From 1507ff3150b74014c30514b2d82e97359f21c62a Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Nov 18 2009 15:33:17 +0000 Subject: - rebased openldap to 2.4.19 (bugfixing release) - rebased bdb to 4.8.24 - fixed tls connection accepting when TLSVerifyClient = allow - /etc/openldap/ldap.conf removed from files owned by openldap-servers - minor changes in spec file to supress warnings - some changes in init script, so it would be possible to use it when using old configuration style --- diff --git a/.cvsignore b/.cvsignore index 3f18370..69e7188 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,2 +1,2 @@ -openldap-2.4.18.tgz -db-4.7.25.tar.gz +openldap-2.4.19.tgz +db-4.8.24.tar.gz diff --git a/ldap.init b/ldap.init index 99be9dc..fe4c75c 100644 --- a/ldap.init +++ b/ldap.init @@ -43,6 +43,7 @@ slapd=/usr/sbin/slapd slaptest=/usr/sbin/slaptest lockfile=/var/lock/subsys/slapd configdir=/etc/openldap/slapd.d/ +configfile=/etc/openldap/slapd.conf pidfile=/var/run/slapd.pid slapd_pidfile=/var/run/openldap/slapd.pid @@ -104,7 +105,6 @@ function checkkeytab() { function configtest() { local user= ldapuid= dbdir= file= - [ -d $configdir ] || exit 6 # Check for simple-but-common errors. user=ldap prog=`basename ${slapd}` 
@@ -112,11 +112,20 @@ function configtest() { # Unaccessible database files. slaptestflags="" dbdirs="" - for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do - dbdirs=$dbdirs" - "`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'` - done + if [ -d $configdir ]; then + for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do + dbdirs=$dbdirs" + "`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'` + done + elif [ -f $configfile ]; then + dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,'` + else + exit 6 + fi for dbdir in $dbdirs; do + if [ ! -d $dbdir ]; then + exit 6 + fi for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do echo -n $"$file is not owned by \"$user\"" ; warning ; echo done @@ -134,7 +143,11 @@ function configtest() { echo -n $"$file is not readable by \"$user\"" ; warning ; echo fi # Unaccessible TLS configuration files. - tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'` + if [ -d $configdir ]; then + tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'` + elif [ -f $configfile ]; then + tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]+' $configfile | awk '{print $2}'` + fi for file in $tlsconfigs ; do if ! testasuser $user -r $file ; then echo -n $"$file is not readable by \"$user\"" ; warning ; echo 
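Review bot: The new `if [ ! -d $dbdir ]; then exit 6; fi` aborts configtest without saying why, while every other check in this function reports the offending path through `warning` before continuing, so an admin is left with a bare exit status 6 and nothing in the output; quote the variable and report in the same style: `if [ ! -d "$dbdir" ]; then echo -n $"database directory $dbdir does not exist" ; warning ; echo ; exit 6 ; fi`. The slapd.conf branch only strips the `directory` keyword, so a value written with surrounding quotes (`directory "/var/lib/ldap"`, which I believe slapd.conf accepts) is left quoted and would trip this new check even though slapd itself starts fine — either strip the quotes in the sed or confirm that the shipped configuration never quotes it. `egrep '^directory'` is also case-sensitive, whereas slapd.conf keywords are, as far as I recall, matched case-insensitively. configtest starts before this hunk and continues after it.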
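Review bot: The slapd.conf branch added for the TLS files only verifies that `ldap` can read them, which misses the TLS misconfiguration that actually hurts: a `TLSCertificateKeyFile` that every other user can read as well (the ownership test earlier in configtest covers database files, not the key). Since both configuration styles are now resolved here, this is the place to add that warning in the existing `warning` style, with the readability loop left as it is. Also, `awk '{print $2}'` in the new `egrep` line truncates a quoted path containing a space, the same limitation the cn=config line already had, so paths in the shipped config should stay unquoted. configtest starts before this hunk and continues after it.
```shell
# … unchanged: readability loop over $tlsconfigs …
# A private key readable by other users defeats TLS regardless of whether
# slapd can read it; check it explicitly for both configuration styles.
if [ -d $configdir ]; then
    keyfile=`LANG=C egrep '^olcTLSCertificateKeyFile[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
elif [ -f $configfile ]; then
    keyfile=`LANG=C egrep '^TLSCertificateKeyFile[[:space:]]+' $configfile | awk '{print $2}'`
fi
if [ -n "$keyfile" ] && [ -n "`find "$keyfile" -maxdepth 0 -perm /o+r 2>/dev/null`" ]; then
    echo -n $"$keyfile is readable by other users" ; warning ; echo
fi
```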
@@ -218,24 +231,39 @@ case "$1" in configtest ;; start) - start + msg=`status -p $pidfile ${slapd} > /dev/null 2>&1` RETVAL=$? + if [ "$RETVAL" = "0" ]; then + echo $msg + RETVAL=1 + else + start + RETVAL=$? + fi ;; stop) - stop + msg=`status -p $pidfile ${slapd} > /dev/null 2>&1` RETVAL=$? + if [ "$RETVAL" != "0" ]; then + echo $msg + RETVAL=7 + else + stop + RETVAL=$? + fi ;; status) status -p $pidfile ${slapd} RETVAL=$? ;; restart|force-reload) + status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 7 stop start RETVAL=$? ;; condrestart|try-restart) - status -p $pidfile ${slapd} || exit 0 + status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0 stop start ;; diff --git a/openldap-2.4.19-tls-accept.patch b/openldap-2.4.19-tls-accept.patch new file mode 100644 index 0000000..d7484b7 --- /dev/null +++ b/openldap-2.4.19-tls-accept.patch @@ -0,0 +1,29 @@ +--- openldap-2.4.19/servers/slapd/connection.c.orig 2009-11-16 12:54:33.000000000 +0100 ++++ openldap-2.4.19/servers/slapd/connection.c 2009-11-16 13:23:25.000000000 +0100 +@@ -1376,6 +1376,11 @@ connection_read( ber_socket_t s, conn_re + c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); + slap_sasl_external( c, c->c_tls_ssf, &authid ); + if ( authid.bv_val ) free( authid.bv_val ); ++ } else if ( rc == 1 ) { /* need to retry */ ++ slapd_set_read( s, 0 ); ++ slapd_set_write( s, 1 ); ++ connection_return( c ); ++ return 0; + } + + /* if success and data is ready, fall thru to data input loop */ +@@ -1875,6 +1880,14 @@ int connection_write(ber_socket_t s) + return -1; + } + ++#ifdef HAVE_TLS ++ if ( c->c_is_tls && c->c_needs_tls_accept ) { ++ connection_return( c ); ++ connection_read_activate( s ); ++ return 0; ++ } ++#endif ++ + c->c_n_write++; + + Debug( LDAP_DEBUG_TRACE, diff --git a/openldap.spec b/openldap.spec index a981efe..0a266b5 100644 --- a/openldap.spec +++ b/openldap.spec 
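Review bot: `msg=\`status -p $pidfile ${slapd} > /dev/null 2>&1\`` in the new start and stop arms can never capture anything, because the redirection to /dev/null sits inside the command substitution, so both `echo $msg` lines print an empty line instead of the status message. Let status print for itself and drop the variable: `if status -p $pidfile ${slapd} ; then RETVAL=1 ; else start ; RETVAL=$? ; fi` in start, and the mirror-image form in stop. Separately, the `status ... || exit 7` added to `restart|force-reload` means `service slapd restart` on a stopped server now refuses to start it; as I read the LSB init-script spec, restart should start a service that is not running, and stop on a stopped service counts as success, which the new `RETVAL=7` in stop also contradicts, so I would drop that line and let stop tolerate the not-running case. The `case` statement starts before this hunk and continues after it.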
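Review bot: The new `else if ( rc == 1 )` branch in connection_read carries only `/* need to retry */`, which does not tell the next reader what the 1 means or why the connection stops polling for read and starts polling for write; the call whose result is tested is above the hunk. I would replace it with a comment along the lines of `/* TLS accept wants to write before it can continue (the TLSVerifyClient=allow case): wait for the socket to become writable, then connection_write() hands us back to the read path */`, adjusted to whatever the accept routine actually returns. On the connection_write side the early return re-activates read interest but nothing in the hunk clears the write interest raised in connection_read; if the daemon loop does not already do that before dispatching to connection_write, the socket will keep reporting writable and this branch will spin, which is worth confirming against the caller, outside the hunk. Both enclosing functions start and end outside the hunk, and the patch file has no header naming the upstream ticket it corresponds to, which would help whoever rebases next.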
@@ -1,9 +1,9 @@ # We distribute own version of Berkeley DB to prevent # problems on db4.rpm upgrade - some versions of db4 do # not work with some versions of OpenLDAP. -%define db_version 4.7.25 +%define db_version 4.8.24 %define ldbm_backend berkeley -%define version 2.4.18 +%define version 2.4.19 %define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} @@ -11,7 +11,7 @@ Summary: LDAP support libraries Name: openldap Version: %{version} -Release: 5%{?dist} +Release: 1%{?dist} License: OpenLDAP Group: System Environment/Daemons Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz @@ -35,16 +35,11 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.patch Patch9: openldap-2.3.37-smbk5pwd.patch Patch10: openldap-2.4.6-multilib.patch Patch11: openldap-2.4.16-doc-cacertdir.patch -Patch12: openldap-2.4.18-ldif-buf-overflow.patch +Patch12: openldap-2.4.19-tls-accept.patch # Patches for the evolution library Patch200: openldap-2.4.6-evolution-ntlm.patch -# Patches for db4 library -Patch400: patch.4.7.25.1 -Patch401: patch.4.7.25.2 -Patch402: patch.4.7.25.3 - URL: http://www.openldap.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 1.5.6-2, krb5-devel @@ -125,12 +120,6 @@ programs needed for accessing and modifying OpenLDAP directories. %prep %setup -q -c -a 1 -pushd db-%{db_version} -%patch400 -p0 -b .patch1 -%patch401 -p0 -b .patch2 -%patch402 -p0 -b .patch3 -popd - pushd openldap-%{version} %patch0 -p1 -b .config %patch1 -p1 -b .ldaprc @@ -142,7 +131,7 @@ pushd openldap-%{version} %patch9 -p1 -b .smbk5pwd %patch10 -p1 -b .multilib %patch11 -p1 -b .cacertdir -%patch12 -p1 -b .malloc +%patch12 -p1 -b .tls-accept cp %{_datadir}/libtool/config/config.{sub,guess} build/ popd 
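Review bot: `openldap-2.4.18-ldif-buf-overflow.patch` is dropped here, together with the three `patch.4.7.25.*` BDB fixes, with nothing in the commit message or the %changelog stating that the LDIF buffer overflow is fixed in the 2.4.19 tarball or that 4.8.24 needs no upstream patches. Since the dropped patch is a memory-safety fix, confirm it against the 2.4.19 CHANGES file before this ships and record it, e.g. `- dropped ldif-buf-overflow patch, fixed upstream in 2.4.19`, and check Oracle's patch page for 4.8.24 rather than assuming a fresh release needs none. Reusing the `Patch12` slot for the unrelated TLS-accept patch also makes the spec's history harder to follow; a fresh number such as `Patch13: openldap-2.4.19-tls-accept.patch`, if unused, with the matching `%patch13 -p1 -b .tls-accept` in %prep (a later hunk), keeps it greppable.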
@@ -503,7 +492,7 @@ if [ -f /var/lib/ldap/need_db_upgrade ]; then fi if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then -pushd %{_sysconfdir}/pki/tls/certs +pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1 umask 077 cat << EOF | make slapd.pem > /dev/null 2>&1 -- @@ -599,7 +588,6 @@ fi %doc README.schema %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/ldap*.conf %attr(0640,root,ldap) %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf %attr(0640,root,ldap) %ghost %{_sysconfdir}/openldap/slapd.conf.bak %attr(0640,ldap,ldap) %ghost %{_sysconfdir}/openldap/slapd.d @@ -645,6 +633,15 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Wed Nov 18 2009 Jan Zeleny - 2.4.19-1 +- fixed tls connection accepting when TLSVerifyClient = allow +- /etc/openldap/ldap.conf removed from files owned by openldap-servers +- minor changes in spec file to supress warnings +- some changes in init script, so it would be possible to use it when + using old configuration style +- rebased openldap to 2.4.19 +- rebased bdb to 4.8.24 + * Wed Oct 07 2009 Jan Zeleny 2.4.18-5 - updated smbk5pwd patch to be linked with libldap (#526500) diff --git a/sources b/sources index edaad2d..b0d113a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -fecd7a64b6d9a0eb79b817d2562956ed openldap-2.4.18.tgz -ec2b87e833779681a0c3a814aa71359e db-4.7.25.tar.gz +4a6dab2711fcf141f19bb680bc335887 openldap-2.4.19.tgz +147afdecf438ff99ade105a5272db158 db-4.8.24.tar.gz
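Review bot: Sending pushd's output to /dev/null also hides a failed pushd, so if the certs directory is missing the scriptlet carries on, sets `umask 077` and runs `make slapd.pem` in whatever directory %post happens to be in — with that output already discarded, the result is a server with no certificate and no hint why. Keep the redirect but stop there on failure: `pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1 || exit 0`, or whichever failure policy the rest of this %post uses, since the scriptlet starts before the hunk and anything after this block would be skipped by the exit. The matching `popd` is also outside the hunk, so I have not checked whether it is guarded the same way.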