+ a /etc/sysconfig/ldap file (#23549)
+
+* Fri Dec 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change automount object OID from 1.3.6.1.1.1.2.9 to 1.3.6.1.1.1.2.13,
+ per mail from the ldap-nis mailing list
+
+* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- force -fPIC so that shared libraries don't fall over
+
+* Mon Dec 4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add Norbert Klasen's patch (via Del) to fix searches using ldaps URLs
+ (OpenLDAP ITS #889)
+- add "-h ldaps:///" to server init when TLS is enabled, in order to support
+ ldaps in addition to the regular STARTTLS (suggested by Del)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- correct mismatched-dn-cn bug in migrate_automount.pl
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to the correct OIDs for automount and automountInformation
+- add notes on upgrading
+
+* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.7
+- drop chdir patch (went mainstream)
+
+* Thu Nov 2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change automount object classes from auxiliary to structural
+
+* Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to Migration Tools 27
+- change the sense of the last simple patch
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- reorganize the patch list to separate MigrationTools and OpenLDAP patches
+- switch to Luke Howard's rfc822MailMember schema instead of the aliases.schema
+- configure slapd to run as the non-root user "ldap" (#19370)
+- chdir() before chroot() (we don't use chroot, though) (#19369)
+- disable saving of the pid file because the parent thread which saves it and
+ the child thread which listens have different pids
+
+* Wed Oct 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add missing required attributes to conversion scripts to comply with schema
+- add schema for mail aliases, autofs, and kerberosSecurityObject rooted in
+ our own OID tree to define attributes and classes migration scripts expect
+- tweak automounter migration script
+
+* Mon Oct 9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- try adding the suffix first when doing online migrations
+- force ldapadd to use simple authentication in migration scripts
+- add indexing of a few attributes to the default configuration
+- add commented-out section on using TLS to default configuration
+
+* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.6
+- add buildprereq on cyrus-sasl-devel, krb5-devel, openssl-devel
+- take the -s flag off of slapadd invocations in migration tools
+- add the cosine.schema to the default server config, needed by inetorgperson
+
+* Wed Oct 4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add the nis.schema and inetorgperson.schema to the default server config
+- make ldapadd a hard link to ldapmodify because they're identical binaries
+
+* Fri Sep 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.4
+
+* Fri Sep 15 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove prereq on /etc/init.d (#17531)
+- update to 2.0.3
+- add saucer to the included clients
+
+* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.1
+
+* Fri Sep 1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.0.0
+- patch to build against MIT Kerberos 1.1 and later instead of 1.0.x
+
+* Tue Aug 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove that pesky default password
+- change "Copyright:" to "License:"
+
+* Sun Aug 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- adjust permissions in files lists
+- move libexecdir from %%{_prefix}/sbin to %%{_sbindir}
+
+* Fri Aug 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add migrate_automount.pl to the migration scripts set
+
+* Tue Aug 8 2000 Nalin Dahyabhai <nalin@redhat.com>
+- build a semistatic slurpd with threads, everything else without
+- disable reverse lookups, per email on OpenLDAP mailing lists
+- make sure the execute bits are set on the shared libraries
+
+* Mon Jul 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change logging facility used from local4 to daemon (#11047)
+
+* Thu Jul 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- split off clients and servers to shrink down the package and remove the
+ base package's dependency on Perl
+- make certain that the binaries have sane permissions
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the init script back
+
+* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak the init script to only source /etc/sysconfig/network if it's found
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- switch to gdbm; I'm getting off the db merry-go-round
+- tweak the init script some more
+- add instdir to @INC in migration scripts
+
+* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak init script to return error codes properly
+- change initscripts dependency to one on /etc/init.d
+
+* Tue Jul 4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- prereq initscripts
+- make migration scripts use mktemp
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- do condrestart in post and stop in preun
+- move init script to /etc/init.d
+
+* Fri Jun 16 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.11
+- add condrestart logic to init script
+- munge migration scripts so that you don't have to be
+ /usr/share/openldap/migration to run them
+- add code to create pid files in /var/run
+
+* Mon Jun 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- FHS tweaks
+- fix for compiling with libdb2
+
+* Thu May 4 2000 Bill Nottingham <notting@redhat.com>
+- minor tweak so it builds on ia64
+
+* Wed May 3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
+- backport replacement for the ldapuser patch
+
+* Tue May 2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)
+
+* Tue Apr 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.10
+- add revamped version of patch from kos@bastard.net to allow execution as
+ any non-root user
+- remove test suite from %%build because of weirdness in the build system
+
+* Wed Apr 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
+- fix some possible string-handling problems
+
+* Mon Feb 14 2000 Bill Nottingham <notting@redhat.com>
+- start earlier, stop later.
+
+* Thu Feb 3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- auto rebuild in new environment (release 4)
+
+* Tue Feb 1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add -D_REENTRANT to make threaded stuff more stable, even though it looks
+ like the sources define it, too
+- mark *.ph files in migration tools as config files
+
+* Fri Jan 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.2.9
+
+* Mon Sep 13 1999 Bill Nottingham <notting@redhat.com>
+- strip files
+
+* Sat Sep 11 1999 Bill Nottingham <notting@redhat.com>
+- update to 1.2.7
+- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
+- take include files out of base package
+
+* Fri Aug 27 1999 Jeff Johnson <jbj@redhat.com>
+- missing ;; in init script reload) (#4734).
+
+* Tue Aug 24 1999 Cristian Gafton <gafton@redhat.com>
+- move stuff from /usr/libexec to /usr/sbin
+- relocate config dirs to /etc/openldap
+
+* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Wed Aug 11 1999 Cristian Gafton <gafton@redhat.com>
+- add the migration tools to the package
+
+* Fri Aug 06 1999 Cristian Gafton <gafton@redhat.com>
+- upgrade to 1.2.6
+- add rc.d script
+- split -devel package
+
+* Sun Feb 07 1999 Preston Brown <pbrown@redhat.com>
+- upgrade to latest stable (1.1.4), it now uses configure macro.
+
+* Fri Jan 15 1999 Bill Nottingham <notting@redhat.com>
+- build on arm, glibc2.1
+
+* Wed Oct 28 1998 Preston Brown <pbrown@redhat.com>
+- initial cut.
+- patches for signal handling on the alpha