Initialize for openldap2

This commit is contained in:
zyppe 2024-02-28 21:00:53 +08:00
commit 72461ef5f4
83 changed files with 10390 additions and 0 deletions

3
.gitignore vendored Normal file

@ -0,0 +1,3 @@
addonschema.tar.gz
openldap-2.4.46.tgz
ppolicy-check-password-1.2.tar.gz

3
.openldap2.metadata Normal file

@ -0,0 +1,3 @@
7320568eb209542bd27b48795b56e6bf8c23f9861eb63fb275faf212753317d7 addonschema.tar.gz
22ebe3866d65a361ec8b57a137e92e62b330945a2378428d93caaf62cbb26866 openldap-2.4.46.tgz
b34809e6c98826fd0812eef18dfe8b97067238b0f9e68cb8448e65822028a6e8 ppolicy-check-password-1.2.tar.gz


@ -0,0 +1,66 @@
From 348588561c694784a8106871b0d5fe578007ea4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?= <michael@stroeder.com>
Date: Fri, 26 Oct 2018 16:40:23 +0200
Subject: [PATCH] ITS#8866 slapo-unique to return filter used in diagnostic
message
---
servers/slapd/overlays/unique.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
index ed62d03b8..a7723cf5d 100644
--- a/servers/slapd/overlays/unique.c
+++ b/servers/slapd/overlays/unique.c
@@ -965,6 +965,8 @@ unique_search(
slap_callback cb = { NULL, NULL, NULL, NULL }; /* XXX */
unique_counter uq = { NULL, 0 };
int rc;
+ char *errmsg;
+ int errmsgsize;
Debug(LDAP_DEBUG_TRACE, "==> unique_search %s\n", key->bv_val, 0, 0);
@@ -998,24 +1000,29 @@ unique_search(
nop->o_bd = on->on_info->oi_origdb;
rc = nop->o_bd->be_search(nop, &nrs);
filter_free_x(nop, nop->ors_filter, 1);
- op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
if(rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
send_ldap_error(op, rs, rc, "unique_search failed");
- return(rs->sr_err);
- }
-
- Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", uq.count, 0, 0);
+ rc = rs->sr_err;
+ } else if(uq.count) {
+ Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", uq.count, 0, 0);
- if(uq.count) {
+ errmsgsize = sizeof("non-unique attributes found with ") + key->bv_len;
+ errmsg = op->o_tmpalloc(errmsgsize, op->o_tmpmemctx);
+ snprintf( errmsg, errmsgsize, "non-unique attributes found with %s", key->bv_val );
op->o_bd->bd_info = (BackendInfo *) on->on_info;
- send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION,
- "some attributes not unique");
- return(rs->sr_err);
+ send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, errmsg);
+ op->o_tmpfree(errmsg, op->o_tmpmemctx);
+ rc = rs->sr_err;
+ } else {
+ Debug(LDAP_DEBUG_TRACE, "=> unique_search found no records\n", 0, 0, 0);
+ rc = SLAP_CB_CONTINUE;
}
- return(SLAP_CB_CONTINUE);
+ op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
+
+ return(rc);
}
static int
--
2.19.1
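Review bot: The new diagnostic built at `snprintf( errmsg, errmsgsize, "non-unique attributes found with %s", key->bv_val );` echoes the complete uniqueness filter back to the client in the LDAP result, so any client allowed to write the entry now learns the filter terms configured through `unique_uri`, not merely that a constraint was violated; whether that disclosure is acceptable is a deployment decision and deserves a sentence in slapo-unique(5) next to the directive. The allocation `errmsg = op->o_tmpalloc(errmsgsize, op->o_tmpmemctx);` is used without a NULL check; if o_tmpalloc follows the slap_sl_malloc/ch_malloc convention of aborting on failure that is fine, otherwise guard it before the snprintf. The length arithmetic itself is sound, since `sizeof("non-unique attributes found with ")` already includes the terminator and `key->bv_len` is added on top. unique_search begins before this hunk.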


@ -0,0 +1,22 @@
From 73f1a31ec1d90872ac6f09ffac5adfb199eba963 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Wed, 16 Jun 2010 14:06:42 +0200
Subject: LDAPI socket location
diff --git a/include/ldap_defaults.h b/include/ldap_defaults.h
index 9dba666..b9780bc 100644
--- a/include/ldap_defaults.h
+++ b/include/ldap_defaults.h
@@ -39,7 +39,7 @@
#define LDAP_ENV_PREFIX "LDAP"
/* default ldapi:// socket */
-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
/*
* SLAPD DEFINITIONS
--
1.7.10.4

131
0005-pie-compile.dif Normal file

@ -0,0 +1,131 @@
From 60edf86023da15db7be5935c85826e16d2b78648 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Fri, 12 Nov 2010 09:39:11 +0100
Subject: pie compile
diff --git a/build/top.mk b/build/top.mk
index 633c9a4..c67289d 100644
--- a/build/top.mk
+++ b/build/top.mk
@@ -107,7 +107,7 @@ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
LTSTATIC = @LTSTATIC@
LTLINK = $(LIBTOOL) --mode=link \
- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
+ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
@@ -116,7 +116,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
@@ -206,7 +206,7 @@ SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LI
# Our Defaults
CC = $(AC_CC)
DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
-CFLAGS = $(AC_CFLAGS) $(DEFS)
+CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
diff --git a/servers/slapd/back-bdb/Makefile.in b/servers/slapd/back-bdb/Makefile.in
index da7da0c..dcb6d92 100644
--- a/servers/slapd/back-bdb/Makefile.in
+++ b/servers/slapd/back-bdb/Makefile.in
@@ -33,6 +33,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-bdb"
BUILD_MOD = @BUILD_BDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_BDB@_DEFS)
MOD_LIBS = $(BDB_LIBS)
diff --git a/servers/slapd/back-hdb/Makefile.in b/servers/slapd/back-hdb/Makefile.in
index 5af828f..6f43f7b 100644
--- a/servers/slapd/back-hdb/Makefile.in
+++ b/servers/slapd/back-hdb/Makefile.in
@@ -37,6 +37,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-hdb"
BUILD_MOD = @BUILD_HDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_HDB@_DEFS)
MOD_LIBS = $(BDB_LIBS)
diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
index 392d92e..3a0663d 100644
--- a/servers/slapd/back-ldap/Makefile.in
+++ b/servers/slapd/back-ldap/Makefile.in
@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldap"
BUILD_MOD = @BUILD_LDAP@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
index 5e4abc1..1e8c454 100644
--- a/servers/slapd/back-ldif/Makefile.in
+++ b/servers/slapd/back-ldif/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldif"
BUILD_MOD = yes
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
index 9b01d2a..e37520a 100644
--- a/servers/slapd/back-mdb/Makefile.in
+++ b/servers/slapd/back-mdb/Makefile.in
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/libmdb
BUILD_OPT = "--enable-mdb"
BUILD_MOD = @BUILD_MDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MDB@_DEFS)
MOD_LIBS = $(MDB_LIBS)
diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
index 9aecdbc..11c962c 100644
--- a/servers/slapd/back-monitor/Makefile.in
+++ b/servers/slapd/back-monitor/Makefile.in
@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-monitor"
BUILD_MOD = @BUILD_MONITOR@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MONITOR@_DEFS)
diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
index 90ea4b3..ff2f429 100644
--- a/servers/slapd/back-relay/Makefile.in
+++ b/servers/slapd/back-relay/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-relay"
BUILD_MOD = @BUILD_RELAY@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_RELAY@_DEFS)
--
1.7.10.4
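Review bot: `-pie` is hard-wired into LTLINK at `$(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)` in top.mk, so it is passed for every program link including a `$(LTSTATIC)` static link, where `-pie` and `-static` conflict on older toolchains; driving it from a configure-substituted variable, e.g. `$(CC) $(PIE_LDFLAGS) $(LTSTATIC) ...` with `PIE_LDFLAGS = -pie`, keeps the hardening switchable. The `PIE_CFLAGS="-fPIE"` lines added to each backend Makefile.in are redundant once `CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)` applies globally, and the double quotes become part of the make value (the shell strips them at command time, so it works by accident rather than by design). PIE only delivers its ASLR benefit alongside the distribution's RELRO/stack-protector flags; those are presumably injected through the spec file's LDFLAGS, which is worth confirming rather than assuming.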


@ -0,0 +1,33 @@
From a7a37111026ccb9fddfeedc22606b80d8d75557f Mon Sep 17 00:00:00 2001
From: Cristian Rodriguez <cristian.rodriguez@opensuse.org>
Date: Tue, 5 Oct 2010 13:59:40 +0200
Subject: No Build date and time in binaries
This avoids build-compare failures and unhelpful rebuilds/republishes in
the openSUSE buildservice.
diff --git a/build/mkversion b/build/mkversion
index 3fd9565..dd9a998 100755
--- a/build/mkversion
+++ b/build/mkversion
@@ -50,7 +50,7 @@ if test $# != 1 ; then
fi
APPLICATION=$1
-WHOWHERE="$USER@`uname -n`:`pwd`"
+WHOWHERE="opensuse-buildservice@opensuse.org"
cat << __EOF__
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
@@ -72,7 +72,7 @@ static const char copyright[] =
"COPYING RESTRICTIONS APPLY\n";
$static $const char $SYMBOL[] =
-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
+"@(#) \$$PACKAGE: $APPLICATION $VERSION \$\n"
"\t$WHOWHERE\n";
__EOF__
--
1.7.10.4


@ -0,0 +1,29 @@
From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Tue, 5 Oct 2010 14:20:22 +0200
Subject: Recover on DB version change
If the libdb Version changed try to recover the database. Note: This will
only succeed if only the format of transaction logs changed.
diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
index ac5a6d5..fea5cb4 100644
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@@ -330,6 +330,13 @@ shm_retry:
rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
flags | do_recover, bdb->bi_dbenv_mode );
+ if ( rc == DB_VERSION_MISMATCH ) {
+ Debug( LDAP_DEBUG_ANY,
+ LDAP_XSTRING(bdb_db_open) ": bdb version change detected "
+ "trying to recover\n", 0, 0, 0 );
+ rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
+ flags | DB_RECOVER, bdb->bi_dbenv_mode );
+ }
if ( rc ) {
/* Regular open failed, probably a missing shm environment.
* Start over, do a recovery.
--
1.7.10.4
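Review bot: The retry at `rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome, flags | DB_RECOVER, bdb->bi_dbenv_mode );` discards the reason if it fails: control falls into the pre-existing `if ( rc )` path, whose comment attributes failure to a missing shm environment and recovers again, so a genuine on-disk format change that DB_RECOVER cannot repair ends up reported with a misleading cause. Log the retry's outcome before falling through, e.g. `if ( rc ) Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(bdb_db_open) ": recovery after version change failed: %s\n", db_strerror( rc ), 0, 0 );`. The commit message's caveat that this only succeeds when merely the transaction-log format changed is the kind of thing an operator will want to find in the code, so it belongs as a comment above the new `if ( rc == DB_VERSION_MISMATCH )` block. bdb_db_open starts and ends outside the hunk.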


@ -0,0 +1,29 @@
From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo@gmail.com>
Date: Fri, 13 Mar 2015 16:14:10 +0100
Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
are created for internal use only.
---
servers/slapd/back-monitor/conn.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
index c1995b0..2d27738 100644
--- a/servers/slapd/back-monitor/conn.c
+++ b/servers/slapd/back-monitor/conn.c
@@ -454,6 +454,11 @@ monitor_subsys_conn_create(
c != NULL;
c = connection_next( c, &connindex ) )
{
+ /* Connection 0 is created by connection_client_setup for internal use only */
+ if (c->c_connid == 0) {
+ continue;
+ }
+
monitor_entry_t *mp;
if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE
--
2.1.4
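Review bot: The inserted `if (c->c_connid == 0) { continue; }` is placed before the declaration `monitor_entry_t *mp;`, turning the loop body into a declaration-after-statement block; this code base is written to C89 rules and the construct trips `-Wdeclaration-after-statement` or fails outright on stricter compilers. Move the check below the declaration: `monitor_entry_t *mp;` followed by `/* Connection 0 is created by connection_client_setup for internal use only */` and `if ( c->c_connid == 0 ) continue;`. That connection id 0 is always the internal client connection is taken from the comment rather than visible here and is worth confirming against connection_client_setup(). monitor_subsys_conn_create continues outside the hunk.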


@ -0,0 +1,73 @@
The patch was written by Christian Kornacker on 2014-01-08 to fix an issue with unresponsive
LDAP host lookups in IPv6 environment.
---
libraries/libldap/util-int.c | 39 +++++++++++++++++++++++++++++++++++++--
1 file changed, 37 insertions(+), 2 deletions(-)
Index: openldap-2.4.41/libraries/libldap/util-int.c
===================================================================
--- openldap-2.4.41.orig/libraries/libldap/util-int.c
+++ openldap-2.4.41/libraries/libldap/util-int.c
@@ -731,10 +731,16 @@ static char *safe_realloc( char **buf, i
char * ldap_pvt_get_fqdn( char *name )
{
- char *fqdn, *ha_buf;
+ int rc;
+ char *fqdn;
char hostbuf[MAXHOSTNAMELEN+1];
+#ifdef HAVE_GETADDRINFO
+ struct addrinfo hints, *res;
+#else
+ char *ha_buf;
struct hostent *hp, he_buf;
- int rc, local_h_errno;
+ int local_h_errno;
+#endif
if( name == NULL ) {
if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) {
@@ -745,6 +751,33 @@ char * ldap_pvt_get_fqdn( char *name )
}
}
+#ifdef HAVE_GETADDRINFO
+ memset( &hints, '\0', sizeof( hints ) );
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags |= AI_CANONNAME;
+
+ /* most getaddrinfo(3) use non-threadsafe resolver libraries */
+ LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+
+ rc = getaddrinfo( name, NULL, &hints, &res );
+
+ LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+
+ if ( rc != 0 ) {
+ fqdn = LDAP_STRDUP( name );
+ } else {
+ while ( res ) {
+ if ( res->ai_canonname ) {
+ fqdn = LDAP_STRDUP ( res->ai_canonname );
+ break;
+ }
+ res = res->ai_next;
+ }
+ freeaddrinfo( res );
+ }
+#else
+
rc = ldap_pvt_gethostbyname_a( name,
&he_buf, &ha_buf, &hp, &local_h_errno );
@@ -755,6 +788,8 @@ char * ldap_pvt_get_fqdn( char *name )
}
LDAP_FREE( ha_buf );
+#endif
+
return fqdn;
}
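Review bot: The getaddrinfo branch can return an uninitialized `fqdn` and mishandles the result list: the `while ( res )` loop advances `res` itself, so after `break` the call `freeaddrinfo( res )` releases the list from the matching node onward (the preceding nodes leak on libcs that allocate nodes individually), and when no entry carries `ai_canonname` the loop exits with `res == NULL`, `fqdn` is never assigned, and `freeaddrinfo(NULL)` is passed a pointer it is not guaranteed to accept. Walk a separate cursor, keep the head for freeing, and fall back to the bare name as the `rc != 0` path already does. Since AI_CANONNAME is populated on the first result only, the fallback will be hit for any host without a canonical name, which is precisely the environment this patch targets. The NULL-name handling and the gethostbyname path of ldap_pvt_get_fqdn are outside the hunk.
```c
	rc = getaddrinfo( name, NULL, &hints, &res );

	LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);

	fqdn = NULL;
	if ( rc == 0 ) {
		struct addrinfo *ai;
		for ( ai = res; ai != NULL; ai = ai->ai_next ) {
			if ( ai->ai_canonname != NULL ) {
				fqdn = LDAP_STRDUP( ai->ai_canonname );
				break;
			}
		}
		freeaddrinfo( res );	/* always free from the head */
	}
	if ( fqdn == NULL ) {
		/* lookup failed or yielded no canonical name: use the name as given */
		fqdn = LDAP_STRDUP( name );
	}
```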


@ -0,0 +1,80 @@
diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c
index 71e3ea4..bafef72 100644
--- a/servers/slapd/back-bdb/filterindex.c
+++ b/servers/slapd/back-bdb/filterindex.c
@@ -741,7 +741,7 @@ equality_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_equality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -858,7 +858,7 @@ approx_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_approx_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -978,7 +978,7 @@ substring_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_substring_candidates: (%s) not indexed\n",
sub->sa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -1095,7 +1095,7 @@ inequality_candidates(
&db, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= bdb_inequality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c
index 58c1cc8..20c58b7 100644
--- a/servers/slapd/back-mdb/filterindex.c
+++ b/servers/slapd/back-mdb/filterindex.c
@@ -709,7 +709,7 @@ equality_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_equality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -825,7 +825,7 @@ approx_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_approx_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -944,7 +944,7 @@ substring_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_substring_candidates: (%s) not indexed\n",
sub->sa_desc->ad_cname.bv_val, 0, 0 );
return 0;
@@ -1060,7 +1060,7 @@ inequality_candidates(
&dbi, &mask, &prefix );
if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"<= mdb_inequality_candidates: (%s) not indexed\n",
ava->aa_desc->ad_cname.bv_val, 0, 0 );
return 0;
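Review bot: Demoting every "not indexed" diagnostic from LDAP_DEBUG_ANY to LDAP_DEBUG_TRACE removes the only default-level signal that a search filter is hitting an unindexed attribute, which is how operators usually notice the full-scan searches that let an unprivileged client drive slapd to saturation; with this patch those searches are invisible unless trace logging is on. If the aim is to stop log flooding, a filter-specific level (if one fits the file's conventions) or rate limiting would keep the signal, and the package changelog should in any case tell admins to raise `loglevel` when tuning indexes. The edit is identical across all eight candidate functions in back-bdb and back-mdb, so whatever level is chosen should stay uniform across them.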


@ -0,0 +1,128 @@
From 328612d3370290c7f42ad835e1b0e3189eadef7b Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 4 Feb 2015 03:53:13 +0000
Subject: [PATCH] ITS#8051 add DN qualifier
---
doc/man/man5/slapd-sock.5 | 5 +++++
servers/slapd/back-sock/back-sock.h | 2 ++
servers/slapd/back-sock/config.c | 32 +++++++++++++++++++++++++++++---
3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/doc/man/man5/slapd-sock.5 b/doc/man/man5/slapd-sock.5
index ee8cc919f..1ac4f7fdd 100644
--- a/doc/man/man5/slapd-sock.5
+++ b/doc/man/man5/slapd-sock.5
@@ -58,6 +58,11 @@ Specify which response types to send to the external program. "result"
sends just the results of an operation. "search" sends all entries that
the database returned for a search request. The default is empty
(no responses are sent).
+.TP
+.B sockdnpat <regexp>
+Specify DN patterns for which the overlay will act. Only operations on
+DNs matching the specified regular expression will be processed. The default
+is empty (all DNs are processed).
.SH PROTOCOL
The protocol is essentially the same as
diff --git a/servers/slapd/back-sock/back-sock.h b/servers/slapd/back-sock/back-sock.h
index 15495a6bc..7a083a8df 100644
--- a/servers/slapd/back-sock/back-sock.h
+++ b/servers/slapd/back-sock/back-sock.h
@@ -30,6 +30,8 @@ struct sockinfo {
slap_mask_t si_extensions;
slap_mask_t si_ops; /* overlay: operations to act on */
slap_mask_t si_resps; /* overlay: responses to forward */
+ regex_t si_dnpat; /* overlay: DN pattern to match */
+ struct berval si_dnpatstr;
};
#define SOCK_EXT_BINDDN 1
diff --git a/servers/slapd/back-sock/config.c b/servers/slapd/back-sock/config.c
index d8ff95ceb..dc3f1365c 100644
--- a/servers/slapd/back-sock/config.c
+++ b/servers/slapd/back-sock/config.c
@@ -36,11 +36,12 @@ static slap_response sock_over_response;
enum {
BS_EXT = 1,
BS_OPS,
- BS_RESP
+ BS_RESP,
+ BS_DNPAT
};
/* The number of overlay-only config attrs */
-#define NUM_OV_ATTRS 2
+#define NUM_OV_ATTRS 3
static ConfigTable bscfg[] = {
{ "sockops", "ops", 2, 0, 0, ARG_MAGIC|BS_OPS,
@@ -53,6 +54,11 @@ static ConfigTable bscfg[] = {
"DESC 'Response types to forward' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString )", NULL, NULL },
+ { "sockdnpat", "regexp", 2, 2, 0, ARG_MAGIC|BS_DNPAT,
+ bs_cf_gen, "( OLcfgDbAt:7.5 NAME 'olcOvSocketDNpat' "
+ "DESC 'DN pattern to match' "
+ "EQUALITY caseIgnoreMatch "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "socketpath", "pathname", 2, 2, 0, ARG_STRING|ARG_OFFSET,
(void *)offsetof(struct sockinfo, si_sockpath),
@@ -86,7 +92,8 @@ static ConfigOCs osocs[] = {
"SUP olcOverlayConfig "
"MUST olcDbSocketPath "
"MAY ( olcDbSocketExtensions $ "
- " olcOvSocketOps $ olcOvSocketResps ) )",
+ " olcOvSocketOps $ olcOvSocketResps $ "
+ " olcOvSocketDNpat ) )",
Cft_Overlay, bscfg },
{ NULL, 0, NULL }
};
@@ -150,6 +157,9 @@ bs_cf_gen( ConfigArgs *c )
return mask_to_verbs( ov_ops, si->si_ops, &c->rvalue_vals );
case BS_RESP:
return mask_to_verbs( ov_resps, si->si_resps, &c->rvalue_vals );
+ case BS_DNPAT:
+ value_add_one( &c->rvalue_vals, &si->si_dnpatstr );
+ return 0;
}
} else if ( c->op == LDAP_MOD_DELETE ) {
switch( c->type ) {
@@ -186,6 +196,11 @@ bs_cf_gen( ConfigArgs *c )
si->si_resps ^= dels;
}
return rc;
+ case BS_DNPAT:
+ regfree( &si->si_dnpat );
+ ch_free( si->si_dnpatstr.bv_val );
+ BER_BVZERO( &si->si_dnpatstr );
+ return 0;
}
} else {
@@ -196,6 +211,13 @@ bs_cf_gen( ConfigArgs *c )
return verbs_to_mask( c->argc, c->argv, ov_ops, &si->si_ops );
case BS_RESP:
return verbs_to_mask( c->argc, c->argv, ov_resps, &si->si_resps );
+ case BS_DNPAT:
+ if ( !regcomp( &si->si_dnpat, c->argv[1], REG_EXTENDED|REG_ICASE|REG_NOSUB )) {
+ ber_str2bv( c->argv[1], 0, 1, &si->si_dnpatstr );
+ return 0;
+ } else {
+ return 1;
+ }
}
}
return 1;
@@ -268,6 +290,10 @@ static int sock_over_op(
if ( !(si->si_ops & sockopflags[which]))
return SLAP_CB_CONTINUE;
+ if ( !BER_BVISEMPTY( &si->si_dnpatstr ) &&
+ regexec( &si->si_dnpat, op->o_req_ndn.bv_val, 0, NULL, 0 ))
+ return SLAP_CB_CONTINUE;
+
op->o_bd->be_private = si;
sc = op->o_callback;
op->o_callback = NULL;
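Review bot: In the add path, `if ( !regcomp( &si->si_dnpat, c->argv[1], REG_EXTENDED|REG_ICASE|REG_NOSUB ))` recompiles into `si_dnpat` and `ber_str2bv( c->argv[1], 0, 1, &si->si_dnpatstr );` overwrites the previous value without `regfree` or `ch_free`, so a repeated `sockdnpat` line in slapd.conf (or any replace that bypasses the delete branch) leaks the old regex and string; release both first whenever `si_dnpatstr` is non-empty. The pattern is compiled without anchors and tested with `regexec( &si->si_dnpat, op->o_req_ndn.bv_val, 0, NULL, 0 )` against the normalized DN, so a value like `ou=people` also matches `ou=people-archive,...` or any DN containing that substring; slapd-sock(5) should state that the value is an unanchored, case-insensitive extended regex matched against the normalized request DN, and its example should use `^...$`. Also check whether `o_req_ndn.bv_val` can be NULL for any request type routed through sock_over_op, since regexec dereferences it unconditionally. sock_over_op begins before the hunk shown.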


@ -0,0 +1,241 @@
diff --git a/doc/man/man5/slapd-sock.5 b/doc/man/man5/slapd-sock.5
index 1ac4f7fdd..903155fa4 100644
--- a/doc/man/man5/slapd-sock.5
+++ b/doc/man/man5/slapd-sock.5
@@ -49,7 +49,7 @@ be sent and from which replies are received.
When used as an overlay, these additional directives are defined:
.TP
-.B sockops [ bind | unbind | search | compare | modify | modrdn | add | delete ]*
+.B sockops [ bind | unbind | search | compare | modify | modrdn | add | delete | extended ]*
Specify which request types to send to the external program. The default is
empty (no requests are sent).
.TP
@@ -115,6 +115,17 @@ dn: <DN>
.PP
.RS
.nf
+EXTENDED
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+oid: <OID>
+value: <base64-value>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
MODIFY
msgid: <message id>
<repeat { "suffix:" <database suffix DN> }>
@@ -213,6 +224,11 @@ msgid: <message id>
.fi
.RE
+.SH KNOWN LIMITATIONS
+The
+.B sock
+backend does not process extended operation results from an external program.
+
.SH ACCESS CONTROL
The
.B sock
@@ -292,6 +308,11 @@ access to the
pseudo_attribute of the searchBase;
.B search (=s)
access to the attributes and values used in the filter is not checked.
+.LP
+The
+.B extended
+operation does not require any access special rights.
+The external program has to implement any sort of access control.
.SH EXAMPLE
There is an example script in the slapd/back\-sock/ directory
diff --git a/servers/slapd/back-sock/Makefile.in b/servers/slapd/back-sock/Makefile.in
index 3e527e545..efb916246 100644
--- a/servers/slapd/back-sock/Makefile.in
+++ b/servers/slapd/back-sock/Makefile.in
@@ -18,9 +18,9 @@
## in OpenLDAP Software.
SRCS = init.c config.c opensock.c search.c bind.c unbind.c add.c \
- delete.c modify.c modrdn.c compare.c result.c
+ delete.c modify.c modrdn.c compare.c result.c extended.c
OBJS = init.lo config.lo opensock.lo search.lo bind.lo unbind.lo add.lo \
- delete.lo modify.lo modrdn.lo compare.lo result.lo
+ delete.lo modify.lo modrdn.lo compare.lo result.lo extended.lo
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
diff --git a/servers/slapd/back-sock/config.c b/servers/slapd/back-sock/config.c
index dc3f1365c..2dcf68bf6 100644
--- a/servers/slapd/back-sock/config.c
+++ b/servers/slapd/back-sock/config.c
@@ -106,6 +106,7 @@ static ConfigOCs osocs[] = {
#define SOCK_OP_MODRDN 0x020
#define SOCK_OP_ADD 0x040
#define SOCK_OP_DELETE 0x080
+#define SOCK_OP_EXTENDED 0x100
#define SOCK_REP_RESULT 0x001
#define SOCK_REP_SEARCH 0x002
@@ -127,6 +128,7 @@ static slap_verbmasks ov_ops[] = {
{ BER_BVC("modrdn"), SOCK_OP_MODRDN },
{ BER_BVC("add"), SOCK_OP_ADD },
{ BER_BVC("delete"), SOCK_OP_DELETE },
+ { BER_BVC("extended"), SOCK_OP_EXTENDED },
{ BER_BVNULL, 0 }
};
@@ -249,7 +251,9 @@ static BI_op_bind *sockfuncs[] = {
sock_back_modify,
sock_back_modrdn,
sock_back_add,
- sock_back_delete
+ sock_back_delete,
+ 0, /* abandon not supported */
+ sock_back_extended
};
static const int sockopflags[] = {
@@ -260,7 +264,9 @@ static const int sockopflags[] = {
SOCK_OP_MODIFY,
SOCK_OP_MODRDN,
SOCK_OP_ADD,
- SOCK_OP_DELETE
+ SOCK_OP_DELETE,
+ 0, /* abandon not supported */
+ SOCK_OP_EXTENDED
};
static int sock_over_op(
@@ -283,6 +289,7 @@ static int sock_over_op(
case LDAP_REQ_MODRDN: which = op_modrdn; break;
case LDAP_REQ_ADD: which = op_add; break;
case LDAP_REQ_DELETE: which = op_delete; break;
+ case LDAP_REQ_EXTENDED: which = op_extended; break;
default:
return SLAP_CB_CONTINUE;
}
@@ -365,6 +372,7 @@ sock_over_setup()
sockover.on_bi.bi_op_modrdn = sock_over_op;
sockover.on_bi.bi_op_add = sock_over_op;
sockover.on_bi.bi_op_delete = sock_over_op;
+ sockover.on_bi.bi_extended = sock_over_op;
sockover.on_response = sock_over_response;
sockover.on_bi.bi_cf_ocs = osocs;
diff --git a/servers/slapd/back-sock/extended.c b/servers/slapd/back-sock/extended.c
new file mode 100644
index 000000000..dfe56b32b
--- /dev/null
+++ b/servers/slapd/back-sock/extended.c
@@ -0,0 +1,80 @@
+/* extended.c - sock backend extended routines */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2000-2017 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+
+#include "portable.h"
+
+#include <stdio.h>
+#include <ac/string.h>
+
+#include "slap.h"
+#include "back-sock.h"
+
+#include "lutil.h"
+
+int
+sock_back_extended( Operation *op, SlapReply *rs )
+{
+ int rc;
+ struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
+ FILE *fp;
+ struct berval b64;
+
+ Debug( LDAP_DEBUG_ARGS, "==> sock_back_extended(%s)\n",
+ op->ore_reqoid.bv_val, op->o_req_dn.bv_val, 0 );
+
+ if ( (fp = opensock( si->si_sockpath )) == NULL ) {
+ send_ldap_error( op, rs, LDAP_OTHER,
+ "could not open socket" );
+ return( -1 );
+ }
+
+ /* write out the request to the extended process */
+ fprintf( fp, "EXTENDED\n" );
+ fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
+ sock_print_conn( fp, op->o_conn, si );
+ sock_print_suffixes( fp, op->o_bd );
+ fprintf( fp, "oid: %s\n", op->ore_reqoid.bv_val );
+
+ if (op->ore_reqdata) {
+
+ b64.bv_len = LUTIL_BASE64_ENCODE_LEN( op->ore_reqdata->bv_len ) + 1;
+ b64.bv_val = ber_memalloc( b64.bv_len + 1 );
+
+ if( b64.bv_val == NULL ) {
+ return LUTIL_PASSWD_ERR;
+ }
+
+ rc = lutil_b64_ntop(
+ (unsigned char *) op->ore_reqdata->bv_val, op->ore_reqdata->bv_len,
+ b64.bv_val, b64.bv_len );
+
+ b64.bv_len = rc;
+ assert( strlen(b64.bv_val) == b64.bv_len );
+
+ fprintf( fp, "value: %s\n", b64.bv_val );
+
+ ber_memfree( b64.bv_val );
+
+ }
+
+ fprintf( fp, "\n" );
+
+ /* read in the results and send them along */
+ rc = sock_read_and_send_results( op, rs, fp );
+ fclose( fp );
+
+ return( rc );
+}
diff --git a/servers/slapd/back-sock/init.c b/servers/slapd/back-sock/init.c
index dcfe61a44..92e68782f 100644
--- a/servers/slapd/back-sock/init.c
+++ b/servers/slapd/back-sock/init.c
@@ -53,7 +53,7 @@ sock_back_initialize(
bi->bi_op_delete = sock_back_delete;
bi->bi_op_abandon = 0;
- bi->bi_extended = 0;
+ bi->bi_extended = sock_back_extended;
bi->bi_chk_referrals = 0;
diff --git a/servers/slapd/back-sock/proto-sock.h b/servers/slapd/back-sock/proto-sock.h
index fa02ab896..8b3b5f3ef 100644
--- a/servers/slapd/back-sock/proto-sock.h
+++ b/servers/slapd/back-sock/proto-sock.h
@@ -40,6 +40,8 @@ extern BI_op_modrdn sock_back_modrdn;
extern BI_op_add sock_back_add;
extern BI_op_delete sock_back_delete;
+extern BI_op_extended sock_back_extended;
+
extern int sock_back_init_cf( BackendInfo *bi );
LDAP_END_DECL
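Review bot: The out-of-memory path in sock_back_extended, `if( b64.bv_val == NULL ) { return LUTIL_PASSWD_ERR; }`, returns a lutil password-check constant where the frontend expects a backend result, sends no LDAP result to the client, and leaks the socket `fp` opened a few lines earlier; the return of `lutil_b64_ntop` is likewise used unchecked (`b64.bv_len = rc;`), so a negative value reaches the `assert`. The rewrite below closes the socket and reports LDAP_OTHER on both failures. Separately, the `Debug( LDAP_DEBUG_ARGS, "==> sock_back_extended(%s)\n", op->ore_reqoid.bv_val, op->o_req_dn.bv_val, 0 );` format has one conversion but two data arguments; drop `op->o_req_dn.bv_val`. Finally, the man page's line that the extended operation "does not require any access special rights" should be read with what is written to the socket: the full request value is base64-encoded and handed to the external program, and if the Password Modify exop reaches this backend through be_extended that value carries old and new passwords in clear, so the text ought to warn that the program receives unfiltered, possibly secret exop payloads from any client, anonymous included, and must do its own authorization.
```c
	if ( op->ore_reqdata ) {
		b64.bv_len = LUTIL_BASE64_ENCODE_LEN( op->ore_reqdata->bv_len ) + 1;
		b64.bv_val = ber_memalloc( b64.bv_len + 1 );
		if ( b64.bv_val == NULL ) {
			fclose( fp );
			send_ldap_error( op, rs, LDAP_OTHER, "out of memory" );
			return( -1 );
		}

		rc = lutil_b64_ntop(
			(unsigned char *) op->ore_reqdata->bv_val, op->ore_reqdata->bv_len,
			b64.bv_val, b64.bv_len );
		if ( rc < 0 ) {
			ber_memfree( b64.bv_val );
			fclose( fp );
			send_ldap_error( op, rs, LDAP_OTHER, "base64 encoding failed" );
			return( -1 );
		}
		b64.bv_len = rc;

		fprintf( fp, "value: %s\n", b64.bv_val );
		ber_memfree( b64.bv_val );
	}
	/* … unchanged: terminating blank line, sock_read_and_send_results, fclose … */
```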


@ -0,0 +1,16 @@
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 6bdf3151d..56212151b 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -4692,6 +4692,11 @@ mdb_env_close0(MDB_env *env, int excl)
if (env->me_flags & MDB_ENV_TXKEY) {
pthread_key_delete(env->me_txkey);
+
+ // No need to call desctructor anymore, as all pid
+ // values are cleared below.
+ env->me_txkey = NULL;
+
#ifdef _WIN32
/* Delete our key from the global list */
for (i=0; i<mdb_tls_nkeys; i++)
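Review bot: `env->me_txkey = NULL;` assigns a null pointer constant to a `pthread_key_t`, which on glibc is an unsigned integer for which 0 is a valid key, so this is at best a conversion warning and does not actually mark the key as deleted. If the goal is to ensure the destructor is never invoked or the key never deleted twice, clear the flag that guards this block instead: `env->me_flags &= ~MDB_ENV_TXKEY;`. The comment should then say that, use `/* */` to match the rest of mdb.c, and read "destructor". mdb_env_close0 continues outside the hunk, so whether anything later re-tests MDB_ENV_TXKEY is inferred rather than visible here.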


@ -0,0 +1,35 @@
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 54c24682a..06945d811 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -360,10 +360,16 @@ memberof_value_modify(
unsigned long opid = op->o_opid;
SlapReply rs2 = { REP_RESULT };
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
- struct berval values[ 4 ], nvalues[ 4 ];
+ Modifications *mod, *ml;
+ struct berval *values, *nvalues;
int mcnt = 0;
+ mod = (Modifications*)malloc(2 * sizeof(Modifications));
+ memset(mod, 0, 2 * sizeof(Modifications));
+
+ values = (struct berval*)malloc(4 * sizeof(struct berval));
+ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
+
op2.o_tag = LDAP_REQ_MODIFY;
op2.o_req_dn = *ndn;
@@ -493,6 +499,11 @@ memberof_value_modify(
/* restore original opid */
op->o_opid = opid;
+
+ slap_mods_free( mod, 0 );
+ free(values);
+ free(nvalues);
+
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
* add will fail; better split in two operations, although
* not optimal in terms of performance. At least it would
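Review bot: The new heap buffers are released inconsistently: `mod` is one `malloc(2 * sizeof(Modifications))` block but is freed with `slap_mods_free( mod, 0 )`, which walks `sml_next` and frees each node individually — if the code between the hunks links `mod[0]` and `mod[1]` into one list, as the original array layout suggests, that becomes a `free()` of an interior pointer (heap corruption), and if only one element is linked the other is simply never touched. Either allocate the two Modifications separately or clear the list and free the block with a plain `free( mod )`. None of the three `malloc` results is checked before `memset` and use; `ch_calloc`, which this code base relies on to abort on OOM, would remove both the check and the memset. The patch also states no reason for moving these off the stack; if they must outlive the function (an asynchronous op2, say), freeing them at the end defeats that, so a comment giving the rationale would help. memberof_value_modify's body between the two hunks is not shown.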


@ -0,0 +1,130 @@
From b026c9236e6b11c158e69572a28eb0efb174234b Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo@gmail.com>
Date: Wed, 17 Feb 2016 16:10:05 +0100
Subject: [PATCH] Fix incorrect calculation of consecutive number of characters
in a class, when the input is shorter than 6 chars or consecutive chars
appear at the beginning of input
diff --git a/check_password.c b/check_password.c
index 0d9f901..acf8eda 100644
--- a/check_password.c
+++ b/check_password.c
@@ -355,18 +355,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
int min_quality = DEFAULT_QUALITY;
int use_cracklib = DEFAULT_CRACKLIB;
- /** bail out early as cracklib will reject passwords shorter
- * than 6 characters
- */
-
nLen = strlen (pPasswd);
- if ( nLen < 6) {
- mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
- sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
- goto fail;
- }
if (read_config_file() == -1) {
syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
@@ -392,46 +381,38 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
*/
if ( max_consecutive_per_class != 0 ) {
- int consec_chars = 1;
- char type[10] = "unkown";
- char prev_type[10] = "unknown";
+ char prev_type = '\0';
+ char this_type = ' ';
+ i = 0;
+ int consec_chars = 0;
for ( i = 0; i < nLen; i++ ) {
-
if ( islower(pPasswd[i]) ) {
- strncpy(type,"lower",10);
+ this_type = 'l';
}
else if ( isupper(pPasswd[i]) ) {
- strncpy(type,"upper",10);
+ this_type = 'u';
}
else if ( isdigit(pPasswd[i]) ) {
- strncpy(type,"digit",10);
+ this_type = 'd';
}
else if ( ispunct(pPasswd[i]) ) {
- strncpy(type,"punct",10);
+ this_type = 'p';
}
else {
- strncpy(type,"unknown",10);
- }
-
- if ( consec_chars > max_consecutive_per_class ) {
- mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(CONSEC_FAIL_SZ) +
- strlen(pEntry->e_name.bv_val));
- sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
- goto fail;
+ this_type = ' ';
}
-
- if ( strncmp(type,prev_type,10) == 0 ) {
- consec_chars++;
+ if (this_type == prev_type) {
+ ++consec_chars;
+ } else if (i > 0) {
+ consec_chars = 0;
}
- else {
- if (strncmp("unknown",prev_type,8) != 0) {
- consec_chars = 1;
- }
- else {
- consec_chars++;
- }
- strncpy(prev_type,type,10);
+ prev_type = this_type;
+ if ( consec_chars >= max_consecutive_per_class ) {
+ mem_len = realloc_error_message(&szErrStr, mem_len,
+ strlen(CONSEC_FAIL_SZ) +
+ strlen(pEntry->e_name.bv_val));
+ sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
+ goto fail;
}
}
}
diff --git a/check_password_test.c b/check_password_test.c
index 626d719..d33bd80 100644
--- a/check_password_test.c
+++ b/check_password_test.c
@@ -90,7 +90,6 @@ void setconf(
}
int main(void) {
-
// Empty Config, equiv to:
// 5,3,1,0,0,0,0
setconf(-1,-1,-1,-1,-1,-1,-1);
@@ -109,5 +108,16 @@ int main(void) {
testpass("Test 2.1", "Simp1e", 1);
testpass("Test 2.2", "SimPle", 1);
testpass("Test 2.1", "Simp1e!", 0);
+
+ setconf(1,0,0,0,0,0,0);
+ testpass("a", "Ab1,", 0);
+ testpass("a", "AAb1,", 1);
+ testpass("a", "Abb1,", 1);
+
+ setconf(3,0,0,0,0,0,0);
+ testpass("a", "AAAbbb111,,,", 0);
+ testpass("a", "AAAAbbb111,,,,", 1);
+ testpass("a", "AAAbbbb111,,,", 1);
+
return 0;
}
--
2.7.1
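Review bot: Characters that fall into none of the ctype classes are now grouped into the `' '` class and counted toward `consec_chars >= max_consecutive_per_class`, so bytes of UTF-8 multibyte characters, which `islower`/`isupper`/`isdigit`/`ispunct` do not classify in the C locale, form a run: with a limit of 3, two consecutive three-byte characters already fail. Whether that is the intended policy should be stated in the module README, or the unclassified class excluded with `if ( this_type != ' ' && consec_chars >= max_consecutive_per_class )`. The `i = 0;` before `int consec_chars = 0;` is redundant (the `for` initializes `i`) and places a statement ahead of a declaration; drop it. Passing a plain `char` to the ctype functions is undefined for negative values; those calls are unchanged context here, but the new classification code is the natural place to cast to `unsigned char`. Removing the `nLen < 6` short-circuit means cracklib is now consulted for short passwords when enabled, which is presumably intended but deserves a sentence in the commit message.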


@ -0,0 +1,25 @@
From 0fa0f8ff078a3a49a19574eecaea797b7a55a665 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 10 Jul 2019 21:29:39 +0100
Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
---
servers/slapd/connection.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 34ecaa85a..a9a8d119f 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -535,7 +535,7 @@ Connection * connection_init(
c->c_close_reason = "?"; /* should never be needed */
c->c_ssf = c->c_transport_ssf = ssf;
- c->c_tls_ssf = 0;
+ c->c_tls_ssf = c->c_sasl_ssf = 0;
#ifdef HAVE_TLS
if ( flags & CONN_IS_TLS ) {
--
2.20.1 (Apple Git-117)


@ -0,0 +1,36 @@
From fbe5611e606e80e56e158cc42f0c7289975836a8 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 19 Jun 2019 12:29:02 +0100
Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
Treat as normal user for any other DB.
---
servers/slapd/saslauthz.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 541c21344..de34c0b10 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
goto DONE;
}
- /* Allow the manager to authorize as any DN. */
- if( op->o_conn->c_authz_backend &&
- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
+ /* Allow the manager to authorize as any DN in its own DBs. */
{
- rc = LDAP_SUCCESS;
- goto DONE;
+ Backend *zbe = select_backend( authzDN, 1 );
+ if ( zbe && be_isroot_dn( zbe, authcDN )) {
+ rc = LDAP_SUCCESS;
+ goto DONE;
+ }
}
/* Check source rules */
--
2.20.1 (Apple Git-117)
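Review bot: The rewritten manager check (L1043-L1047) silently falls through to the regular authz rules whenever `select_backend( authzDN, 1 )` returns NULL or the caller is not that backend's rootDN, but the only comment says what is allowed, not what happens otherwise. I would extend it: `/* Allow the manager to authorize as any DN in its own DBs; a rootDN of another DB (or an authzDN owned by no DB) is treated as a normal user and must pass the authz rules below. */`. The bare `{ ... }` block left over from the old `if` body now exists only to scope `zbe`; hoisting the declaration and dropping the braces would read more naturally. slap_sasl_authorized() begins and ends outside the hunk.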


@ -0,0 +1,102 @@
From eb5a58487b293358887a2b7f41ea1873abf55fa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Wed, 19 Jun 2019 18:47:32 +0200
Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
---
tests/data/idassert.out | 5 +++++
tests/data/slapd-idassert.conf | 1 +
tests/data/test-idassert1.ldif | 6 ++++++
tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
4 files changed, 36 insertions(+)
diff --git a/tests/data/idassert.out b/tests/data/idassert.out
index 53d76bb2e..fa51c25d6 100644
--- a/tests/data/idassert.out
+++ b/tests/data/idassert.out
@@ -4,6 +4,11 @@ objectClass: dcObject
o: Example, Inc.
dc: example
+dn: cn=Manager,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+
dn: ou=People,o=Example,c=US
objectClass: organizationalUnit
ou: People
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 88d66a36f..561c5ccc4 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
#######################################################################
authz-policy both
+authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
index 063d6ec45..3ccbd1a22 100644
--- a/tests/data/test-idassert1.ldif
+++ b/tests/data/test-idassert1.ldif
@@ -4,6 +4,12 @@ objectClass: dcObject
o: Example, Inc.
dc: example
+dn: cn=Manager,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+userPassword: secret
+
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index b1e16744a..9e5e10724 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -191,6 +191,17 @@ if test $RC != 0 ; then
exit $RC
fi
+AUTHZID="u:it/jaj"
+echo "Checking another DB's rootdn can't assert identity from another DB..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
+
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
ID="uid=jaj,ou=People,dc=example,dc=it"
BASE="o=Example,c=US"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
exit $RC
fi
+ ID="manager"
+ AUTHZID="u:it/jaj"
+ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
+ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
+ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
+
+ RC=$?
+ if test $RC != 50 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
echo "Filtering ldapsearch results..."
$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
--
2.20.1 (Apple Git-117)
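Review bot: In the first new block of tests/scripts/test028-idassert (L1120-L1124) the failure branch runs `exit $RC`, so if ldapwhoami unexpectedly succeeds (RC=0) the script exits 0 and the regression it is meant to catch goes undetected; the branch should end in `exit 1`. The SASL variant at L1139-L1143 has the same problem, and the follow-up patch in this commit ("ITS#9038 Another test028 typo") fixes only that one. The second hunk's context ends inside the `if test $USE_SASL != "no"` block, which continues outside the hunk.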


@ -0,0 +1,25 @@
From 15137bf76fc68f3c97c92ec0d2354d4dd0906348 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 27 Jun 2019 00:45:29 +0200
Subject: [PATCH] ITS#9038 Another test028 typo
---
tests/scripts/test028-idassert | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 564a615d2..dacd68d8f 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
if test $RC != 50 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ exit 1
fi
echo "Filtering ldapsearch results..."
--
2.20.1 (Apple Git-117)


@ -0,0 +1,128 @@
From 7a96c04e0f8bd325a00bd846ea3d244465474e2a Mon Sep 17 00:00:00 2001
From: William Brown <wbrown@suse.de>
Date: Thu, 30 Apr 2020 08:57:57 +1000
Subject: [PATCH] bsc#1170771 - limit depth of nested filters
Original Commit Message:
d38d48fc8f572dedfb67b9da61a2ba3b125ced91
[PATCH] ITS#9202 limit depth of nested filters
Using a hardcoded limit for now; no reasonable apps
should ever run into it.
---
servers/slapd/filter.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index e76dc08..95a20fe 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -37,11 +37,16 @@
const Filter *slap_filter_objectClass_pres;
const struct berval *slap_filterstr_objectClass_pres;
+#ifndef SLAPD_MAX_FILTER_DEPTH
+#define SLAPD_MAX_FILTER_DEPTH 5000
+#endif
+
static int get_filter_list(
Operation *op,
BerElement *ber,
Filter **f,
- const char **text );
+ const char **text,
+ int depth );
static int get_ssa(
Operation *op,
@@ -80,12 +85,13 @@ filter_destroy( void )
return;
}
-int
-get_filter(
+static int
+get_filter0(
Operation *op,
BerElement *ber,
Filter **filt,
- const char **text )
+ const char **text,
+ int depth )
{
ber_tag_t tag;
ber_len_t len;
@@ -126,6 +132,11 @@ get_filter(
*
*/
+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+ *text = "filter nested too deeply";
+ return SLAPD_DISCONNECT;
+ }
+
tag = ber_peek_tag( ber, &len );
if( tag == LBER_ERROR ) {
@@ -221,7 +232,7 @@ get_filter(
case LDAP_FILTER_AND:
Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
- err = get_filter_list( op, ber, &f.f_and, text );
+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
if ( err != LDAP_SUCCESS ) {
break;
}
@@ -234,7 +245,7 @@ get_filter(
case LDAP_FILTER_OR:
Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
- err = get_filter_list( op, ber, &f.f_or, text );
+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
if ( err != LDAP_SUCCESS ) {
break;
}
@@ -248,7 +259,7 @@ get_filter(
case LDAP_FILTER_NOT:
Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
- err = get_filter( op, ber, &f.f_not, text );
+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
if ( err != LDAP_SUCCESS ) {
break;
}
@@ -311,10 +322,21 @@ get_filter(
return( err );
}
+int
+get_filter(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+ const char **text )
+{
+ return get_filter0( op, ber, filt, text, 0 );
+}
+
static int
get_filter_list( Operation *op, BerElement *ber,
Filter **f,
- const char **text )
+ const char **text,
+ int depth )
{
Filter **new;
int err;
@@ -328,7 +350,7 @@ get_filter_list( Operation *op, BerElement *ber,
tag != LBER_DEFAULT;
tag = ber_next_element( ber, &len, last ) )
{
- err = get_filter( op, ber, new, text );
+ err = get_filter0( op, ber, new, text, depth );
if ( err != LDAP_SUCCESS )
return( err );
new = &(*new)->f_next;
--
2.26.2
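Review bot: `SLAPD_MAX_FILTER_DEPTH` (L1198-L1200) is introduced without a comment, and the depth check in get_filter0() (L1230-L1233) does not say why it disconnects instead of returning a protocol error. Since get_filter0() recurses through get_filter_list() for AND/OR and directly for NOT, each nesting level costs another stack frame, so I would document the constant: `/* Bound on filter nesting. get_filter0() recurses once per level (AND/OR/NOT), so this caps per-request stack use from a client-supplied filter. Overridable at build time. */`. Whether 5000 levels fit the thread stack size slapd is built with is not something I can confirm from this hunk and is worth checking. get_filter0() and get_filter_list() both extend beyond their hunks.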


@ -0,0 +1,224 @@
From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 10 Jan 2020 18:35:02 +0100
Subject: [PATCH] Use OpenSSL API to verify host
Replace custom hostname and IP address verification with OpenSSL 1.0.2
APIs.
---
libraries/libldap/tls_o.c | 184 ++++++--------------------------------
1 file changed, 28 insertions(+), 156 deletions(-)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index e52c5507c..5adf7b74f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
return 0;
}
-/* what kind of hostname were we given? */
-#define IS_DNS 0
-#define IS_IP4 1
-#define IS_IP6 2
-
static int
tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
- int i, ret = LDAP_LOCAL_ERROR;
+ int ret = LDAP_LOCAL_ERROR;
X509 *x;
const char *name;
- char *ptr;
- int ntype = IS_DNS, nlen;
-#ifdef LDAP_PF_INET6
- struct in6_addr addr;
-#else
- struct in_addr addr;
-#endif
+ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+ ASN1_OCTET_STRING *ip;
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
} else {
name = name_in;
}
- nlen = strlen(name);
x = tlso_get_cert(s);
if (!x) {
@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
return LDAP_SUCCESS;
}
-#ifdef LDAP_PF_INET6
- if (inet_pton(AF_INET6, name, &addr)) {
- ntype = IS_IP6;
- } else
-#endif
- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
- }
-
- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
- if (i >= 0) {
- X509_EXTENSION *ex;
- STACK_OF(GENERAL_NAME) *alt;
-
- ex = X509_get_ext(x, i);
- alt = X509V3_EXT_d2i(ex);
- if (alt) {
- int n, len2 = 0;
- char *domain = NULL;
- GENERAL_NAME *gn;
-
- if (ntype == IS_DNS) {
- domain = strchr(name, '.');
- if (domain) {
- len2 = nlen - (domain-name);
- }
- }
- n = sk_GENERAL_NAME_num(alt);
- for (i=0; i<n; i++) {
- char *sn;
- int sl;
- gn = sk_GENERAL_NAME_value(alt, i);
- if (gn->type == GEN_DNS) {
- if (ntype != IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
- /* ignore empty */
- if (sl == 0) continue;
-
- /* Is this an exact match? */
- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
- break;
- }
-
- /* Is this a wildcard match? */
- if (domain && (sn[0] == '*') && (sn[1] == '.') &&
- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
- {
- break;
- }
-
- } else if (gn->type == GEN_IPADD) {
- if (ntype == IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
-#ifdef LDAP_PF_INET6
- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
- continue;
- } else
-#endif
- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
- continue;
- }
- if (!memcmp(sn, &addr, sl)) {
- break;
- }
- }
- }
-
- GENERAL_NAMES_free(alt);
- if (i < n) { /* Found a match */
- ret = LDAP_SUCCESS;
- }
- }
- }
-
- if (ret != LDAP_SUCCESS) {
- X509_NAME *xn;
- X509_NAME_ENTRY *ne;
- ASN1_OBJECT *obj;
- ASN1_STRING *cn = NULL;
- int navas;
-
- /* find the last CN */
- obj = OBJ_nid2obj( NID_commonName );
- if ( !obj ) goto no_cn; /* should never happen */
-
- xn = X509_get_subject_name(x);
- navas = X509_NAME_entry_count( xn );
- for ( i=navas-1; i>=0; i-- ) {
- ne = X509_NAME_get_entry( xn, i );
- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
- cn = X509_NAME_ENTRY_get_data( ne );
- break;
- }
+ /* attempt to encode name as IP address */
+ ip = a2i_IPADDRESS(name);
+ if (ip == NULL) {
+ ERR_clear_error();
+ /* it's a hostname */
+ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
+ ret = LDAP_SUCCESS;
}
-
- if( !cn )
- {
-no_cn:
- Debug( LDAP_DEBUG_ANY,
- "TLS: unable to get common name from peer certificate.\n",
- 0, 0, 0 );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: unable to get CN from peer certificate"));
-
- } else if ( cn->length == nlen &&
- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ } else {
+ /* It's an IPv4 or IPv6 address */
+ if (X509_check_ip(x, ASN1_STRING_data(ip),
+ ASN1_STRING_length(ip), 0) == 1) {
ret = LDAP_SUCCESS;
-
- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
- char *domain = strchr(name, '.');
- if( domain ) {
- int dlen;
-
- dlen = nlen - (domain-name);
-
- /* Is this a wildcard match? */
- if ((dlen == cn->length-1) &&
- !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
- ret = LDAP_SUCCESS;
- }
- }
}
+ ASN1_OCTET_STRING_free(ip);
+ }
- if( ret == LDAP_LOCAL_ERROR ) {
- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
- "common name in certificate (%.*s).\n",
- name, cn->length, cn->data );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ if( ret == LDAP_LOCAL_ERROR ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "peer certificate.\n", name, 0, 0);
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
}
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match peer certificate"));
}
X509_free(x);
return ret;
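Review bot: The hunk headers in this patch are not in ascending order as rendered here — `@@ -660,25 +660,15 @@` and `@@ -687,7 +677,6 @@` are followed by `@@ -619,150 +619,32 @@` (L1346) — so GNU patch will most likely reject the file as having misordered hunks, and the offsets need regenerating from the real source tree before this can apply. Separately, the new code depends on `X509_check_host` and `X509_check_ip` (L1453, L1474), which the commit message ties to OpenSSL 1.0.2, yet no `OPENSSL_VERSION_NUMBER` guard or configure check is visible, so a build against an older library fails to compile; if the package already requires 1.0.2 or newer, a one-line comment at L1335 would make that explicit, e.g. `/* requires OpenSSL >= 1.0.2 (X509_check_host/X509_check_ip) */`. tlso_session_chkhost() starts before the hunk.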


@ -0,0 +1,27 @@
From e26672d296d67457d77a49c482e900f416b15dfd Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 19 Oct 2020 14:03:41 +0100
Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
Just skip normalization if there's no equality rule. We accept
DNs without equality rules already.
---
servers/slapd/modrdn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index 77eaa68..6f176e8 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
@@ -494,7 +494,7 @@ slap_modrdn2mods(
mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
mod_tmp->sml_values[1].bv_val = NULL;
- if( desc->ad_type->sat_equality->smr_normalize) {
+ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
(void) (*desc->ad_type->sat_equality->smr_normalize)(
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
--
2.29.2


@ -0,0 +1,252 @@
From 76fea1fa8f4fe3b546596a6b63831cacb33c73aa Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 23 Nov 2020 05:14:30 +0000
Subject: [PATCH] ITS#9400 back-ldap: fix retry binds
Regression from fix for ITS#7403
ITS#9400 back-ldap: fix prev commit
ITS#9400 Added test case for back-ldap retry failure
---
servers/slapd/back-ldap/bind.c | 2 +-
tests/data/regressions/its9400/its9400 | 161 ++++++++++++++++++
.../its9400/slapd-proxy-idassert.conf | 45 +++++
3 files changed, 207 insertions(+), 1 deletion(-)
create mode 100755 tests/data/regressions/its9400/its9400
create mode 100644 tests/data/regressions/its9400/slapd-proxy-idassert.conf
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 621cd2c8c..e6a3db144 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2102,7 +2102,7 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
}
if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
- if ( op->o_tag == LDAP_REQ_BIND ) {
+ if ( op->o_tag == LDAP_REQ_BIND && ( sendok & LDAP_BACK_SENDERR )) {
if ( !BER_BVISEMPTY( &ndn )) {
dobind = 0;
goto done;
diff --git a/tests/data/regressions/its9400/its9400 b/tests/data/regressions/its9400/its9400
new file mode 100755
index 000000000..ae0c5258b
--- /dev/null
+++ b/tests/data/regressions/its9400/its9400
@@ -0,0 +1,161 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9400
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+cp -r $DATADIR/tls $TESTDIR
+
+echo "This test checks that back-ldap does retry binds after the remote LDAP server"
+echo "has abruptly disconnected the (idle) LDAP connection."
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $CONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+
+
+#
+# Start ldapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy-idassert.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+ echo PROXYPID $PROXYPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+sleep 1
+
+
+#
+# Successful searches
+#
+
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+ -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+ -H $URI2 \
+ -w "bjensen" \
+ 'objectclass=*' > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \
+ 'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+
+#
+# Now kill the remote slapd that is being proxied for.
+# This will invalidate the current TCP connections that proxy has to remote.
+#
+echo "Killing remote server"
+kill $SERVERPID
+sleep 1
+
+echo "Re-starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+sleep 2
+
+
+echo "-------------------------------------------------" >> $TESTOUT
+echo "Searches after remote slapd server has restarted:" >> $TESTOUT
+echo "-------------------------------------------------" >> $TESTOUT
+
+#
+# Successful search
+#
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+ -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+ -H $URI2 \
+ -w "bjensen" \
+ 'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+#
+# UNSUCCESFUL SEARCH
+#
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \
+ 'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
diff --git a/tests/data/regressions/its9400/slapd-proxy-idassert.conf b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
new file mode 100644
index 000000000..b1f3c6626
--- /dev/null
+++ b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
@@ -0,0 +1,45 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+pidfile @TESTDIR@/slapd.m.pid
+argsfile @TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+# here the proxy is not only acting as a proxy, but it also has a local database dc=local,dc=com"
+database @BACKEND@
+suffix "dc=local,dc=com"
+rootdn "cn=Manager,dc=local,dc=com"
+rootpw "secret"
+#~null~#directory @TESTDIR@/db.2.a
+
+# Configure proxy
+# - normal user binds to "*,dc=example,dc=com" are proxied through to the remote slapd
+# - admin bind to local "cn=Manager,dc=local,dc=com" is overwritten by using idassert-bind
+database ldap
+uri "@URI1@"
+suffix "dc=example,dc=com"
+idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret"
+idassert-authzFrom "dn.exact:cn=Manager,dc=local,dc=com"
+rebind-as-user yes
+
+database monitor
--
2.24.3 (Apple Git-128)
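Review bot: The header comment `# UNSUCCESFUL SEARCH` (L1720-L1722) in the new its9400 script contradicts the block beneath it, which treats a non-zero exit as a test failure and so expects the idassert search to succeed; it reads like the pre-fix symptom rather than the expectation, and also misspells the word. I would replace it with `# Search that failed before the ITS#9400 fix: the proxy must rebind after the remote restarted, so it has to succeed now`. The one-line C change in bind.c (L1570) likewise deserves a why-comment, since `sendok & LDAP_BACK_SENDERR` is not self-explanatory; if the intent is what the test implies, something like `/* only short-circuit the bind when we answer the client directly; an internal retry must still rebind */`, marked as an assumption until confirmed against the definition of sendok. The restarted remote server is given only `sleep 2` (L1697) before the searches resume, which may be racy on slow CI hosts.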


@ -0,0 +1,26 @@
From 0b4c1bbb77a75e6139e9d9e7c84c90fb650408e3 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 2 Nov 2020 13:12:10 +0000
Subject: [PATCH 1/2] ITS#9383 remove assert in certificateListValidate
---
servers/slapd/schema_init.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 6a512a286..cd979cc5a 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
/* Optional version */
if ( tag == LBER_INTEGER ) {
tag = ber_get_int( ber, &version );
- assert( tag == LBER_INTEGER );
- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
}
tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
--
2.29.2


@ -0,0 +1,27 @@
From 5482b878d90a9ee163a823ccc17b537bdb70aae7 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 2 Nov 2020 16:01:14 +0000
Subject: [PATCH 2/2] ITS#9384 remove assert in obsolete csnNormalize23()
---
servers/slapd/schema_init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index cd979cc5a..d6a54ad0b 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -5315,8 +5315,8 @@ csnNormalize23(
}
*ptr = '\0';
- assert( ptr == &bv.bv_val[bv.bv_len] );
- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ if ( ptr != &bv.bv_val[bv.bv_len] ||
+ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
return LDAP_INVALID_SYNTAX;
}
--
2.29.2


@ -0,0 +1,25 @@
From 49dd15ba74283e40ec296237af45862d795c75ad Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 6 Feb 2021 20:52:06 +0000
Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
---
servers/slapd/schema_init.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index d6a54ad0b..3c5ee3dad 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3887,6 +3887,8 @@ issuerAndThisUpdateCheck(
break;
}
}
+ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
+
x.bv_val += tu->bv_len + 1;
x.bv_len -= tu->bv_len + 1;
--
2.30.0


@ -0,0 +1,58 @@
From 02e18c2f80eb89ef9dbab323a1c4301e713c8b79 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 23 Nov 2020 17:14:00 +0000
Subject: [PATCH 212/224] ITS#9404 fix serialNumberAndIssuerCheck
Tighten validity checks
---
servers/slapd/schema_init.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 3c5ee3dad..f9200d362 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3189,7 +3189,7 @@ serialNumberAndIssuerCheck(
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+ if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
is->bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
@@ -3220,7 +3220,7 @@ serialNumberAndIssuerCheck(
HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
} have = HAVE_NONE;
- int numdquotes = 0;
+ int numdquotes = 0, gotquote;
struct berval x = *in;
struct berval ni;
x.bv_val++;
@@ -3262,11 +3262,12 @@ serialNumberAndIssuerCheck(
is->bv_val = x.bv_val;
is->bv_len = 0;
- for ( ; is->bv_len < x.bv_len; ) {
+ for ( gotquote=0; is->bv_len < x.bv_len; ) {
if ( is->bv_val[is->bv_len] != '"' ) {
is->bv_len++;
continue;
}
+ gotquote = 1;
if ( is->bv_val[is->bv_len+1] == '"' ) {
/* double dquote */
numdquotes++;
@@ -3275,6 +3276,8 @@ serialNumberAndIssuerCheck(
}
break;
}
+ if ( !gotquote ) return LDAP_INVALID_SYNTAX;
+
x.bv_val += is->bv_len + 1;
x.bv_len -= is->bv_len + 1;
--
2.30.0


@ -0,0 +1,69 @@
From f691c1bc5e7a3166a8c371974f8d920a99bae298 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 27 Nov 2020 14:37:10 +0000
Subject: [PATCH 213/224] ITS#9406, #9407 remove saslauthz asserts
---
servers/slapd/saslauthz.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 1245efc6c..bb99f5283 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -180,14 +180,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
}
if ( !BER_BVISNULL( mech ) ) {
- assert( mech->bv_val == id->bv_val + 2 );
+ if ( mech->bv_val != id->bv_val + 2 )
+ return LDAP_PROTOCOL_ERROR;
AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
mech->bv_val -= 2;
}
if ( !BER_BVISNULL( realm ) ) {
- assert( realm->bv_val >= id->bv_val + 2 );
+ if ( realm->bv_val < id->bv_val + 2 )
+ return LDAP_PROTOCOL_ERROR;
AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
realm->bv_val -= 2;
@@ -449,9 +451,12 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
}
/* Grab the searchbase */
- assert( ludp->lud_dn != NULL );
- ber_str2bv( ludp->lud_dn, 0, 0, &bv );
- rc = dnValidate( NULL, &bv );
+ if ( ludp->lud_dn != NULL ) {
+ ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+ rc = dnValidate( NULL, &bv );
+ } else {
+ rc = LDAP_INVALID_SYNTAX;
+ }
done:
ldap_free_urldesc( ludp );
@@ -813,7 +818,6 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
}
/* Grab the searchbase */
- assert( ludp->lud_dn != NULL );
if ( ludp->lud_dn ) {
struct berval out = BER_BVNULL;
@@ -831,6 +835,9 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
}
ludp->lud_dn = out.bv_val;
+ } else {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
}
ludp->lud_port = 0;
--
2.30.0


@ -0,0 +1,33 @@
From 6f896a9db19cd48df25fddc3bec4ab358f3a82f7 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 27 Nov 2020 14:48:26 +0000
Subject: [PATCH 214/224] ITS#9406 fix debug msg
---
servers/slapd/saslauthz.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index bb99f5283..f424028ff 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -488,6 +488,7 @@ authzPrettyNormal(
assert( val != NULL );
assert( !BER_BVISNULL( val ) );
+ BER_BVZERO( normalized );
/*
* 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
@@ -906,7 +907,7 @@ authzPretty(
rc = authzPrettyNormal( val, out, ctx, 0 );
Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
- out->bv_val, rc, 0 );
+ out->bv_val ? out->bv_val : "(null)" , rc, 0 );
return rc;
}
--
2.30.0


@ -0,0 +1,28 @@
From b4f0b6d88fa165de73e2418894038c2d24cee0a8 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 28 Nov 2020 15:54:17 +0000
Subject: [PATCH 215/224] ITS#9408 fix vrfilter double-free
---
servers/slapd/controls.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index b8edd39bc..50a358b07 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -1578,7 +1578,10 @@ static int parseValuesReturnFilter (
} else {
send_ldap_result( op, rs );
}
- if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
+ if( op->o_vrFilter != NULL) {
+ vrFilter_free( op, op->o_vrFilter );
+ op->o_vrFilter = NULL;
+ }
}
#ifdef LDAP_DEBUG
else {
--
2.30.0


@ -0,0 +1,25 @@
From 6eda12deab86a523a0eee8d395a83adacfe35d28 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 30 Nov 2020 11:45:46 +0000
Subject: [PATCH 216/224] ITS#9409 saslauthz: use ch_free on normalized DN
---
servers/slapd/saslauthz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index f424028ff..6001a5cbe 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -860,7 +860,7 @@ done:
if ( lud_dn ) {
if ( ludp->lud_dn != lud_dn ) {
- ber_memfree( ludp->lud_dn );
+ ch_free( ludp->lud_dn );
}
ludp->lud_dn = lud_dn;
}
--
2.30.0


@ -0,0 +1,25 @@
From 5d7ac6942c4e42a330b8874b71338b11a79c7051 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 30 Nov 2020 16:20:18 +0000
Subject: [PATCH 217/224] ITS#9409 saslauthz: use slap_sl_free in prev commit
---
servers/slapd/saslauthz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 6001a5cbe..19c058cbf 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -860,7 +860,7 @@ done:
if ( lud_dn ) {
if ( ludp->lud_dn != lud_dn ) {
- ch_free( ludp->lud_dn );
+ slap_sl_free( ludp->lud_dn, ctx );
}
ludp->lud_dn = lud_dn;
}
--
2.30.0


@ -0,0 +1,42 @@
From ef319e3bfd3c092a6a64d43a1f4a5a86a9aa1b58 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 1 Dec 2020 18:32:35 +0000
Subject: [PATCH 218/224] ITS#9412 fix AVA_Sort on invalid RDN
---
servers/slapd/dn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index c3465498d..4ac6cf313 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -233,6 +233,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
{
LDAPAVA *ava_i;
int i;
+ int rc = LDAP_SUCCESS;
assert( rdn != NULL );
@@ -250,7 +251,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
/* RFC4512 does not allow multiple AVAs
* with the same attribute type in RDN (ITS#5968) */
if ( a == 0 )
- return LDAP_INVALID_DN_SYNTAX;
+ rc = LDAP_INVALID_DN_SYNTAX;
if ( a > 0 )
break;
@@ -259,7 +260,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
}
rdn[ j+1 ] = ava_i;
}
- return LDAP_SUCCESS;
+ return rc;
}
static int
--
2.30.0
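Review bot: Turning `return LDAP_INVALID_DN_SYNTAX` into `rc = LDAP_INVALID_DN_SYNTAX` (L2121) changes AVA_Sort() from aborting on the first duplicate attribute type to finishing the sort and reporting afterwards, but nothing in the hunk records why, and the next reader may well "optimise" it back. A comment at the assignment would preserve the intent, e.g. `/* ITS#9412: don't bail out mid-sort -- leave the RDN fully ordered so the caller can still free/inspect it, then report the error */`, phrased as an assumption if the caller's exact requirement differs from that. AVA_Sort()'s body is cut by the hunks.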


@ -0,0 +1,38 @@
From b4248eeda7ebb2c62266c34128caba5c14e4bc67 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 1 Dec 2020 19:03:24 +0000
Subject: [PATCH 219/224] ITS#9413 fix slap_parse_user
---
servers/slapd/saslauthz.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 19c058cbf..629280efe 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -156,10 +156,9 @@ int slap_parse_user( struct berval *id, struct berval *user,
user->bv_val++;
user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
- mech->bv_val = ber_bvchr( id, '.' );
- if ( !BER_BVISNULL( mech ) ) {
- mech->bv_val[ 0 ] = '\0';
- mech->bv_val++;
+ if ( id->bv_val[1] == '.' ) {
+ id->bv_val[1] = '\0';
+ mech->bv_val = id->bv_val + 2;
mech->bv_len = user->bv_val - mech->bv_val - 1;
realm->bv_val = ber_bvchr( mech, '/' );
@@ -172,6 +171,7 @@ int slap_parse_user( struct berval *id, struct berval *user,
}
} else {
+ BER_BVZERO( mech );
BER_BVZERO( realm );
}
--
2.30.0
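Review bot: The new test `if ( id->bv_val[1] == '.' )` reads the second byte of id unconditionally, so it depends on an earlier length check in slap_parse_user guaranteeing id->bv_len is at least 2; that check is outside the hunk and should be confirmed, because a berval is not necessarily NUL-terminated and a one-byte id would otherwise be read past its end. A short comment on the new condition stating the layout it expects (the mechanism introducer is the single byte before the '.') would also make the replacement of the whole-string `ber_bvchr` search understandable to the next reader. The `mech->bv_len = user->bv_val - mech->bv_val - 1` arithmetic is kept from the old code and still assumes the ':' found earlier lies after the mechanism; the enclosing function starts outside the hunk.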


@ -0,0 +1,48 @@
From bd843f03d4137756b1d1ba0695cb583fbe91d905 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sun, 13 Dec 2020 21:48:45 +0000
Subject: [PATCH 220/224] ITS#9423 ldap_X509dn2bv: check for invalid BER after
RDN count
---
libraries/libldap/tls2.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190ea..c642469d9 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1220,6 +1220,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
}
}
+ /* Rewind and prepare to extract */
+ ber_rewind( ber );
+ tag = ber_first_element( ber, &len, &dn_end );
+ if ( tag == LBER_DEFAULT )
+ return LDAP_DECODING_ERROR;
+
/* Allocate the DN/RDN/AVA stuff as a single block */
dnsize = sizeof(LDAPRDN) * (nrdns+1);
dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
@@ -1231,16 +1237,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
} else {
newDN = (LDAPDN)(char *)ptrs;
}
-
+
newDN[nrdns] = NULL;
newRDN = (LDAPRDN)(newDN + nrdns+1);
newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
baseAVA = newAVA;
- /* Rewind and start extracting */
- ber_rewind( ber );
-
- tag = ber_first_element( ber, &len, &dn_end );
for ( i = nrdns - 1; i >= 0; i-- ) {
newDN[i] = newRDN;
--
2.30.0


@ -0,0 +1,25 @@
From a1b3d529c7cb26ca94ee4450a55773130c6ed9a4 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 14 Dec 2020 19:03:27 +0000
Subject: [PATCH 221/224] ITS#9424 fix serialNumberAndIssuerSerialCheck
---
servers/slapd/schema_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index f9200d362..00f0d3b8c 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -4291,7 +4291,7 @@ serialNumberAndIssuerSerialCheck(
if ( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
/* no old format */
- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
x.bv_val++;
x.bv_len -= 2;
--
2.30.0


@ -0,0 +1,45 @@
From 959971b245f1676a2aa4d25d3a1d1898eda5b0a7 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 14 Dec 2020 20:05:44 +0000
Subject: [PATCH 222/224] ITS#9425 add more checks to ldap_X509dn2bv
---
libraries/libldap/tls2.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index c642469d9..16c9d0487 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1214,6 +1214,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
for ( tag = ber_first_element( ber, &len, &rdn_end );
tag == LBER_SEQUENCE;
tag = ber_next_element( ber, &len, rdn_end )) {
+ if ( rdn_end > dn_end )
+ return LDAP_DECODING_ERROR;
tag = ber_skip_tag( ber, &len );
ber_skip_data( ber, len );
navas++;
@@ -1223,7 +1225,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
/* Rewind and prepare to extract */
ber_rewind( ber );
tag = ber_first_element( ber, &len, &dn_end );
- if ( tag == LBER_DEFAULT )
+ if ( tag != LBER_SET )
return LDAP_DECODING_ERROR;
/* Allocate the DN/RDN/AVA stuff as a single block */
@@ -1336,6 +1338,10 @@ allocd:
/* X.690 bitString value converted to RFC4517 Bit String */
rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
goto allocd;
+ case LBER_DEFAULT:
+ /* decode error */
+ rc = LDAP_DECODING_ERROR;
+ goto nomem;
default:
/* Not a string type at all */
newAVA->la_flags = 0;
--
2.30.0


@ -0,0 +1,25 @@
From 4b2578c5b2cdb4563c53bda3479839a255261750 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 16 Dec 2020 18:52:42 +0000
Subject: [PATCH 223/224] ITS#9427 fix issuerAndThisUpdateCheck
---
servers/slapd/schema_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 00f0d3b8c..d0a2ebd3d 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3799,7 +3799,7 @@ issuerAndThisUpdateCheck(
if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
return LDAP_INVALID_SYNTAX;
}
--
2.30.0


@ -0,0 +1,28 @@
From 94ec55f8ad7f71d820906b9a2b18f42c06980fb3 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sun, 20 Dec 2020 21:31:15 +0000
Subject: [PATCH 224/224] ITS#9428 fix cancel exop
---
servers/slapd/cancel.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/cancel.c b/servers/slapd/cancel.c
index a7bbb5350..822c00965 100644
--- a/servers/slapd/cancel.c
+++ b/servers/slapd/cancel.c
@@ -64,6 +64,11 @@ int cancel_extop( Operation *op, SlapReply *rs )
return LDAP_PROTOCOL_ERROR;
}
+ if ( opid == op->o_msgid ) {
+ op->o_cancel = SLAP_CANCEL_DONE;
+ return LDAP_SUCCESS;
+ }
+
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if ( op->o_abandon ) {
--
2.30.0


@ -0,0 +1,417 @@
From 60e0f25d7c0b09023118577acb973d664c8469b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Tue, 28 Mar 2017 15:32:27 +0100
Subject: [PATCH 225/230] ITS#8625 Separate Avlnode and TAvlnode types
Switch AVL_CHILD/AVL_THREAD values and set Avlnode bits to AVL_CHILD for
better compatibility between avl and tavl as suggested by Howard.
---
include/avl.h | 39 ++++++++++++++++-----------
libraries/liblutil/avl.c | 2 ++
libraries/liblutil/tavl.c | 40 ++++++++++++++--------------
libraries/liblutil/testtavl.c | 10 +++----
servers/slapd/back-mdb/back-mdb.h | 2 +-
servers/slapd/back-mdb/tools.c | 4 +--
servers/slapd/overlays/pcache.c | 6 ++---
servers/slapd/overlays/sssvlv.c | 12 ++++-----
servers/slapd/overlays/translucent.c | 4 +--
9 files changed, 64 insertions(+), 55 deletions(-)
diff --git a/include/avl.h b/include/avl.h
index 4c9efecb6..e811648a7 100644
--- a/include/avl.h
+++ b/include/avl.h
@@ -50,9 +50,16 @@ struct avlnode {
#define avl_lbit avl_bits[0]
#define avl_rbit avl_bits[1]
-#ifdef AVL_INTERNAL
+typedef struct tavlnode TAvlnode;
-#define NULLAVL ((Avlnode *) NULL)
+struct tavlnode {
+ void* avl_data;
+ struct tavlnode *avl_link[2];
+ char avl_bits[2];
+ signed char avl_bf;
+};
+
+#ifdef AVL_INTERNAL
/* balance factor values */
#define LH (-1)
@@ -62,8 +69,8 @@ struct avlnode {
#define avl_bf2str(bf) ((bf) == -1 ? "LH" : (bf) == 0 ? "EH" : (bf) == 1 ? "RH" : "(unknown)" )
/* thread bits */
-#define AVL_THREAD 0
-#define AVL_CHILD 1
+#define AVL_CHILD 0
+#define AVL_THREAD 1
/* avl routines */
#define avl_getone(x) ((x) == 0 ? 0 : (x)->avl_data)
@@ -120,31 +127,31 @@ LDAP_AVL_F( int )
avl_prefixapply LDAP_P((Avlnode *, void*, AVL_CMP, void*, AVL_CMP, void*, int));
LDAP_AVL_F( int )
-tavl_free LDAP_P(( Avlnode *root, AVL_FREE dfree ));
+tavl_free LDAP_P(( TAvlnode *root, AVL_FREE dfree ));
LDAP_AVL_F( int )
-tavl_insert LDAP_P((Avlnode **, void*, AVL_CMP, AVL_DUP));
+tavl_insert LDAP_P((TAvlnode **, void*, AVL_CMP, AVL_DUP));
LDAP_AVL_F( void* )
-tavl_delete LDAP_P((Avlnode **, void*, AVL_CMP));
+tavl_delete LDAP_P((TAvlnode **, void*, AVL_CMP));
LDAP_AVL_F( void* )
-tavl_find LDAP_P((Avlnode *, const void*, AVL_CMP));
+tavl_find LDAP_P((TAvlnode *, const void*, AVL_CMP));
-LDAP_AVL_F( Avlnode* )
-tavl_find2 LDAP_P((Avlnode *, const void*, AVL_CMP));
+LDAP_AVL_F( TAvlnode* )
+tavl_find2 LDAP_P((TAvlnode *, const void*, AVL_CMP));
-LDAP_AVL_F( Avlnode* )
-tavl_find3 LDAP_P((Avlnode *, const void*, AVL_CMP, int *ret));
+LDAP_AVL_F( TAvlnode* )
+tavl_find3 LDAP_P((TAvlnode *, const void*, AVL_CMP, int *ret));
#define TAVL_DIR_LEFT 0
#define TAVL_DIR_RIGHT 1
-LDAP_AVL_F( Avlnode* )
-tavl_end LDAP_P((Avlnode *, int direction ));
+LDAP_AVL_F( TAvlnode* )
+tavl_end LDAP_P((TAvlnode *, int direction));
-LDAP_AVL_F( Avlnode* )
-tavl_next LDAP_P((Avlnode *, int direction ));
+LDAP_AVL_F( TAvlnode* )
+tavl_next LDAP_P((TAvlnode *, int direction));
/* apply traversal types */
#define AVL_PREORDER 1
diff --git a/libraries/liblutil/avl.c b/libraries/liblutil/avl.c
index 8cd88b132..62747a2d4 100644
--- a/libraries/liblutil/avl.c
+++ b/libraries/liblutil/avl.c
@@ -81,6 +81,7 @@ avl_insert( Avlnode ** root, void *data, AVL_CMP fcmp, AVL_DUP fdup )
}
r->avl_link[0] = r->avl_link[1] = NULL;
r->avl_data = data;
+ r->avl_bits[0] = r->avl_bits[1] = AVL_CHILD;
r->avl_bf = EH;
*root = r;
@@ -105,6 +106,7 @@ avl_insert( Avlnode ** root, void *data, AVL_CMP fcmp, AVL_DUP fdup )
}
q->avl_link[0] = q->avl_link[1] = NULL;
q->avl_data = data;
+ q->avl_bits[0] = q->avl_bits[1] = AVL_CHILD;
q->avl_bf = EH;
p->avl_link[cmp] = q;
diff --git a/libraries/liblutil/tavl.c b/libraries/liblutil/tavl.c
index 320ffaa26..0a9e49bc7 100644
--- a/libraries/liblutil/tavl.c
+++ b/libraries/liblutil/tavl.c
@@ -60,13 +60,13 @@ static const int avl_bfs[] = {LH, RH};
* NOTE: this routine may malloc memory
*/
int
-tavl_insert( Avlnode ** root, void *data, AVL_CMP fcmp, AVL_DUP fdup )
+tavl_insert( TAvlnode ** root, void *data, AVL_CMP fcmp, AVL_DUP fdup )
{
- Avlnode *t, *p, *s, *q, *r;
+ TAvlnode *t, *p, *s, *q, *r;
int a, cmp, ncmp;
if ( *root == NULL ) {
- if (( r = (Avlnode *) ber_memalloc( sizeof( Avlnode ))) == NULL ) {
+ if (( r = (TAvlnode *) ber_memalloc( sizeof( TAvlnode ))) == NULL ) {
return( -1 );
}
r->avl_link[0] = r->avl_link[1] = NULL;
@@ -91,7 +91,7 @@ tavl_insert( Avlnode ** root, void *data, AVL_CMP fcmp, AVL_DUP fdup )
q = avl_child( p, cmp );
if (q == NULL) {
/* insert */
- if (( q = (Avlnode *) ber_memalloc( sizeof( Avlnode ))) == NULL ) {
+ if (( q = (TAvlnode *) ber_memalloc( sizeof( TAvlnode ))) == NULL ) {
return( -1 );
}
q->avl_link[cmp] = p->avl_link[cmp];
@@ -187,13 +187,13 @@ tavl_insert( Avlnode ** root, void *data, AVL_CMP fcmp, AVL_DUP fdup )
}
void*
-tavl_delete( Avlnode **root, void* data, AVL_CMP fcmp )
+tavl_delete( TAvlnode **root, void* data, AVL_CMP fcmp )
{
- Avlnode *p, *q, *r, *top;
+ TAvlnode *p, *q, *r, *top;
int side, side_bf, shorter, nside = -1;
/* parent stack */
- Avlnode *pptr[MAX_TREE_DEPTH];
+ TAvlnode *pptr[MAX_TREE_DEPTH];
unsigned char pdir[MAX_TREE_DEPTH];
int depth = 0;
@@ -424,7 +424,7 @@ tavl_delete( Avlnode **root, void* data, AVL_CMP fcmp )
*/
int
-tavl_free( Avlnode *root, AVL_FREE dfree )
+tavl_free( TAvlnode *root, AVL_FREE dfree )
{
int nleft, nright;
@@ -450,15 +450,15 @@ tavl_free( Avlnode *root, AVL_FREE dfree )
*/
/*
- * tavl_find2 - returns Avlnode instead of data pointer.
- * tavl_find3 - as above, but returns Avlnode even if no match is found.
+ * tavl_find2 - returns TAvlnode instead of data pointer.
+ * tavl_find3 - as above, but returns TAvlnode even if no match is found.
* also set *ret = last comparison result, or -1 if root == NULL.
*/
-Avlnode *
-tavl_find3( Avlnode *root, const void *data, AVL_CMP fcmp, int *ret )
+TAvlnode *
+tavl_find3( TAvlnode *root, const void *data, AVL_CMP fcmp, int *ret )
{
int cmp = -1, dir;
- Avlnode *prev = root;
+ TAvlnode *prev = root;
while ( root != 0 && (cmp = (*fcmp)( data, root->avl_data )) != 0 ) {
prev = root;
@@ -469,8 +469,8 @@ tavl_find3( Avlnode *root, const void *data, AVL_CMP fcmp, int *ret )
return root ? root : prev;
}
-Avlnode *
-tavl_find2( Avlnode *root, const void *data, AVL_CMP fcmp )
+TAvlnode *
+tavl_find2( TAvlnode *root, const void *data, AVL_CMP fcmp )
{
int cmp;
@@ -482,7 +482,7 @@ tavl_find2( Avlnode *root, const void *data, AVL_CMP fcmp )
}
void*
-tavl_find( Avlnode *root, const void* data, AVL_CMP fcmp )
+tavl_find( TAvlnode *root, const void* data, AVL_CMP fcmp )
{
int cmp;
@@ -495,8 +495,8 @@ tavl_find( Avlnode *root, const void* data, AVL_CMP fcmp )
}
/* Return the leftmost or rightmost node in the tree */
-Avlnode *
-tavl_end( Avlnode *root, int dir )
+TAvlnode *
+tavl_end( TAvlnode *root, int dir )
{
if ( root ) {
while ( root->avl_bits[dir] == AVL_CHILD )
@@ -506,8 +506,8 @@ tavl_end( Avlnode *root, int dir )
}
/* Return the next node in the given direction */
-Avlnode *
-tavl_next( Avlnode *root, int dir )
+TAvlnode *
+tavl_next( TAvlnode *root, int dir )
{
if ( root ) {
int c = root->avl_bits[dir];
diff --git a/libraries/liblutil/testtavl.c b/libraries/liblutil/testtavl.c
index 8374f3ec7..9bd621c0e 100644
--- a/libraries/liblutil/testtavl.c
+++ b/libraries/liblutil/testtavl.c
@@ -39,14 +39,14 @@
#define AVL_INTERNAL
#include "avl.h"
-static void ravl_print LDAP_P(( Avlnode *root, int depth, int thread ));
-static void myprint LDAP_P(( Avlnode *root ));
+static void ravl_print LDAP_P(( TAvlnode *root, int depth, int thread ));
+static void myprint LDAP_P(( TAvlnode *root ));
static int avl_strcmp LDAP_P(( const void *s, const void *t ));
int
main( int argc, char **argv )
{
- Avlnode *tree = NULL, *n;
+ TAvlnode *tree = NULL, *n;
char command[ 10 ];
char name[ 80 ];
char *p;
@@ -115,7 +115,7 @@ main( int argc, char **argv )
static const char bfc_array[] = "\\-/";
static const char *bfcs = bfc_array+1;
-static void ravl_print( Avlnode *root, int depth, int thread )
+static void ravl_print( TAvlnode *root, int depth, int thread )
{
int i;
@@ -140,7 +140,7 @@ static void ravl_print( Avlnode *root, int depth, int thread )
ravl_print( root->avl_link[0], depth+1, root->avl_bits[0] == AVL_THREAD );
}
-static void myprint( Avlnode *root )
+static void myprint( TAvlnode *root )
{
printf( "********\n" );
diff --git a/servers/slapd/back-mdb/back-mdb.h b/servers/slapd/back-mdb/back-mdb.h
index b27106977..578c7e7f3 100644
--- a/servers/slapd/back-mdb/back-mdb.h
+++ b/servers/slapd/back-mdb/back-mdb.h
@@ -150,7 +150,7 @@ typedef struct mdb_attrinfo {
#ifdef LDAP_COMP_MATCH
ComponentReference* ai_cr; /*component indexing*/
#endif
- Avlnode *ai_root; /* for tools */
+ TAvlnode *ai_root; /* for tools */
void *ai_flist; /* for tools */
void *ai_clist; /* for tools */
MDB_cursor *ai_cursor; /* for tools */
diff --git a/servers/slapd/back-mdb/tools.c b/servers/slapd/back-mdb/tools.c
index bb56e65e0..baa3ab289 100644
--- a/servers/slapd/back-mdb/tools.c
+++ b/servers/slapd/back-mdb/tools.c
@@ -1208,7 +1208,7 @@ int mdb_tool_idl_add(
dbi = ai->ai_dbi;
for (i=0; keys[i].bv_val; i++) {
itmp.kstr = keys[i];
- ic = tavl_find( (Avlnode *)ai->ai_root, &itmp, mdb_tool_idl_cmp );
+ ic = tavl_find( ai->ai_root, &itmp, mdb_tool_idl_cmp );
/* No entry yet, create one */
if ( !ic ) {
@@ -1230,7 +1230,7 @@ int mdb_tool_idl_add(
ic->count = 0;
ic->offset = 0;
ic->flags = 0;
- tavl_insert( (Avlnode **)&ai->ai_root, ic, mdb_tool_idl_cmp,
+ tavl_insert( &ai->ai_root, ic, mdb_tool_idl_cmp,
avl_dup_error );
/* load existing key count here */
diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
index 166ca48a2..36c26af58 100644
--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -67,7 +67,7 @@ typedef struct Query_s {
struct query_template_s;
typedef struct Qbase_s {
- Avlnode *scopes[4]; /* threaded AVL trees of cached queries */
+ TAvlnode *scopes[4]; /* threaded AVL trees of cached queries */
struct berval base;
int queries;
} Qbase;
@@ -1274,14 +1274,14 @@ typedef struct fstack {
} fstack;
static CachedQuery *
-find_filter( Operation *op, Avlnode *root, Filter *inputf, Filter *first )
+find_filter( Operation *op, TAvlnode *root, Filter *inputf, Filter *first )
{
Filter* fs;
Filter* fi;
MatchingRule* mrule = NULL;
int res=0, eqpass= 0;
int ret, rc, dir;
- Avlnode *ptr;
+ TAvlnode *ptr;
CachedQuery cq, *qc;
fstack *stack = NULL, *fsp;
diff --git a/servers/slapd/overlays/sssvlv.c b/servers/slapd/overlays/sssvlv.c
index dff2929a0..97d3b99f5 100644
--- a/servers/slapd/overlays/sssvlv.c
+++ b/servers/slapd/overlays/sssvlv.c
@@ -105,7 +105,7 @@ typedef struct sssvlv_info
typedef struct sort_op
{
- Avlnode *so_tree;
+ TAvlnode *so_tree;
sort_ctrl *so_ctrl;
sssvlv_info *so_info;
int so_paged;
@@ -409,7 +409,7 @@ static void free_sort_op( Connection *conn, sort_op *so )
if ( sess_id > -1 ){
if ( so->so_tree ) {
if ( so->so_paged > SLAP_CONTROL_IGNORED ) {
- Avlnode *cur_node, *next_node;
+ TAvlnode *cur_node, *next_node;
cur_node = so->so_tree;
while ( cur_node ) {
next_node = tavl_next( cur_node, TAVL_DIR_RIGHT );
@@ -447,7 +447,7 @@ static void send_list(
SlapReply *rs,
sort_op *so)
{
- Avlnode *cur_node, *tmp_node;
+ TAvlnode *cur_node, *tmp_node;
vlv_ctrl *vc = op->o_controls[vlv_cid];
int i, j, dir, rc;
BackendDB *be;
@@ -600,8 +600,8 @@ range_err:
static void send_page( Operation *op, SlapReply *rs, sort_op *so )
{
- Avlnode *cur_node = so->so_tree;
- Avlnode *next_node = NULL;
+ TAvlnode *cur_node = so->so_tree;
+ TAvlnode *next_node = NULL;
BackendDB *be = op->o_bd;
Entry *e;
int rc;
@@ -665,7 +665,7 @@ static void send_entry(
send_list( op, rs, so );
} else {
/* Get the first node to send */
- Avlnode *start_node = tavl_end(so->so_tree, TAVL_DIR_LEFT);
+ TAvlnode *start_node = tavl_end(so->so_tree, TAVL_DIR_LEFT);
so->so_tree = start_node;
if ( so->so_paged <= SLAP_CONTROL_IGNORED ) {
diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
index 959917039..372f05383 100644
--- a/servers/slapd/overlays/translucent.c
+++ b/servers/slapd/overlays/translucent.c
@@ -766,7 +766,7 @@ typedef struct trans_ctx {
BackendDB *db;
slap_overinst *on;
Filter *orig;
- Avlnode *list;
+ TAvlnode *list;
int step;
int slimit;
AttributeName *attrs;
@@ -1135,7 +1135,7 @@ static int translucent_search(Operation *op, SlapReply *rs) {
/* Send out anything remaining on the list and finish */
if ( tc.step & USE_LIST ) {
if ( tc.list ) {
- Avlnode *av;
+ TAvlnode *av;
av = tavl_end( tc.list, TAVL_DIR_LEFT );
while ( av ) {
--
2.30.1
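Review bot: The new `struct tavlnode` in include/avl.h carries no comment tying it to `struct avlnode`, yet the avl.c hunks start initializing `avl_bits[0]`/`avl_bits[1]` to `AVL_CHILD` on plain nodes and the AVL_CHILD/AVL_THREAD values are swapped, which the commit message says is for avl/tavl compatibility; that dependency is invisible from the header. A comment on the struct, `/* Layout must match struct avlnode: plain avl nodes now set avl_bits to AVL_CHILD so tavl walkers see them as unthreaded */`, would record it, with the obvious hedge that the exact layout of struct avlnode is outside the hunk. Swapping the two macro values also changes what any code compiled against the old header stores in avl_bits, so the header change is ABI-relevant and worth a line in the commit message or the header comment.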



@ -0,0 +1,166 @@
From 67f7f7eecbac11bc0040a4034ef2ea1cd99e617d Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Thu, 25 Feb 2021 14:38:45 +0200
Subject: [PATCH 227/230] ITS#9197 Increase timeouts in test case due to
sporadic failures
---
tests/scripts/defines.sh | 2 +-
tests/scripts/test079-proxy-timeout | 54 +++++++++++++++++++----------
2 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 273f039cf..fe8bd47c3 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -50,7 +50,7 @@ THREADS=${AC_THREADS-threadsno}
SLEEP0=${SLEEP0-1}
SLEEP1=${SLEEP1-7}
SLEEP2=${SLEEP2-15}
-TIMEOUT=${TIMEOUT-4}
+TIMEOUT=${TIMEOUT-8}
# dirs
PROGDIR=./progs
diff --git a/tests/scripts/test079-proxy-timeout b/tests/scripts/test079-proxy-timeout
index e097c0739..79f19d937 100644
--- a/tests/scripts/test079-proxy-timeout
+++ b/tests/scripts/test079-proxy-timeout
@@ -73,8 +73,9 @@ sleep $SLEEP0
# Test 1: Test that shared connections are timed out
#
-NOW=`date +%s`
-echo "Create shared connection towards remote LDAP (time_t now=$NOW timeout=`expr $NOW + $TIMEOUT`)"
+CONN_BEGINS=`date +%s`
+CONN_EXPIRES=`expr $CONN_BEGINS + $TIMEOUT`
+echo "Create shared connection towards remote LDAP (time_t now=$CONN_BEGINS timeout=$CONN_EXPIRES)"
$LDAPSEARCH -b "dc=idle-timeout,$BASEDN" \
-D "cn=Manager,dc=local,dc=com" \
@@ -102,7 +103,7 @@ fi
# Check that connections are established by searching for olmDbConnURI from Monitor
-echo "Checking that proxy has created connections towards backend"
+echo "Checking that proxy has created connections towards backend (time_t now=`date +%s`)"
$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \
-D "cn=Manager,dc=local,dc=com" \
@@ -129,9 +130,10 @@ fi
# Wait for connections to be closed, either due to
# - idle-timeout and
# - conn-ttl
-
+# sleep 2 second overtime for robustness of the test case
echo "Sleeping until idle-timeout and conn-ttl have passed"
-sleep `expr $TIMEOUT + 1`
+NOW=`date +%s`
+sleep `expr $CONN_EXPIRES - $NOW + 2`
echo "Checking that proxy has closed expired connections towards the remote LDAP server (time_t now=`date +%s`)"
@@ -163,8 +165,9 @@ fi
# Test 2: Test that private connections are timed out
#
-NOW=`date +%s`
-echo "Create private connection towards remote LDAP (time_t now=$NOW timeout=`expr $NOW + $TIMEOUT`)"
+CONN_BEGINS=`date +%s`
+CONN_EXPIRES=`expr $CONN_BEGINS + $TIMEOUT`
+echo "Create private connection towards remote LDAP (time_t now=$CONN_BEGINS timeout=$CONN_EXPIRES)"
# Create fifos that are used to pass searches from the test case to ldapsearch
rm -f $TESTDIR/ldapsearch1.fifo $TESTDIR/ldapsearch2.fifo
@@ -192,9 +195,11 @@ exec 4>$TESTDIR/ldapsearch2.fifo
# Trigger LDAP connections towards the proxy by executing a search
echo 'objectclass=*' >&3
echo 'objectclass=*' >&4
-sleep 1
-echo "Checking that proxy has created connections towards backend"
+# wait for ldapsearches (running as background processes) to execute search operations
+sleep 2
+
+echo "Checking that proxy has created connections towards backend (time_t now=`date +%s`)"
$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \
-D "cn=Manager,dc=local,dc=com" \
@@ -218,9 +223,13 @@ if test $RC != 0 ; then
exit $RC
fi
-
+# Wait for connections to be closed, either due to
+# - idle-timeout and
+# - conn-ttl
+# sleep 2 second overtime for robustness of the test case
echo "Sleeping until idle-timeout and conn-ttl have passed"
-sleep `expr $TIMEOUT + 1`
+NOW=`date +%s`
+sleep `expr $CONN_EXPIRES - $NOW + 2`
echo "Checking that proxy has closed expired connections towards the remote LDAP server (time_t now=`date +%s`)"
@@ -258,8 +267,9 @@ exec 4>&-
#
echo "Checking that idle-timeout is reset on activity"
-NOW=`date +%s`
-echo "Create cached connection: idle-timeout timeout starts (time_t now=$NOW, original_timeout=`expr $NOW + $TIMEOUT`)"
+CONN_BEGINS=`date +%s`
+CONN_EXPIRES=`expr $CONN_BEGINS + $TIMEOUT`
+echo "Create cached connection: idle-timeout timeout starts (time_t now=$CONN_BEGINS, original_timeout=$CONN_EXPIRES)"
$LDAPSEARCH -b "dc=idle-timeout,$BASEDN" \
-D "cn=Manager,dc=local,dc=com" \
-H $URI2 \
@@ -272,10 +282,13 @@ if test $RC != 0 ; then
exit $RC
fi
-# sleep second less than idle-timeout to extend the timeout
-sleep `expr $TIMEOUT - 1`
+# sleep until 2 seconds before idle-timeout, then extend the timeout by executing another search operation
NOW=`date +%s`
-echo "Do another search to reset the timeout (time_t now=$NOW, new_timeout=`expr $NOW + $TIMEOUT`)"
+sleep `expr $CONN_EXPIRES - $NOW - 2`
+
+CONN_BEGINS=`date +%s`
+CONN_EXPIRES=`expr $CONN_BEGINS + $TIMEOUT`
+echo "Do another search to reset the timeout (time_t now=$CONN_BEGINS, new_timeout=$CONN_EXPIRES)"
$LDAPSEARCH -b "dc=idle-timeout,$BASEDN" \
-D "cn=Manager,dc=local,dc=com" \
-H $URI2 \
@@ -288,7 +301,9 @@ if test $RC != 0 ; then
exit $RC
fi
-sleep `expr $TIMEOUT - 1`
+# sleep until 2 seconds before new exteneded idle-timeout, check that connection still exist
+NOW=`date +%s`
+sleep `expr $CONN_EXPIRES - $NOW - 2`
echo "Check that connection is still alive due to idle-timeout reset (time_t now=`date +%s`)"
$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \
-D "cn=Manager,dc=local,dc=com" \
@@ -301,7 +316,9 @@ if test $RC != 0 ; then
exit $RC
fi
-sleep 2
+# sleep until 2 seconds after timeout, check that connection does not exist
+NOW=`date +%s`
+sleep `expr $CONN_EXPIRES - $NOW + 2`
echo "Check that connection is closed after extended idle-timeout has passed (time_t now=`date +%s`)"
$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \
-D "cn=Manager,dc=local,dc=com" \
@@ -314,7 +331,6 @@ if test $RC != 1 ; then
exit $RC
fi
-
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
--
2.30.1
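Review bot: The new `sleep \`expr $CONN_EXPIRES - $NOW - 2\`` at the idle-timeout reset and again before the still-alive check can evaluate to zero or a negative number when the preceding ldapsearch took longer than TIMEOUT minus two seconds, and `sleep` rejects a negative argument, so the script would then fail for a reason unrelated to the proxy. Computing the delay first and guarding it, `DELAY=\`expr $CONN_EXPIRES - $NOW - 2\`` followed by `test $DELAY -gt 0 && sleep $DELAY`, keeps the intent without the failure mode. The `+ 2` sleeps earlier in the section are always positive and need no change.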


@ -0,0 +1,25 @@
From 0db68d0983e21eee17c135402c7d603c6415ae65 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 25 Feb 2021 17:05:17 +0000
Subject: [PATCH 228/230] ITS#9197 - fix typo in prev commit
---
tests/scripts/test079-proxy-timeout | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/test079-proxy-timeout b/tests/scripts/test079-proxy-timeout
index 79f19d937..39a6d36ce 100644
--- a/tests/scripts/test079-proxy-timeout
+++ b/tests/scripts/test079-proxy-timeout
@@ -301,7 +301,7 @@ if test $RC != 0 ; then
exit $RC
fi
-# sleep until 2 seconds before new exteneded idle-timeout, check that connection still exist
+# sleep until 2 seconds before new extended idle-timeout, check that connection still exist
NOW=`date +%s`
sleep `expr $CONN_EXPIRES - $NOW - 2`
echo "Check that connection is still alive due to idle-timeout reset (time_t now=`date +%s`)"
--
2.30.1


@ -0,0 +1,66 @@
From 089fb5f9fe662324368f928a37b5b0e09655b4f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Fri, 26 Feb 2021 09:13:54 +0000
Subject: [PATCH 229/230] ITS#9197 Fix test script
---
tests/scripts/test079-proxy-timeout | 36 ++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/tests/scripts/test079-proxy-timeout b/tests/scripts/test079-proxy-timeout
index 39a6d36ce..514bcfacc 100644
--- a/tests/scripts/test079-proxy-timeout
+++ b/tests/scripts/test079-proxy-timeout
@@ -48,6 +48,24 @@ if test $WAIT != 0 ; then
read foo
fi
+echo "Testing slapd modify operations..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP1 seconds for slapd to start..."
+ sleep $SLEEP1
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
#
# Start ldapd that will proxy for the remote server
#
@@ -66,7 +84,23 @@ fi
KILLPIDS="$SERVERPID $PROXYPID"
-sleep $SLEEP0
+echo "Testing slapd modify operations..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP1 seconds for slapd to start..."
+ sleep $SLEEP1
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
##############################################################################
#
--
2.30.1
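Review bot: The first readiness loop's failure branch runs `test $KILLSERVERS != no && kill -HUP $KILLPIDS`, but the only assignment to KILLPIDS visible here (`KILLPIDS="$SERVERPID $PROXYPID"`) comes after the proxy is started, later in the second hunk; if nothing above the first hunk sets `KILLPIDS="$SERVERPID"`, a failed first check leaves the remote slapd running and `kill -HUP` is invoked with no pid. Setting `KILLPIDS="$SERVERPID"` right after the first server is started, or using `$SERVERPID` directly in that branch, would close the gap. The two loops are otherwise identical; a small `wait_for_slapd URI` function would avoid the duplication, and the `for i in 0 1 2 3 4 5` index is unused either way.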


@ -0,0 +1,34 @@
From c621153dc7dc86caab09a0afd546f5ef19904db9 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 26 Feb 2021 14:47:18 +0000
Subject: [PATCH 230/230] ITS#9197 fix info msg for slapd check
---
tests/scripts/test079-proxy-timeout | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/scripts/test079-proxy-timeout b/tests/scripts/test079-proxy-timeout
index 514bcfacc..075d64659 100644
--- a/tests/scripts/test079-proxy-timeout
+++ b/tests/scripts/test079-proxy-timeout
@@ -48,7 +48,7 @@ if test $WAIT != 0 ; then
read foo
fi
-echo "Testing slapd modify operations..."
+echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
'objectclass=*' > /dev/null 2>&1
@@ -84,7 +84,7 @@ fi
KILLPIDS="$SERVERPID $PROXYPID"
-echo "Testing slapd modify operations..."
+echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
'objectclass=*' > /dev/null 2>&1
--
2.30.1


@ -0,0 +1,591 @@
From 430ca1b323d92a4ec02bbeda0acb556467751ae6 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Wed, 24 Feb 2021 18:24:31 +0200
Subject: [PATCH 231/238] ITS#9468 Added test case for proxy re-binding
anonymously
---
tests/data/regressions/its9468/its9468 | 421 ++++++++++++++++++
.../data/regressions/its9468/slapd-proxy.conf | 81 ++++
.../regressions/its9468/slapd-remote.conf | 50 +++
3 files changed, 552 insertions(+)
create mode 100755 tests/data/regressions/its9468/its9468
create mode 100644 tests/data/regressions/its9468/slapd-proxy.conf
create mode 100644 tests/data/regressions/its9468/slapd-remote.conf
diff --git a/tests/data/regressions/its9468/its9468 b/tests/data/regressions/its9468/its9468
new file mode 100755
index 000000000..f79b48687
--- /dev/null
+++ b/tests/data/regressions/its9468/its9468
@@ -0,0 +1,421 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9468
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+if test $RWM = "rwmno" ; then
+ echo "rwm (rewrite/remap) overlay not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+
+echo "This test checks back-ldap connection retry behavior when the connection"
+echo "to remote LDAP server is disconnected due to:"
+echo " - remote server disconnecting the proxy connection"
+echo " - proxy disconnecting the remote server connection due to timeout/ttl"
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-remote.conf > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+ -D $MANAGERDN \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $SERVERPID
+ exit $RC
+fi
+
+#
+# Start slapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+ echo PROXYPID $PROXYPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+# Create fifo that is used to pass searches from the test case to ldapsearch without
+# disconnecting the client -> proxy connection
+rm -f $TESTDIR/ldapsearch.fifo
+mkfifo $TESTDIR/ldapsearch.fifo
+
+#############################################################################
+#
+# Test 1: Check that proxy WILL NOT try to re-establish connection and rebind
+# after server has disconnected the connection towards proxy.
+#
+# Proxy config is
+# - rebind-as-user no
+# - no idle-timeout of conn-ttl set
+#
+
+echo "Test 1"
+
+# Start ldapsearch on background and have it read search filters from fifo,
+# so that single client connection will persist over many searches
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=no-rebind,dc=no-timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=no-rebind,dc=no-timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo > $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$KILLPIDS $LDAPSEARCHPID"
+
+# Open fifo as file descriptor
+exec 3>$TESTDIR/ldapsearch.fifo
+
+# Trigger LDAP connections towards the proxy by executing a search
+echo 'objectclass=*' >&3
+# Wait for ldapsearch process on the background to catch up reading the fifo
+sleep 2
+
+# Check the number of bind operations that proxy has executed so far
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+# Restart the remote server to invalidate TCP connection between proxy and remote
+echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+sleep 2
+
+# When forking slapd on background, close filehandle 3 to avoid leaving fifo hanging uncloseable
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- &
+SERVERPID=$!
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+echo "Using ldapsearch to check that remote slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+ -D $MANAGERDN \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+# Wait for ldapsearch process on the background to catch up reading the fifo
+sleep 2
+
+# Check how many binds have been executed after retry
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+ echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+ echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+#############################################################################
+#
+# Test 2: Check that proxy WILL re-establish connection and rebind after
+# remote server has disconnected the connection towards proxy.
+#
+# Proxy config is
+# - rebind-as-user yes
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 2"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=rebind,dc=no-timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=rebind,dc=no-timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+sleep 2
+
+echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+sleep 2
+
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- &
+SERVERPID=$!
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+echo "Using ldapsearch to check that remote slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+ -D $MANAGERDN \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+#############################################################################
+#
+# Test 3: Check that proxy WILL NOT re-establish connection and rebind after
+# it disconnected the connection after idle-timeout or conn-ttl
+#
+# Proxy config is
+# - rebind-as-user no
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 3"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=no-rebind,dc=timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=no-rebind,dc=timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+# Wait for proxy->remote server timeout to expire
+sleep 4
+
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+ echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+ echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+#############################################################################
+#
+# Test 4: Check that proxy WILL NOT re-establish connection and rebind after
+# it disconnected the connection after idle-timeout or conn-ttl
+#
+# Proxy config is
+# - rebind-as-user yes
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 4"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=rebind,dc=timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=rebind,dc=timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+# Wait for proxy->remote server timeout to expire
+sleep 4
+
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+ echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+ echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
\ No newline at end of file
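Review bot: The Test 3 and Test 4 headers both state `# - no idle-timeout or conn-ttl set`, yet the proxy databases those tests bind through (`dc=no-rebind,dc=timeout` and `dc=rebind,dc=timeout` in slapd-proxy.conf) are exactly the ones configured with `idle-timeout 1`, and the tests wait for that timeout with `sleep 4`; the two lines should read `# - idle-timeout 1 set`. All four bind-count checks read olmDbOperation from `cn=database 2,cn=databases,cn=monitor`; if the monitor numbers databases in slapd-proxy.conf order, that entry belongs to the first proxy database, so the counters compared in Tests 3 and 4 would not be touched by binds through the timeout databases and the assertion there could not fail for the reason it is meant to catch — worth confirming against the monitor naming and, if so, selecting the database entry per test. The `sleep 2`/`sleep 4` waits are the only synchronisation with the background ldapsearch and the proxy expiry, so the test is timing-sensitive on loaded CI hosts; a comment noting that `sleep 4` must exceed `idle-timeout 1` plus the prune interval would at least document the dependency. All three new files also lack a trailing newline.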
diff --git a/tests/data/regressions/its9468/slapd-proxy.conf b/tests/data/regressions/its9468/slapd-proxy.conf
new file mode 100644
index 000000000..a2bd893c8
--- /dev/null
+++ b/tests/data/regressions/its9468/slapd-proxy.conf
@@ -0,0 +1,81 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+pidfile @TESTDIR@/slapd.m.pid
+argsfile @TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/:../servers/slapd/overlays
+#mod#moduleload back_@BACKEND@.la
+#ldapmod#modulepath ../servers/slapd/back-ldap/
+#ldapmod#moduleload back_ldap.la
+#rwmmod#modulepath ../servers/slapd/overlays/
+#rwmmod#moduleload rwm.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+database @BACKEND@
+suffix "dc=local,dc=com"
+rootdn "cn=Manager,dc=local,dc=com"
+rootpw "secret"
+#~null~#directory @TESTDIR@/db.2.a
+
+# proxy with default settings, used for test where remote server will disconnect the proxy connection
+database ldap
+uri "@URI1@"
+suffix "dc=no-rebind,dc=no-timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user no
+overlay rwm
+rwm-suffixmassage "dc=no-rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with rebind-as-user set, used for test where remote server will disconnect the proxy connection
+database ldap
+uri "@URI1@"
+suffix "dc=rebind,dc=no-timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user yes
+overlay rwm
+rwm-suffixmassage "dc=rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with idle-timeout, used for test where proxy will disconnect the remote server connection
+database ldap
+uri "@URI1@"
+suffix "dc=no-rebind,dc=timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user no
+idle-timeout 1
+overlay rwm
+rwm-suffixmassage "dc=no-rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with rebind-as-user and idle-timeout, used for test where proxy will disconnect the remote server connection
+database ldap
+uri "@URI1@"
+suffix "dc=rebind,dc=timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user yes
+idle-timeout 1
+overlay rwm
+rwm-suffixmassage "dc=rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+database monitor
\ No newline at end of file
diff --git a/tests/data/regressions/its9468/slapd-remote.conf b/tests/data/regressions/its9468/slapd-remote.conf
new file mode 100644
index 000000000..71fb1cb36
--- /dev/null
+++ b/tests/data/regressions/its9468/slapd-remote.conf
@@ -0,0 +1,50 @@
+# stand-alone slapd config -- for testing (with indexing)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+include @DATADIR@/test.schema
+
+#
+pidfile @TESTDIR@/slapd.1.pid
+argsfile @TESTDIR@/slapd.1.args
+
+# disable anonymous bind in order to catch ITS#9468
+disallow bind_anon
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database @BACKEND@
+suffix "dc=example,dc=com"
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+monitoring on
+#null#bind on
+#~null~#directory @TESTDIR@/db.1.a
+#indexdb#index objectClass eq
+#indexdb#index cn,sn,uid pres,eq,sub
+#mdb#maxsize 33554432
+#ndb#dbname db_1
+#ndb#include @DATADIR@/ndb.conf
+
+database monitor
\ No newline at end of file
--
2.32.0


@ -0,0 +1,52 @@
From 9724cc7dc24dbbc17c356f100262a7999db3f88b Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Fri, 5 Mar 2021 10:51:28 +0200
Subject: [PATCH 232/238] ITS#9468 back-ldap: Return disconect if rebind cannot
be done
---
servers/slapd/back-ldap/bind.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 1f9cbf185..3b46caaa7 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1495,9 +1495,25 @@ retry_lock:;
retry:;
if ( BER_BVISNULL( &lc->lc_cred ) ) {
tmp_dn = "";
+ /*
+ * Bind is requested with DN but without credentials.
+ * This can happen when connection to remote server has been
+ * lost either due to remote server disconnecting it or due to
+ * proxy disconnecting it by itself (idle-timeout, conn-ttl).
+ */
if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
- Debug( LDAP_DEBUG_ANY, "%s ldap_back_dobind_int: DN=\"%s\" without creds, binding anonymously",
- op->o_log_prefix, lc->lc_bound_ndn.bv_val, 0 );
+ Debug( LDAP_DEBUG_ANY,
+ "%s ldap_back_dobind_int: DN=\"%s\" connection "
+ "was re-established but cannot rebind without creds\n",
+ op->o_log_prefix, lc->lc_bound_ndn.bv_val, 0 );
+ rs->sr_text = "Proxy lost connection to remote server";
+ rs->sr_err = LDAP_UNAVAILABLE;
+ if ( sendok & LDAP_BACK_SENDERR ) {
+ send_ldap_result( op, rs );
+ }
+ rs->sr_err = SLAPD_DISCONNECT;
+ rc = 0;
+ goto done;
}
} else {
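Review bot: After `send_ldap_result` the branch overwrites `rs->sr_err` with SLAPD_DISCONNECT but leaves `rs->sr_text` set to "Proxy lost connection to remote server", so when `sendok` lacks LDAP_BACK_SENDERR the caller gets a reply struct whose text describes an LDAP_UNAVAILABLE that was never sent; either reset `rs->sr_text = NULL;` after the send or document that the text belongs only to the client-facing result. The added comment says when the no-credentials case arises but not why the old behaviour (the removed message "binding anonymously") was unsafe; a line such as `/* Refuse rather than fall back to an anonymous bind: the client authenticated as this DN and must not silently keep operating with anonymous authorization on the remote. */` records the rationale. What `rc = 0` means to the caller cannot be confirmed from the hunk; ldap_back_dobind_int begins and ends outside it.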
@@ -3209,4 +3225,4 @@ ldap_back_schedule_conn_expiry( ldapinfo_t *li, ldapconn_t *lc ) {
ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
return;
-}
\ No newline at end of file
+}
--
2.32.0


@ -0,0 +1,39 @@
From d144e881694555fc63169b069bfd4ba217fb0b78 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Mon, 15 Mar 2021 20:29:01 +0200
Subject: [PATCH 233/238] ITS#9468 removed accidental unicode characters
---
tests/data/regressions/its9468/its9468 | 2 +-
tests/data/regressions/its9468/slapd-proxy.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/data/regressions/its9468/its9468 b/tests/data/regressions/its9468/its9468
index f79b48687..96247ca51 100755
--- a/tests/data/regressions/its9468/its9468
+++ b/tests/data/regressions/its9468/its9468
@@ -139,7 +139,7 @@ KILLPIDS="$KILLPIDS $LDAPSEARCHPID"
# Open fifo as file descriptor
exec 3>$TESTDIR/ldapsearch.fifo
-# Trigger LDAP connections towards the proxy by executing a search
+# Trigger LDAP connections towards the proxy by executing a search
echo 'objectclass=*' >&3
# Wait for ldapsearch process on the background to catch up reading the fifo
sleep 2
diff --git a/tests/data/regressions/its9468/slapd-proxy.conf b/tests/data/regressions/its9468/slapd-proxy.conf
index a2bd893c8..e19ee91de 100644
--- a/tests/data/regressions/its9468/slapd-proxy.conf
+++ b/tests/data/regressions/its9468/slapd-proxy.conf
@@ -29,7 +29,7 @@ argsfile @TESTDIR@/slapd.m.args
#mod#moduleload back_@BACKEND@.la
#ldapmod#modulepath ../servers/slapd/back-ldap/
#ldapmod#moduleload back_ldap.la
-#rwmmod#modulepath ../servers/slapd/overlays/
+#rwmmod#modulepath ../servers/slapd/overlays/
#rwmmod#moduleload rwm.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
--
2.32.0


@ -0,0 +1,58 @@
From e969f9b508ed06984da48f61c7816a9b9b40409b Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Mon, 29 Mar 2021 18:57:53 +0300
Subject: [PATCH 234/238] ITS#9468 documented that re-connecting does not
happen after idle-timeout or conn-ttl
---
doc/man/man5/slapd-ldap.5 | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 1c509542f..6088b049b 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -193,8 +193,12 @@ underlying libldap, with rebinding eventually performed if the
.TP
.B conn\-ttl <time>
-This directive causes a cached connection to be dropped and recreated
-after a given ttl, regardless of being idle or not.
+This directive causes a cached connection to be dropped after a given ttl,
+regardless of being idle or not. If a client connection outlives the remote
+connection, the client will receive
+.IR LDAP_UNAVAILABLE
+when it executes the next operation.
+
.TP
.B idassert\-authzFrom <authz-regexp>
@@ -410,8 +414,11 @@ for details on the syntax of this field.
.TP
.B idle\-timeout <time>
-This directive causes a cached connection to be dropped an recreated
-after it has been idle for the specified time.
+This directive causes a cached connection to be dropped after it has been idle
+for the specified time. If a client connection outlives the remote connection,
+the client will receive
+.IR LDAP_UNAVAILABLE
+when it executes the next operation.
.TP
.B keepalive <idle>:<probes>:<interval>
@@ -518,6 +525,11 @@ or when chasing a referral, if
.B chase\-referrals
is set to
.IR yes .
+Note, however, that connection is not re-established automatically after it
+was dropped due to
+.B idle\-timeout
+or
+.B conn\-ttl .
.TP
.B session\-tracking\-request {NO|yes}
--
2.32.0


@ -0,0 +1,58 @@
From a7de38dac0e3e4686637f26d168f4c95db9ad673 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Mon, 10 May 2021 21:41:02 +0300
Subject: [PATCH 235/238] ITS#9468 summarize discussion about rebind-as-user
---
servers/slapd/back-ldap/bind.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 3b46caaa7..8e77e3a60 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1500,6 +1500,7 @@ retry:;
* This can happen when connection to remote server has been
* lost either due to remote server disconnecting it or due to
* proxy disconnecting it by itself (idle-timeout, conn-ttl).
+ * See comment in ldap_back_conn_prune().
*/
if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
Debug( LDAP_DEBUG_ANY,
@@ -3098,6 +3099,22 @@ ldap_back_conn_expire_time( ldapinfo_t *li, ldapconn_t *lc) {
return -1;
}
+/*
+ * Iterate though connections and close those that are pass the expiry time.
+ * Also calculate the time for next connection to to expire.
+ *
+ * Note:
+ * When the client sends a request after remote connection is pruned, a new
+ * connection is created but bind cannot be replayed even if "rebind-as-user"
+ * was set to "yes". The client credentials are stored in ldapconn_t and lost
+ * when the connection is freed.
+ *
+ * LDAP_DISCONNECT is sent to signal the client that it needs to reconnect to
+ * the proxy and rebind itself (see "Bind is requested with DN but without
+ * credentials" in ldap_back_dobind_int()). Better implementation would not
+ * free ldapconn_t but instead just close the socket. This is not implemented
+ * currently as it is considerable work for what is assumed to be a corner case.
+ */
static void
ldap_back_conn_prune( ldapinfo_t *li )
{
@@ -3106,10 +3123,6 @@ ldap_back_conn_prune( ldapinfo_t *li )
TAvlnode *edge;
int c;
- /*
- * Iterate though connections and close those that are pass the expiry time.
- * Also calculate the time for next connection to to expire.
- */
ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
for ( c = LDAP_BACK_PCONN_FIRST; c < LDAP_BACK_PCONN_LAST; c++ ) {
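Review bot: The new comment above ldap_back_conn_prune says `LDAP_DISCONNECT is sent to signal the client`, but the code it points at in ldap_back_dobind_int (patch 232 in this series) sends LDAP_UNAVAILABLE to the client and then sets the internal `rs->sr_err = SLAPD_DISCONNECT`; the comment should name `SLAPD_DISCONNECT` and say the client observes LDAP_UNAVAILABLE followed by a closed connection. `Iterate though connections` is also a typo for `through` that the follow-up typo fix (patch 236) does not correct. The moved comment now documents the function as a whole, which is the right place for it; the function body continues outside the hunk.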
--
2.32.0


@ -0,0 +1,27 @@
From 0512f1627c48d833bb110bb28e71400e182859d2 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Tue, 11 May 2021 17:02:40 +0300
Subject: [PATCH 236/238] ITS#9468 fixed typos
---
servers/slapd/back-ldap/bind.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 8e77e3a60..f44bdff06 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -3100,8 +3100,8 @@ ldap_back_conn_expire_time( ldapinfo_t *li, ldapconn_t *lc) {
}
/*
- * Iterate though connections and close those that are pass the expiry time.
- * Also calculate the time for next connection to to expire.
+ * Iterate though connections and close those that are past the expiry time.
+ * Also calculate the time for next connection to expire.
*
* Note:
* When the client sends a request after remote connection is pruned, a new
--
2.32.0


@ -0,0 +1,59 @@
From 2be4121973ae073fe80530ed367159888310cc23 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 25 May 2021 20:02:45 +0100
Subject: [PATCH 237/238] ITS#9468 always init lc_time and lc_create_time
Doesn't cost us anything and guarantees expiry will work if conn_ttl
or idletimeout are configured at a later time.
---
servers/slapd/back-ldap/bind.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index f44bdff06..0ec435c8c 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -658,7 +658,6 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
#ifdef HAVE_TLS
int is_tls = op->o_conn->c_is_tls;
int flags = li->li_flags;
- time_t lctime = (time_t)(-1);
slap_bindconf *sb;
#endif /* HAVE_TLS */
@@ -743,10 +742,6 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
ldap_unbind_ext( ld, NULL, NULL );
rs->sr_text = "Start TLS failed";
goto error_return;
-
- } else if ( li->li_idle_timeout ) {
- /* only touch when activity actually took place... */
- lctime = op->o_time;
}
#endif /* HAVE_TLS */
@@ -758,9 +753,6 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
} else {
LDAP_BACK_CONN_ISTLS_CLEAR( lc );
}
- if ( lctime != (time_t)(-1) ) {
- lc->lc_time = lctime;
- }
#endif /* HAVE_TLS */
error_return:;
@@ -774,9 +766,8 @@ error_return:;
}
} else {
- if ( li->li_conn_ttl > 0 ) {
- lc->lc_create_time = op->o_time;
- }
+ lc->lc_create_time = op->o_time;
+ lc->lc_time = op->o_time;
}
return rs->sr_err;
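Review bot: The unconditional `lc->lc_create_time = op->o_time;` / `lc->lc_time = op->o_time;` replace a conditional whose comment (`/* only touch when activity actually took place... */`) is deleted with it, so the reason both stamps are now always set lives only in the commit message. A comment at the assignment, e.g. `/* always stamp both so expiry works even if idle-timeout or conn-ttl are configured later */`, keeps the rationale with the code. The enclosing if/else and ldap_back_prepare_conn itself start and end outside the hunk, so whether this else is reached only on a freshly created connection cannot be confirmed here.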
--
2.32.0


@ -0,0 +1,91 @@
From bc05e285b3c647437606887c4810c0b1a4d3f308 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Thu, 13 May 2021 21:13:08 +0300
Subject: [PATCH 238/238] ITS#9468 do not arm expire timer for connections that
are already tainted
---
servers/slapd/back-ldap/bind.c | 58 +++++++++++++++++++---------------
1 file changed, 32 insertions(+), 26 deletions(-)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 0ec435c8c..37b07cf63 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -3121,6 +3121,38 @@ ldap_back_conn_prune( ldapinfo_t *li )
while ( lc ) {
ldapconn_t *next = LDAP_TAILQ_NEXT( lc, lc_q );
+
+ if ( !LDAP_BACK_CONN_TAINTED( lc ) ) {
+ time_t conn_expires = ldap_back_conn_expire_time( li, lc );
+
+ if ( now >= conn_expires ) {
+ if ( lc->lc_refcnt == 0 ) {
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_back_conn_prune: closing expired connection lc=%p\n",
+ lc, 0, 0 );
+ ldap_back_freeconn( li, lc, 0 );
+ } else {
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_back_conn_prune: tainting expired connection lc=%p\n",
+ lc, 0, 0 );
+ LDAP_BACK_CONN_TAINTED_SET( lc );
+ }
+ } else if ( next_timeout == -1 || conn_expires < next_timeout ) {
+ /* next_timeout was not yet initialized or current connection expires sooner */
+ next_timeout = conn_expires;
+ }
+ }
+
+ lc = next;
+ }
+ }
+
+ edge = tavl_end( li->li_conninfo.lai_tree, TAVL_DIR_LEFT );
+ while ( edge ) {
+ TAvlnode *next = tavl_next( edge, TAVL_DIR_RIGHT );
+ ldapconn_t *lc = (ldapconn_t *)edge->avl_data;
+
+ if ( !LDAP_BACK_CONN_TAINTED( lc ) ) {
time_t conn_expires = ldap_back_conn_expire_time( li, lc );
if ( now >= conn_expires ) {
@@ -3136,34 +3168,8 @@ ldap_back_conn_prune( ldapinfo_t *li )
LDAP_BACK_CONN_TAINTED_SET( lc );
}
} else if ( next_timeout == -1 || conn_expires < next_timeout ) {
- /* next_timeout was not yet initialized or current connection expires sooner */
next_timeout = conn_expires;
}
-
- lc = next;
- }
- }
-
- edge = tavl_end( li->li_conninfo.lai_tree, TAVL_DIR_LEFT );
- while ( edge ) {
- TAvlnode *next = tavl_next( edge, TAVL_DIR_RIGHT );
- ldapconn_t *lc = (ldapconn_t *)edge->avl_data;
- time_t conn_expires = ldap_back_conn_expire_time( li, lc );
-
- if ( now >= conn_expires ) {
- if ( lc->lc_refcnt == 0 ) {
- Debug( LDAP_DEBUG_TRACE,
- "ldap_back_conn_prune: closing expired connection lc=%p\n",
- lc, 0, 0 );
- ldap_back_freeconn( li, lc, 0 );
- } else {
- Debug( LDAP_DEBUG_TRACE,
- "ldap_back_conn_prune: tainting expired connection lc=%p\n",
- lc, 0, 0 );
- LDAP_BACK_CONN_TAINTED_SET( lc );
- }
- } else if ( next_timeout == -1 || conn_expires < next_timeout ) {
- next_timeout = conn_expires;
}
edge = next;
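Review bot: The expiry check, the two Debug/close-or-taint branches and the next_timeout update now appear verbatim in both the list loop and the tree loop of ldap_back_conn_prune, and the hunk adds the `!LDAP_BACK_CONN_TAINTED( lc )` guard to each copy separately, which is how the copies will drift next time. Factoring the body into a static helper called from both loops keeps the guard in one place; the sketch below assumes `now` and `next_timeout` are `time_t` as their comparison with `conn_expires` suggests. The guard itself deserves a comment, e.g. `/* presumably a tainted conn is freed when its refcount drops, so it needs no timer */`, since the hunk does not show what eventually releases a tainted connection. ldap_back_conn_prune starts outside the hunk.
```c
/* Close lc if its expiry has passed (or taint it while still in use);
 * otherwise fold its expiry into *next_timeout. Tainted conns are skipped. */
static void
ldap_back_conn_check_expiry( ldapinfo_t *li, ldapconn_t *lc, time_t now, time_t *next_timeout )
{
	time_t conn_expires;

	if ( LDAP_BACK_CONN_TAINTED( lc ) ) {
		return;
	}
	conn_expires = ldap_back_conn_expire_time( li, lc );
	if ( now >= conn_expires ) {
		if ( lc->lc_refcnt == 0 ) {
			Debug( LDAP_DEBUG_TRACE,
				"ldap_back_conn_prune: closing expired connection lc=%p\n",
				lc, 0, 0 );
			ldap_back_freeconn( li, lc, 0 );
		} else {
			Debug( LDAP_DEBUG_TRACE,
				"ldap_back_conn_prune: tainting expired connection lc=%p\n",
				lc, 0, 0 );
			LDAP_BACK_CONN_TAINTED_SET( lc );
		}
	} else if ( *next_timeout == -1 || conn_expires < *next_timeout ) {
		/* next_timeout was not yet initialized or current connection expires sooner */
		*next_timeout = conn_expires;
	}
}

/* … unchanged: ldap_back_conn_prune prologue and locking … */
	while ( lc ) {
		ldapconn_t *next = LDAP_TAILQ_NEXT( lc, lc_q );
		ldap_back_conn_check_expiry( li, lc, now, &next_timeout );
		lc = next;
	}
/* … unchanged: tree walk, calling the same helper per edge->avl_data … */
```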
--
2.32.0


@ -0,0 +1,43 @@
From c51c78f50b96eb07dcaf45b237e03ae0291c30e2 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 11 Feb 2021 17:26:39 +0000
Subject: [PATCH 239/241] ITS#9422 - Update for TLS v1.3
---
include/ldap.h | 1 +
libraries/libldap/tls_o.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/include/ldap.h b/include/ldap.h
index c245651c27..149b9ea725 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 27bd7fa982..41d34a94bb 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -279,6 +279,13 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#ifdef SSL_OP_NO_TLSv1
#ifdef SSL_OP_NO_TLSv1_1
#ifdef SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_TLSv1_3
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
+ SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
+ SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 );
+ else
+#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
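Review bot: The new `#ifdef SSL_OP_NO_TLSv1_3` rung means a `ldo_tls_protocol_min` above LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 now excludes every protocol version, so handshakes fail rather than silently allowing an older version; that is the right fail-closed outcome and worth stating in a comment on the new branch, e.g. `/* minimum above the newest known version: disable everything, handshakes will fail */`. The ladder has to be extended by hand for each new protocol version; if the supported OpenSSL baseline is 1.1.0 or later, `SSL_CTX_set_min_proto_version()` expresses the same minimum without the per-version #ifdef chain. The matching ldap.h hunk only adds the constant, so any documentation listing the accepted TLS_PROTOCOL_MIN values should gain TLS1_3 as well. tlso_ctx_init starts and ends outside the hunk.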
--
2.35.1


@ -0,0 +1,216 @@
From e2b25e6e935253ad1d8b834cadebb7277770b336 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 9 Apr 2021 18:09:15 +0100
Subject: [PATCH 240/241] ITS#9518 add LDAP_OPT_X_TLS_PROTOCOL_MAX option
OpenSSL only
---
doc/man/man3/ldap_get_option.3 | 9 +++++
include/ldap.h | 3 +-
libraries/libldap/init.c | 1 +
libraries/libldap/ldap-int.h | 5 ++-
libraries/libldap/tls2.c | 8 +++++
libraries/libldap/tls_o.c | 64 ++++++++++++++++++++++------------
6 files changed, 66 insertions(+), 24 deletions(-)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index af5ede141e..ab4fe5d934 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -730,6 +730,15 @@ A non-zero value pointed to by
.BR invalue
tells the library to create a context for a server.
.TP
+.B LDAP_OPT_X_TLS_PROTOCOL_MAX
+Sets/gets the maximum protocol version.
+.BR invalue
+must be
+.BR "const int *" ;
+.BR outvalue
+must be
+.BR "int *" .
+.TP
.B LDAP_OPT_X_TLS_PROTOCOL_MIN
Sets/gets the minimum protocol version.
.BR invalue
diff --git a/include/ldap.h b/include/ldap.h
index 149b9ea725..02de148661 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
+#define LDAP_OPT_X_TLS_PROTOCOL_MAX 0x601b
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
@@ -169,7 +170,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_CRL_PEER 1
#define LDAP_OPT_X_TLS_CRL_ALL 2
-/* for LDAP_OPT_X_TLS_PROTOCOL_MIN */
+/* for LDAP_OPT_X_TLS_PROTOCOL_MIN/MAX */
#define LDAP_OPT_X_TLS_PROTOCOL(maj,min) (((maj) << 8) + (min))
#define LDAP_OPT_X_TLS_PROTOCOL_SSL2 (2 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_SSL3 (3 << 8)
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 9b877a92f5..77e3139b9e 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -130,6 +130,7 @@ static const struct ol_attribute {
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
{0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN},
+ {0, ATTR_TLS, "TLS_PROTOCOL_MAX", NULL, LDAP_OPT_X_TLS_PROTOCOL_MAX},
#ifdef HAVE_OPENSSL_CRL
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 66e04ae805..b0d8858a8e 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -166,6 +166,7 @@ struct ldaptls {
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
int lt_protocol_min;
+ int lt_protocol_max;
};
#endif
@@ -254,13 +255,15 @@ struct ldapoptions {
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
#define ldo_tls_protocol_min ldo_tls_info.lt_protocol_min
+#define ldo_tls_protocol_max ldo_tls_info.lt_protocol_max
#define ldo_tls_crlfile ldo_tls_info.lt_crlfile
#define ldo_tls_randfile ldo_tls_info.lt_randfile
int ldo_tls_mode;
int ldo_tls_require_cert;
int ldo_tls_impl;
int ldo_tls_crlcheck;
-#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
+#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0,\
+ LDAP_OPT_X_TLS_PROTOCOL(255,255)},0,0,0,0
#else
#define LDAP_LDO_TLS_NULLARG
#endif
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 16c9d0487e..e932938ff0 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -553,6 +553,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
return ldap_pvt_tls_set_option( ld, option, &i );
}
return -1;
+ case LDAP_OPT_X_TLS_PROTOCOL_MAX:
case LDAP_OPT_X_TLS_PROTOCOL_MIN: {
char *next;
long l;
@@ -665,6 +666,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
*(int *)arg = lo->ldo_tls_protocol_min;
break;
+ case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+ *(int *)arg = lo->ldo_tls_protocol_max;
+ break;
case LDAP_OPT_X_TLS_RANDOM_FILE:
*(char **)arg = lo->ldo_tls_randfile ?
LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL;
@@ -802,6 +806,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( !arg ) return -1;
lo->ldo_tls_protocol_min = *(int *)arg;
return 0;
+ case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+ if ( !arg ) return -1;
+ lo->ldo_tls_protocol_max = *(int *)arg;
+ return 0;
case LDAP_OPT_X_TLS_RANDOM_FILE:
if ( ld != NULL )
return -1;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 41d34a94bb..f02b7ca53a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -276,36 +276,56 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
(const unsigned char *) "OpenLDAP", sizeof("OpenLDAP")-1 );
}
+ if ( lo->ldo_tls_protocol_min ) {
+ int opt = 0;
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
+ opt |= SSL_OP_NO_SSLv2;
+ SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
+ }
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
+ opt |= SSL_OP_NO_SSLv3;
#ifdef SSL_OP_NO_TLSv1
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 )
+ opt |= SSL_OP_NO_TLSv1;
+#endif
#ifdef SSL_OP_NO_TLSv1_1
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 )
+ opt |= SSL_OP_NO_TLSv1_1;
+#endif
#ifdef SSL_OP_NO_TLSv1_2
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 )
+ opt |= SSL_OP_NO_TLSv1_2;
+#endif
#ifdef SSL_OP_NO_TLSv1_3
- if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
- SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 );
- else
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 )
+ opt |= SSL_OP_NO_TLSv1_3;
#endif
- if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
- SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_TLSv1_2 );
- else
+ if ( opt )
+ SSL_CTX_set_options( ctx, opt );
+ }
+ if ( lo->ldo_tls_protocol_max ) {
+ int opt = 0;
+#ifdef SSL_OP_NO_TLSv1_3
+ if ( lo->ldo_tls_protocol_max < LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 )
+ opt |= SSL_OP_NO_TLSv1_3;
#endif
- if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_1)
- SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 );
- else
+#ifdef SSL_OP_NO_TLSv1_2
+ if ( lo->ldo_tls_protocol_max < LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 )
+ opt |= SSL_OP_NO_TLSv1_2;
#endif
- if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_0)
- SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1);
- else
+#ifdef SSL_OP_NO_TLSv1_1
+ if ( lo->ldo_tls_protocol_max < LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 )
+ opt |= SSL_OP_NO_TLSv1_1;
+#endif
+#ifdef SSL_OP_NO_TLSv1
+ if ( lo->ldo_tls_protocol_max < LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 )
+ opt |= SSL_OP_NO_TLSv1;
#endif
- if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
- SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
- else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
- SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+ if ( lo->ldo_tls_protocol_max < LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
+ opt |= SSL_OP_NO_SSLv3;
+ if ( opt )
+ SSL_CTX_set_options( ctx, opt );
+ }
if ( lo->ldo_tls_ciphersuite &&
!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
--
2.35.1
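Review bot: Nothing rejects a maximum below the minimum: the new LDAP_OPT_X_TLS_PROTOCOL_MAX case in ldap_pvt_tls_set_option stores the value without comparing it against ldo_tls_protocol_min, and in tlso_ctx_init the two blocks then OR together SSL_OP_NO_* flags that can disable every protocol version, leaving a context that fails every handshake with no diagnostic. A check in that case, `if ( *(int *)arg && lo->ldo_tls_protocol_min && *(int *)arg < lo->ldo_tls_protocol_min ) return -1;` (with the symmetric check in the MIN case), or at least a Debug() line in tlso_ctx_init when the combined mask disables everything, would surface the misconfiguration. Note also that LDAP_LDO_TLS_NULLARG now seeds ldo_tls_protocol_max with LDAP_OPT_X_TLS_PROTOCOL(255,255), so the `if ( lo->ldo_tls_protocol_max )` block always runs; that is harmless here because no `<` comparison matches, but the macro deserves a comment saying the sentinel means "no upper bound". tlso_ctx_init starts and ends outside the hunk.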


@ -0,0 +1,47 @@
From c6e416e88c650ad74f44bc66a931327f82e2075d Mon Sep 17 00:00:00 2001
From: William Brown <wbrown@suse.de>
Date: Wed, 23 Mar 2022 15:06:47 +1000
Subject: [PATCH 241/241] TLS set protocol version
---
libraries/libldap/tls_o.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f02b7ca53a..81c16864ba 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -277,6 +277,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
if ( lo->ldo_tls_protocol_min ) {
+#ifdef SSL_CTX_set_min_proto_version
+ SSL_CTX_set_min_proto_version( ctx, lo->ldo_tls_protocol_min );
+#else
int opt = 0;
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
opt |= SSL_OP_NO_SSLv2;
@@ -302,8 +305,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#endif
if ( opt )
SSL_CTX_set_options( ctx, opt );
+#endif
}
if ( lo->ldo_tls_protocol_max ) {
+#ifdef SSL_CTX_set_max_proto_version
+ SSL_CTX_set_max_proto_version( ctx, lo->ldo_tls_protocol_max );
+#else
int opt = 0;
#ifdef SSL_OP_NO_TLSv1_3
if ( lo->ldo_tls_protocol_max < LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 )
@@ -325,6 +332,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
opt |= SSL_OP_NO_SSLv3;
if ( opt )
SSL_CTX_set_options( ctx, opt );
+#endif
}
if ( lo->ldo_tls_ciphersuite &&
--
2.35.1
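Review bot: The return values of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() are discarded; OpenSSL returns 0 for a version number it does not recognise, so an unsupported TLS_PROTOCOL_MIN/MAX silently leaves the context unrestricted instead of being reported. The max call hits this by default: ldo_tls_protocol_max is seeded with LDAP_OPT_X_TLS_PROTOCOL(255,255) by the preceding patch in this series, a value OpenSSL rejects, so the intended "no upper bound" happens only by accident of that failure. Suggest checking the result and logging, e.g. `if ( !SSL_CTX_set_min_proto_version( ctx, lo->ldo_tls_protocol_min ) ) Debug( LDAP_DEBUG_ANY, "TLS: unsupported minimum protocol version 0x%x\n", lo->ldo_tls_protocol_min, 0, 0 );`, and mapping the 0xFFFF sentinel to 0 before the max call. A comment would also help readers: `/* LDAP_OPT_X_TLS_PROTOCOL(maj,min) is (maj<<8)+min, the same layout as OpenSSL's TLS1_x_VERSION constants, so the value passes through unchanged */`. tlso_ctx_init starts and ends outside the hunks.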


@ -0,0 +1,273 @@
From 714256de247bda3157c4fc3961d7266d081284a2 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 23 Mar 2022 12:43:31 +0000
Subject: [PATCH] ITS#9815 slapd-sql: escape filter values
---
servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
1 file changed, 105 insertions(+), 18 deletions(-)
diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
index 5c60db507e..81dd94a2d6 100644
--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
@@ -63,6 +63,38 @@ static void send_paged_response(
ID *lastid );
#endif /* ! BACKSQL_ARBITRARY_KEY */
+/* Look for chars that need to be escaped, return count of them.
+ * If out is non-NULL, copy escape'd val to it.
+ */
+static int
+backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
+{
+ char *ptr, *end;
+ int q = 0;
+
+ ptr = in->bv_val;
+ end = ptr + in->bv_len;
+ while (ptr < end) {
+ if ( *ptr == '\'' )
+ q++;
+ ptr++;
+ }
+ if ( q && out ) {
+ char *dst;
+ out->bv_len = in->bv_len + q;
+ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
+ ptr = in->bv_val;
+ dst = out->bv_val;
+ while (ptr < end ) {
+ if ( *ptr == '\'' )
+ *dst++ = '\'';
+ *dst++ = *ptr++;
+ }
+ *dst = '\0';
+ }
+ return q;
+}
+
static int
backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
{
@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
int i;
int casefold = 0;
+ int escaped = 0;
+ struct berval escval, *fvalue;
if ( !f ) {
return 0;
@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
BER_BVZERO( &bv );
if ( f->f_sub_initial.bv_val ) {
- bv.bv_len += f->f_sub_initial.bv_len;
+ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
}
if ( f->f_sub_any != NULL ) {
for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
- bv.bv_len += f->f_sub_any[ a ].bv_len;
+ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
}
}
if ( f->f_sub_final.bv_val ) {
- bv.bv_len += f->f_sub_final.bv_len;
+ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
}
bv.bv_len = 2 * bv.bv_len - 1;
bv.bv_val = ch_malloc( bv.bv_len + 1 );
s = 0;
if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
+ fvalue = &f->f_sub_initial;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+ for ( i = 1; i < fvalue->bv_len; i++ ) {
bv.bv_val[ s + 2 * i - 1 ] = '%';
- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
}
bv.bv_val[ s + 2 * i - 1 ] = '%';
s += 2 * i;
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
}
if ( f->f_sub_any != NULL ) {
for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
+ fvalue = &f->f_sub_any[ a ];
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+ for ( i = 1; i < fvalue->bv_len; i++ ) {
bv.bv_val[ s + 2 * i - 1 ] = '%';
- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
}
bv.bv_val[ s + 2 * i - 1 ] = '%';
s += 2 * i;
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
}
}
if ( !BER_BVISNULL( &f->f_sub_final ) ) {
- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
+ fvalue = &f->f_sub_final;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+ for ( i = 1; i < fvalue->bv_len; i++ ) {
bv.bv_val[ s + 2 * i - 1 ] = '%';
- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
}
- bv.bv_val[ s + 2 * i - 1 ] = '%';
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
s += 2 * i;
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
}
bv.bv_val[ s - 1 ] = '\0';
@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
f->f_sub_initial.bv_val, 0 );
#endif /* BACKSQL_TRACE */
+ fvalue = &f->f_sub_initial;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
start = bsi->bsi_flt_where.bb_val.bv_len;
backsql_strfcat_x( &bsi->bsi_flt_where,
bsi->bsi_op->o_tmpmemctx,
"b",
- &f->f_sub_initial );
+ fvalue );
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
}
@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
i, f->f_sub_any[ i ].bv_val );
#endif /* BACKSQL_TRACE */
+ fvalue = &f->f_sub_any[ i ];
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
start = bsi->bsi_flt_where.bb_val.bv_len;
backsql_strfcat_x( &bsi->bsi_flt_where,
bsi->bsi_op->o_tmpmemctx,
"bc",
- &f->f_sub_any[ i ],
+ fvalue,
'%' );
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
/*
* Note: toupper('%') = '%'
@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
f->f_sub_final.bv_val, 0 );
#endif /* BACKSQL_TRACE */
+ fvalue = &f->f_sub_final;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
start = bsi->bsi_flt_where.bb_val.bv_len;
backsql_strfcat_x( &bsi->bsi_flt_where,
bsi->bsi_op->o_tmpmemctx,
"b",
- &f->f_sub_final );
+ fvalue );
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
}
@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
struct berval *filter_value = NULL;
MatchingRule *matching_rule = NULL;
struct berval ordering = BER_BVC("<=");
+ struct berval escval;
+ int escaped = 0;
Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
at->bam_ad->ad_cname.bv_val, 0, 0 );
@@ -1237,6 +1309,10 @@ equality_match:;
casefold = 1;
}
+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+ if ( escaped )
+ filter_value = &escval;
+
/* FIXME: directoryString filtering should use a similar
* approach to deal with non-prettified values like
* " A non prettified value ", by using a LIKE
@@ -1317,6 +1393,10 @@ equality_match:;
casefold = 1;
}
+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+ if ( escaped )
+ filter_value = &escval;
+
/*
* FIXME: should we uppercase the operands?
*/
@@ -1350,7 +1430,7 @@ equality_match:;
&at->bam_sel_expr,
&ordering,
'\'',
- &f->f_av_value,
+ filter_value,
(ber_len_t)STRLENOF( /* (' */ "')" ),
/* ( */ "')" );
}
@@ -1374,13 +1454,17 @@ equality_match:;
case LDAP_FILTER_APPROX:
/* we do our best */
+ filter_value = &f->f_av_value;
+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+ if ( escaped )
+ filter_value = &escval;
/*
* maybe we should check type of at->sel_expr here somehow,
* to know whether upper_func is applicable, but for now
* upper_func stuff is made for Oracle, where UPPER is
* safely applicable to NUMBER etc.
*/
- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
+ (void)backsql_process_filter_like( bsi, at, 1, filter_value );
break;
default:
@@ -1394,6 +1478,9 @@ equality_match:;
}
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+
Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
at->bam_ad->ad_cname.bv_val, 0, 0 );
--
2.36.0
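Review bot: The per-element escaping in the first backsql_process_sub_filter hunk is undone by the interleaving that follows it: backsql_val_escape doubles each quote, but the loops at `bv.bv_val[ s + 2 * i - 1 ] = '%';` then insert a `%` between every pair of adjacent characters, so the doubled quote `''` is emitted as `'%'`, which most likely closes the SQL literal early and turns the statement into a syntax error rather than a clean match. Escaping should happen once on the assembled pattern instead: build bv from the raw f_sub_* values as before, then after `bv.bv_val[ s - 1 ] = '\0';` run `escaped = backsql_val_escape( bsi->bsi_op, &bv, &escval );` and substitute escval for bv when it returns non-zero, freeing the original. Separately, backsql_val_escape only handles `'`; `%` and `_` in assertion values remain live LIKE wildcards in the paths that go through backsql_process_filter_like, which is pre-existing but worth a comment on the helper (`/* doubles single quotes only; does not neutralise LIKE wildcards */`) so nobody assumes it makes a value safe for LIKE. backsql_process_sub_filter and backsql_process_filter_attr start and end outside their hunks.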


@ -0,0 +1,77 @@
From eee1fad18d3caebde0de36c58d3e77a10f98d287 Mon Sep 17 00:00:00 2001
From: William Brown <wbrown@suse.de>
Date: Wed, 11 May 2022 12:40:50 +1000
Subject: [PATCH] Change malloc to use calloc to prevent memory reuse
corruption
---
servers/slapd/sl_malloc.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/servers/slapd/sl_malloc.c b/servers/slapd/sl_malloc.c
index 942f7402bd..01f3634574 100644
--- a/servers/slapd/sl_malloc.c
+++ b/servers/slapd/sl_malloc.c
@@ -292,8 +292,8 @@ slap_sl_mem_setctx(
SET_MEMCTX(thrctx, memctx, slap_sl_mem_destroy);
}
-void *
-slap_sl_malloc(
+static void *
+slap_sl_malloc_inner(
ber_len_t size,
void *ctx
)
@@ -394,6 +394,12 @@ slap_sl_malloc(
((0UL|(t)-1) >>31>>31 > 1 ? ((t)1 <<32) - 1 : \
(0UL|(t)-1) >>31 ? 65535U : (0UL|(t)-1) >>15 ? 255U : 15U)
+void *
+slap_sl_malloc( ber_len_t size, void *ctx )
+{
+ return slap_sl_calloc(1, size, ctx);
+}
+
void *
slap_sl_calloc( ber_len_t n, ber_len_t size, void *ctx )
{
@@ -402,7 +408,7 @@ slap_sl_calloc( ber_len_t n, ber_len_t size, void *ctx )
/* The sqrt test is a slight optimization: often avoids the division */
if ((n | size) <= LIM_SQRT(ber_len_t) || n == 0 || total/n == size) {
- newptr = slap_sl_malloc( total, ctx );
+ newptr = slap_sl_malloc_inner( total, ctx );
memset( newptr, 0, n*size );
} else {
Debug(LDAP_DEBUG_ANY, "slap_sl_calloc(%lu,%lu) out of range\n",
@@ -421,7 +427,7 @@ slap_sl_realloc(void *ptr, ber_len_t size, void *ctx)
void *newptr;
if (ptr == NULL)
- return slap_sl_malloc(size, ctx);
+ return slap_sl_malloc_inner(size, ctx);
/* Not our memory? */
if (No_sl_malloc || !sh || ptr < sh->sh_base || ptr >= sh->sh_end) {
@@ -468,7 +474,7 @@ slap_sl_realloc(void *ptr, ber_len_t size, void *ctx)
/* Nowhere to grow, need to alloc and copy */
} else {
/* Slight optimization of the final realloc variant */
- newptr = slap_sl_malloc(size-sizeof(ber_len_t), ctx);
+ newptr = slap_sl_malloc_inner(size-sizeof(ber_len_t), ctx);
AC_MEMCPY(newptr, ptr, oldsize-sizeof(ber_len_t));
/* Not last block, can just mark old region as free */
nextp[-1] = oldsize;
@@ -483,7 +489,7 @@ slap_sl_realloc(void *ptr, ber_len_t size, void *ctx)
oldsize = size;
}
- newptr = slap_sl_malloc(size, ctx);
+ newptr = slap_sl_malloc_inner(size, ctx);
AC_MEMCPY(newptr, ptr, oldsize);
slap_sl_free(ptr, ctx);
return newptr;
--
2.36.1
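Review bot: The zeroing is not applied consistently: slap_sl_malloc now goes through slap_sl_calloc, but slap_sl_realloc still calls slap_sl_malloc_inner for the `ptr == NULL` case and in the grow paths, so realloc(NULL, n) hands back unzeroed slab memory and a grown block keeps stale bytes beyond oldsize. If the intent is that slab memory never carries stale contents, the `ptr == NULL` branch should return `slap_sl_calloc( 1, size, ctx );` and the grow paths should clear the tail after the AC_MEMCPY calls, e.g. `memset( (char *)newptr + oldsize, 0, size - oldsize );` (with the sizes adjusted for the header word in the first grow path). The commit message names no specific corruption; a short comment on slap_sl_malloc recording why every allocation is now zeroed, and that it costs a memset per slab allocation, would keep the wrapper from being optimised back later. slap_sl_malloc_inner and slap_sl_realloc continue outside the hunks.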


@ -0,0 +1,26 @@
From fa0d1a185c402036605fbf939575dfc93a68ebc5 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 24 Aug 2022 14:40:51 +0100
Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
---
libraries/libldap/fetch.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
index 410fb80762..cf3de52af7 100644
--- a/libraries/libldap/fetch.c
+++ b/libraries/libldap/fetch.c
@@ -69,6 +69,8 @@ ldif_open_url(
}
p = ber_strdup( urlstr );
+ if ( p == NULL )
+ return NULL;
/* But we should convert to LDAP_DIRSEP before use */
if ( LDAP_DIRSEP[0] != '/' ) {
--
2.40.1


@ -0,0 +1,44 @@
From e7e2743112e32e13bbe79d20de2aead1b40a7400 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Mon, 7 Mar 2022 10:06:49 +0000
Subject: [PATCH] ITS#9803 Drop connection when receiving non-LDAP data
---
libraries/libldap/result.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
index 9966ec89d1..c5d9687696 100644
--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -501,6 +501,16 @@ nextresp3:
lc->lconn_ber = NULL;
break;
+ default:
+ /*
+ * We read a BerElement that isn't LDAP or the stream has desync'd.
+ * In either case, anything we read from now on is probably garbage,
+ * just drop the connection.
+ */
+ ber_free( ber, 1 );
+ lc->lconn_ber = NULL;
+ /* FALLTHRU */
+
case LBER_DEFAULT:
err = sock_errno();
#ifdef LDAP_DEBUG
@@ -513,10 +523,6 @@ nextresp3:
--lc->lconn_refcnt;
lc->lconn_status = 0;
return -1;
-
- default:
- ld->ld_errno = LDAP_LOCAL_ERROR;
- return -1;
}
/* message id */
--
2.40.1
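Review bot: The new `default:` case falls through into LBER_DEFAULT, whose first statement `err = sock_errno();` reads an errno that no socket call on this path set, so the debug output and whatever error mapping follows the hunk will report a stale, unrelated error for the non-LDAP-data case. Either clear it before the fall-through, e.g. `sock_errset( 0 );` after `lc->lconn_ber = NULL;`, or keep the removed `ld->ld_errno = LDAP_LOCAL_ERROR;` assignment in the default branch so callers can tell a protocol desync from a dropped socket. The switch continues outside the hunk, so whether the later code overwrites ld_errno unconditionally is not visible here.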

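--- a/DB_CONFIG
+++ b/DB_CONFIG
@@ -0,0 +1,7 @@
+set_cachesize 0 15000000 1
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+set_lk_max_locks 30000
+set_lk_max_objects 30000
+set_flags DB_LOG_AUTOREMOVE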

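--- a/README.module-loading
+++ b/README.module-loading
@@ -0,0 +1,25 @@
+All of the OpenLDAP backends (except back-config) and overlays are now
+compiled as dynamic modules in our packages. If you want to use any of
+these in your setup make sure to put the correct "olcModuleLoad" or
+"moduleload" statements in your configuration.
+For details please see the slapd-config(5) and slapd.conf(5) manpages
+(depending on which config mechanism you use).
+For a list of the included dynamic modules list all modules files:
+ls /usr/lib*/openldap/*.so
+Or just the backend files:
+ls /usr/lib*/openldap/back_*.so
+Documentations for the overlays can be found in the respective man pages or
+the OpenLDAP Administration Guide which is part of the "openldap2-doc"
+package.
+Backend man-pages:
+man 5 slapo-<back_name>
+Overlays man-pages:
+man 5 slapo-<name>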

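--- a/SuSEfirewall2.openldap
+++ b/SuSEfirewall2.openldap
@@ -0,0 +1,17 @@
+## Name: OpenLDAP Server
+## Description: Opens ports for the OpenLDAP Server (slapd).
+# space separated list of allowed TCP ports
+TCP="ldap ldaps"
+# space separated list of allowed UDP ports
+UDP="ldap"
+# space separated list of allowed RPC services
+RPC=""
+# space separated list of allowed IP protocols
+IP=""
+# space separated list of allowed UDP broadcast ports
+BROADCAST=""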
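Review bot: `UDP="ldap"` opens UDP port 389, but slapd listens only on TCP (ldap, ldaps) and the ldapi socket and does not implement connectionless LDAP, so this rule exposes a port with no listener behind it. Drop it to `UDP=""` unless a CLDAP-capable service is shipped alongside, and if one is, name it in the Description line so the exception is deliberate.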

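--- a/baselibs.conf
+++ b/baselibs.conf
@@ -0,0 +1,6 @@
+libldap-2_4-2
+provides "openldap2-client-<targettype> = <version>"
+obsoletes "openldap2-client-<targettype> <= <version>"
+openldap2-devel
+requires -openldap2-<targettype>
+requires "libldap-2_4-2-<targettype> = <version>"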

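--- a/fixup-modulepath.sh
+++ b/fixup-modulepath.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+source /usr/lib/openldap/update-crc
+conf_dir='/etc/openldap/slapd.d'
+tgt_ldif="${conf_dir}/cn=config.ldif"
+if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
+then
+exit 0
+fi
+# Make sure slapd.service is not running.
+slapd_running=1
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+/usr/bin/systemctl is-active --quiet slapd.service
+slapd_running=$?
+fi
+if [ $slapd_running -eq 0 ]; then
+echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
+exit 1
+fi
+# Remove the module path.
+sed -n -i '/olcModulePath/!p' ${tgt_ldif}
+res=$?
+if [ $res -ne 0 ]
+then
+echo "Failed to remove olcModulePath in ${tgt_ldif}"
+exit 1
+else
+do_update_crc ${tgt_ldif}
+echo "Updated crc of ${tgt_ldif}"
+fi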
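Review bot: The path expansions are unquoted throughout (`[ ! -d ${conf_dir} ]`, `sed -n -i '/olcModulePath/!p' ${tgt_ldif}`, `do_update_crc ${tgt_ldif}`); the target `cn=config.ldif` contains no whitespace today, but `"${tgt_ldif}"` at each use costs nothing and keeps the script correct if the directory is ever relocated. The sed filter drops only lines that literally contain olcModulePath: LDIF folds long attribute values onto continuation lines that begin with a space, so a wrapped olcModulePath value would leave its tail behind as a stray line, which I would expect slapd to reject at startup; an LDIF-aware edit, or at least a comment stating the assumption that the value fits on one line, would be safer. `source /usr/lib/openldap/update-crc` also runs before any existence check on that helper, so when it is absent the script continues with do_update_crc undefined and fails late with a "command not found" instead of exiting cleanly.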

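--- a/openldap-r-only.dif
+++ b/openldap-r-only.dif
@@ -0,0 +1,24 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2017-07-04 13:53:32.386698982 +0200
+Build all own programs exclusively with libldap_r and not libldap.
+References: http://bugzilla.redhat.com/1370065
+References: http://bugzilla.opensuse.org/996551
+---
+build/top.mk | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+Index: openldap-2.4.45/build/top.mk
+===================================================================
+--- openldap-2.4.45.orig/build/top.mk
++++ openldap-2.4.45/build/top.mk
+@@ -171,7 +171,7 @@ LDAP_LIBLUNICODE_A = $(LDAP_LIBDIR)/libl
+LDAP_LIBLUTIL_A = $(LDAP_LIBDIR)/liblutil/liblutil.a
+LDAP_L = $(LDAP_LIBLUTIL_A) \
+- $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA)
++ $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
+SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \
+$(LDAP_LIBLUTIL_A) $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)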

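--- a/openldap2-rpmlintrc
+++ b/openldap2-rpmlintrc
@@ -0,0 +1,3 @@
+# We have to pin the libldap versions so that if symbols are added or removed
+# then openldap doesn't break.
+addFilter("shlib-fixed-dependency")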

2034
openldap2.changes Normal file


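--- a/openldap2.conf
+++ b/openldap2.conf
@@ -0,0 +1,3 @@
+# openldap needs a directory in /var/lib/:
+d /var/lib/ldap 0750 ldap ldap -
+L+ /var/lib/ldap/DB_CONFIG - - - - ../../../usr/lib/openldap/DB_CONFIG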

731
openldap2.spec Normal file

@ -0,0 +1,731 @@
#
# spec file for package openldap2
#
# Copyright (c) 2022-2023 ZhuningOS
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
%define run_test_suite 0
%define version_main 2.4.46
%if %{suse_version} >= 1310 && %{suse_version} != 1315
%define _rundir /run/slapd
%else
%define _rundir /var/run/slapd
%endif
%define name_ppolicy_check_module ppolicy-check-password
%define version_ppolicy_check_module 1.2
%define ppolicy_docdir %{_docdir}/openldap-%{name_ppolicy_check_module}-%{version_ppolicy_check_module}
Name: openldap2
Summary: An open source implementation of the Lightweight Directory Access Protocol
License: OLDAP-2.8
Group: Productivity/Networking/LDAP/Servers
Version: %{version_main}
Release: 150200.14.17.1
Url: http://www.openldap.org
Source: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-%{version_main}.tgz
Source1: slapd.conf
Source2: slapd.conf.olctemplate
Source3: DB_CONFIG
Source4: sasl-slapd.conf
Source5: README.module-loading
Source6: schema2ldif
Source7: baselibs.conf
Source9: addonschema.tar.gz
Source12: slapd.conf.example
Source13: start
Source14: slapd.service
Source15: SuSEfirewall2.openldap
Source16: sysconfig.openldap
Source18: openldap2.conf
Source19: fixup-modulepath.sh
Source20: slapd-ldif-update-crc.sh
Source21: update-crc.sh
Source99: %{name}-rpmlintrc
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Patch3: 0003-LDAPI-socket-location.dif
Patch5: 0005-pie-compile.dif
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch11: 0011-openldap-re24-its7796.patch
Patch12: 0012-ITS8051-sockdnpat.patch
Patch14: 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
Patch15: openldap-r-only.dif
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
Patch17: 0017-Fix-segfault-in-nops.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf
Source203: %{name_ppolicy_check_module}.5
Patch200: 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
Patch201: 0201-ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
Patch202: 0202-ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
Patch203: 0203-ITS-9038-Update-test028-to-test-this-is-enforced.patch
Patch204: 0204-ITS-9038-Another-test028-typo.patch
Patch205: 0205-bsc-1170771-limit-depth-of-nested-filters.patch
Patch206: 0206-openldap-tlso-use-openssl-api-to-verify-host.patch
Patch207: 0207-ITS-9370-check-for-equality-rule-on-old_rdn.patch
Patch208: 0208-ITS-9400-back-ldap-fix-retry-binds.patch
Patch209: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch
Patch210: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
Patch211: 0211-ITS-9454-fix-issuerAndThisUpdateCheck.patch
Patch212: 0212-ITS-9404-fix-serialNumberAndIssuerCheck.patch
Patch213: 0213-ITS-9406-9407-remove-saslauthz-asserts.patch
Patch214: 0214-ITS-9406-fix-debug-msg.patch
Patch215: 0215-ITS-9408-fix-vrfilter-double-free.patch
Patch216: 0216-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
Patch217: 0217-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
Patch218: 0218-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
Patch219: 0219-ITS-9413-fix-slap_parse_user.patch
Patch220: 0220-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
Patch221: 0221-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
Patch222: 0222-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
Patch223: 0223-ITS-9427-fix-issuerAndThisUpdateCheck.patch
Patch224: 0224-ITS-9428-fix-cancel-exop.patch
Patch225: 0225-ITS-8625-Separate-Avlnode-and-TAvlnode-types.patch
Patch226: 0226-ITS-9197-back-ldap-added-task-that-prunes-expired-co.patch
Patch227: 0227-ITS-9197-Increase-timeouts-in-test-case-due-to-spora.patch
Patch228: 0228-ITS-9197-fix-typo-in-prev-commit.patch
Patch229: 0229-ITS-9197-Fix-test-script.patch
Patch230: 0230-ITS-9197-fix-info-msg-for-slapd-check.patch
Patch231: 0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch
Patch232: 0232-ITS-9468-back-ldap-Return-disconect-if-rebind-cannot.patch
Patch233: 0233-ITS-9468-removed-accidental-unicode-characters.patch
Patch234: 0234-ITS-9468-documented-that-re-connecting-does-not-happ.patch
Patch235: 0235-ITS-9468-summarize-discussion-about-rebind-as-user.patch
Patch236: 0236-ITS-9468-fixed-typos.patch
Patch237: 0237-ITS-9468-always-init-lc_time-and-lc_create_time.patch
Patch238: 0238-ITS-9468-do-not-arm-expire-timer-for-connections-tha.patch
Patch239: 0239-ITS-9422-Update-for-TLS-v1.3.patch
Patch240: 0240-ITS-9518-add-LDAP_OPT_X_TLS_PROTOCOL_MAX-option.patch
Patch241: 0241-TLS-set-protocol-version.patch
Patch242: 0242-ITS-9815-slapd-sql-escape-filter-values.patch
Patch243: 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
Patch244: 0244-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
Patch245: 0245-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel
BuildRequires: db-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libtool
BuildRequires: openslp-devel
BuildRequires: unixODBC-devel
%if %{suse_version} >= 1310 && %{suse_version} != 1315
# avoid cycle with krb5
BuildRequires: krb5-mini
BuildRequires: pkgconfig(systemd)
%if %{suse_version} < 1500
%{?systemd_requires}
%endif
%endif
Requires: libldap-2_4-2 = %{version}-%{release}
Requires: gawk
Recommends: cyrus-sasl
Conflicts: openldap
PreReq: %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
%description
OpenLDAP is a client and server reference implementation of the
Lightweight Directory Access Protocol v3 (LDAPv3).
The server provides several database backends and overlays.
%package back-perl
Summary: OpenLDAP Perl Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}-%{release}
Requires: perl = %{perl_version}
%description back-perl
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package back-sock
Summary: OpenLDAP Socket Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}-%{release}
Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz
%description back-sock
The OpenLDAP socket back-end allows you to handle LDAP requests and
results with an external process listening on a Unix domain socket.
%package back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}-%{release}
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
%description back-meta
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory
Information Tree (DIT).
%package back-sql
Summary: OpenLDAP SQL Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}-%{release}
%description back-sql
The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n libldap-data
Summary: Configuration file for system-wide defaults for all uses of libldap
Group: Productivity/Networking/LDAP/Clients
%if 0%{?suse_version} != 1110
BuildArch: noarch
%endif
%description -n libldap-data
The subpackage contains a configuration file used to set system-wide defaults
to be applied with all usages of libldap.
%package contrib
Summary: OpenLDAP Contrib Modules
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}-%{release}
%description contrib
Various overlays found in contrib/:
addpartial Intercepts ADD requests, applies changes to existing entries
allop
allowed Generates attributes indicating access rights
autogroup
cloak
denyop
lastbind writes last bind timestamp to entry
noopsrch handles no-op search control
nops
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
trace traces overlay invocation
%package doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
%if 0%{?suse_version} > 1110
BuildArch: noarch
%endif
%description doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
%package client
Summary: OpenLDAP client utilities
Group: Productivity/Networking/LDAP/Clients
Requires: libldap-2_4-2 = %{version}-%{release}
%description client
OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
%package devel
Summary: Libraries, Header Files and Documentation for OpenLDAP
# bug437293
Group: Development/Libraries/C and C++
%ifarch ppc64
Obsoletes: openldap2-devel-64bit
%endif
#
Conflicts: openldap-devel
Requires: libldap-2_4-2 = %{version}-%{release}
Recommends: cyrus-sasl-devel
%description devel
This package provides the OpenLDAP libraries, header files, and
documentation.
%package devel-static
Summary: Static libraries for the OpenLDAP libraries
Group: Development/Libraries/C and C++
Requires: cyrus-sasl-devel
Requires: libopenssl-devel
Requires: openldap2-devel = %{version}-%{release}
%description devel-static
This package provides the static versions of the OpenLDAP libraries
for development.
%package -n libldap-2_4-2
Summary: OpenLDAP Client Libraries
Group: Productivity/Networking/LDAP/Clients
Requires: libldap-data = %{version}-%{release}
%description -n libldap-2_4-2
This package contains the OpenLDAP client libraries.
%package ppolicy-check-password
Version: %{version_ppolicy_check_module}
Release: 150200.14.17.1
Summary: Password quality check module for OpenLDAP
Group: Productivity/Networking/LDAP/Servers
Url: https://github.com/onyxpoint/ppolicy-check-password
BuildRequires: cracklib-devel
Requires: openldap2 = %{version_main}-%{release}
Recommends: cracklib cracklib-dict-full
%description ppolicy-check-password
An implementation of password quality check module, based on the original
work done by LDAP Toolbox Project (https://ltd-project.org), that works
together with OpenLDAP password policy overlay (ppolicy), to enforce
password strength policies.
%prep
# Unpack ppolicy check module
%setup -b 200 -q -n %{name_ppolicy_check_module}-%{version_ppolicy_check_module}
%patch200 -p1
cd ..
# Compress the manual page of ppolicy check module
gzip -k %{S:203}
# Unpack and patch OpenLDAP 2.4
%setup -q -a 9 -n openldap-%{version_main}
%patch1 -p1
%patch3 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch11 -p1
%patch12 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch201 -p1
%patch202 -p1
%patch203 -p1
%patch204 -p1
%patch205 -p1
%patch206 -p1
%patch207 -p1
%patch208 -p1
%patch209 -p1
%patch210 -p1
%patch211 -p1
%patch212 -p1
%patch213 -p1
%patch214 -p1
%patch215 -p1
%patch216 -p1
%patch217 -p1
%patch218 -p1
%patch219 -p1
%patch220 -p1
%patch221 -p1
%patch222 -p1
%patch223 -p1
%patch224 -p1
%patch225 -p1
%patch226 -p1
%patch227 -p1
%patch228 -p1
%patch229 -p1
%patch230 -p1
%patch231 -p1
%patch232 -p1
%patch233 -p1
%patch234 -p1
%patch235 -p1
%patch236 -p1
%patch237 -p1
%patch238 -p1
%patch239 -p1
%patch240 -p1
%patch241 -p1
%patch242 -p1
%patch243 -p1
%patch244 -p1
%patch245 -p1
cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
mv ../%{name_ppolicy_check_module}-%{version_ppolicy_check_module} contrib/slapd-modules/%{name_ppolicy_check_module}
cp %{S:201} contrib/slapd-modules/%{name_ppolicy_check_module}/Makefile
%build
export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DLDAP_USE_NON_BLOCKING_TLS -DLDAP_CONNECTIONLESS "
export STRIP=""
./configure \
--prefix=/usr \
--sysconfdir=%{_sysconfdir} \
--libdir=%{_libdir} \
--libexecdir=%{_libdir} \
--localstatedir=%{_rundir} \
--enable-wrappers=no \
--enable-spasswd \
--enable-modules \
--enable-shared \
--enable-dynamic \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
--enable-aci \
--enable-bdb=mod \
--enable-hdb=mod \
--enable-rewrite \
--enable-ldap=mod \
--enable-meta=mod \
--enable-monitor=mod \
--enable-perl=mod \
--enable-sock=mod \
--enable-sql=mod \
--enable-mdb=mod \
--enable-relay=mod \
--enable-slp \
--enable-overlays=mod \
--enable-syncprov=mod \
--enable-ppolicy=mod \
--enable-lmpasswd \
--with-yielding-select \
|| cat config.log
make depend
make %{?_smp_mflags}
# Build selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
# Build ppolicy-check-password module
make -C contrib/slapd-modules/%{name_ppolicy_check_module} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
%check
%if %run_test_suite
# calculate the base port to be use in the test-suite
SLAPD_BASEPORT=10000
if [ -f /.buildenv ] ; then
. /.buildenv
SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
fi
export SLAPD_BASEPORT
%ifnarch %arm alpha
rm -f tests/scripts/test019-syncreplication-cascade
rm -f tests/scripts/test022-ppolicy
rm -f tests/scripts/test023-refint
rm -f tests/scripts/test033-glue-syncrepl
#rm -f tests/scripts/test036-meta-concurrency
#rm -f tests/scripts/test039-glue-ldap-concurrency
rm -f tests/scripts/test043-delta-syncrepl
#rm -f tests/scripts/test045-syncreplication-proxied
rm -f tests/scripts/test048-syncrepl-multiproxy
rm -f tests/scripts/test050-syncrepl-multimaster
rm -f tests/scripts/test058-syncrepl-asymmetric
make SLAPD_DEBUG=0 test
%endif
%endif
%install
mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap
mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap
mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir}
make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
# Additional symbolic link to slapd executable in /usr/sbin/
ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
# Install selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start
install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir}
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
mkdir -p ${RPM_BUILD_ROOT}/usr/lib/tmpfiles.d/
install -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}/usr/lib/tmpfiles.d/
install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/%{_libexecdir}/openldap/
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/%{_libexecdir}/openldap/fixup-modulepath
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/%{_libexecdir}/openldap/update-crc
# Install ppolicy check module
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
# Install ppolicy check module's doc files
pushd contrib/slapd-modules/%{name_ppolicy_check_module}
mkdir -p "%{buildroot}%ppolicy_docdir"
install -m 0644 README "%{buildroot}%ppolicy_docdir"
install -m 0644 LICENSE "%{buildroot}%ppolicy_docdir"
popd
# Install ppolicy check module's manual page
install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/
mkdir -p ${RPM_BUILD_ROOT}%{_fillupdir}
install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}%{_fillupdir}/sysconfig.openldap
install -m 644 *.ldif ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
install -m 644 *.schema ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
# Install default and sample configuration files
install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
install -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
rm -rf doc/guide/release
%define DOCDIR %{_defaultdocdir}/%{name}
# Install default database optimisation
install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \
${RPM_BUILD_ROOT}/%{DOCDIR}/images \
${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/%{DOCDIR}/
install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images
install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
install -m 644 ANNOUNCEMENT \
COPYRIGHT \
README \
CHANGES \
%{SOURCE5} \
${RPM_BUILD_ROOT}/%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default
rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example
rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README
rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif*
rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
# Make ldap_r the only copy in the system [rh#1370065].
# libldap.so is only for `gcc/ld -lldap`. Make no libldap-2.4.so.2.
rm -f "%{buildroot}/%{_libdir}"/libldap-2.4.so*
ln -fs libldap_r.so "%{buildroot}/%{_libdir}/libldap.so"
#gcc -shared -o "%{buildroot}/%{_libdir}/libldap-2.4.so.2" --no-as-needed \
# -Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}/%{_libdir}" -lldap_r
%pre
getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap
getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap
%service_add_pre slapd.service
%post
if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
cp /etc/sasl2/slapd.conf /etc/sasl2/slapd.conf.rpmnew
cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
fi
%{fillup_only -n openldap ldap}
%tmpfiles_create %{name}.conf
%service_add_post slapd.service
%post -n libldap-2_4-2 -p /sbin/ldconfig
%postun -n libldap-2_4-2 -p /sbin/ldconfig
%preun
%service_del_preun slapd.service
%postun
%service_del_postun slapd.service
%files
%defattr(-,root,root)
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openldap
%config %{_sysconfdir}/openldap/schema/*.schema
%config %{_sysconfdir}/openldap/schema/*.ldif
%config(noreplace) /etc/sasl2/slapd.conf
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf
%config(noreplace) %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.olctemplate
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.default
%config %attr(640, root, ldap) %{_sysconfdir}/openldap/slapd.conf.example
%config(noreplace) %attr(640, root, ldap) %{_libexecdir}/openldap/DB_CONFIG
%dir %{_libdir}/openldap
%dir %{_libexecdir}/openldap
%dir %{_sysconfdir}/sasl2
%dir %{_sysconfdir}/openldap
%dir %attr(0770, ldap, ldap) %{_sysconfdir}/openldap/slapd.d
%dir %{_sysconfdir}/openldap/schema
%{_fillupdir}/sysconfig.openldap
%{_sbindir}/slap*
%{_sbindir}/rcslapd
%{_libdir}/openldap/back_bdb*
%{_libdir}/openldap/back_hdb*
%{_libdir}/openldap/back_ldap*
%{_libdir}/openldap/back_mdb*
%{_libdir}/openldap/back_monitor*
%{_libdir}/openldap/back_relay*
%{_libdir}/openldap/accesslog*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/collect*
%{_libdir}/openldap/constraint*
%{_libdir}/openldap/dds*
%{_libdir}/openldap/deref*
%{_libdir}/openldap/dyngroup*
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy-2.4.*
%{_libdir}/openldap/ppolicy.*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod*
%{_libdir}/openldap/sssvlv*
%{_libdir}/openldap/syncprov*
%{_libdir}/openldap/translucent*
%{_libdir}/openldap/unique*
%{_libdir}/openldap/valsort*
%{_libdir}/slapd
%{_libexecdir}/openldap/start
%{_libexecdir}/openldap/update-crc
%{_libexecdir}/openldap/fixup-modulepath
%{_unitdir}/slapd.service
/usr/lib/tmpfiles.d/%{name}.conf
%dir %attr(0750, ldap, ldap) /var/lib/ldap
%ghost %attr(0750, ldap, ldap) %{_rundir}
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-bdb.*
%doc %{_mandir}/man5/slapd-config.*
%doc %{_mandir}/man5/slapd-hdb.*
%doc %{_mandir}/man5/slapd-ldap.*
%doc %{_mandir}/man5/slapd-ldif.*
%doc %{_mandir}/man5/slapd-mdb.*
%doc %{_mandir}/man5/slapd-monitor.*
%doc %{_mandir}/man5/slapd-relay.*
%doc %{_mandir}/man5/slapo-*
%dir %{DOCDIR}
%doc %{DOCDIR}/ANNOUNCEMENT
%doc %{DOCDIR}/COPYRIGHT
%license LICENSE
%doc %{DOCDIR}/README*
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
%doc %{DOCDIR}/DB_CONFIG.example
%files back-perl
%defattr(-,root,root)
%{_libdir}/openldap/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
%files back-sock
%defattr(-,root,root)
%{_libdir}/openldap/back_sock*
%doc %{_mandir}/man5/slapd-sock.*
%files back-meta
%defattr(-,root,root)
%{_libdir}/openldap/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
%files back-sql
%defattr(-,root,root)
%{_libdir}/openldap/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
%doc servers/slapd/back-sql/examples
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
%files -n libldap-data
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%doc %{_mandir}/man5/ldap.conf*
%{_sysconfdir}/openldap/ldap.conf.default
%files doc
%defattr(-,root,root)
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
%doc %{DOCDIR}/adminguide
%doc %{DOCDIR}/images
%files contrib
%defattr(-,root,root)
%{_libdir}/openldap/addpartial.*
%{_libdir}/openldap/allowed.*
%{_libdir}/openldap/allop.*
%{_libdir}/openldap/autogroup.*
%{_libdir}/openldap/lastbind.*
%{_libdir}/openldap/noopsrch.*
%{_libdir}/openldap/nops.*
%{_libdir}/openldap/pw-sha2.*
%{_libdir}/openldap/pw-pbkdf2.*
%{_libdir}/openldap/denyop.*
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/smbk5pwd.*
%{_libdir}/openldap/trace.*
%files client
%defattr(-,root,root)
%doc %{_mandir}/man1/ldap*
%doc %{_mandir}/man5/ldif.*
%dir /etc/openldap
/usr/sbin/schema2ldif
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldapsearch
/usr/bin/ldappasswd
/usr/bin/ldapurl
/usr/bin/ldapwhoami
%files -n libldap-2_4-2
%defattr(-,root,root)
%{_libdir}/liblber*2.4.so.*
%{_libdir}/libldap*2.4.so.*
%files devel
%defattr(-,root,root)
%doc %{_mandir}/man3/ber*
%doc %{_mandir}/man3/lber*
%doc %{_mandir}/man3/ld_errno*
%doc %{_mandir}/man3/ldap*
%{_includedir}/*.h
%{_libdir}/liblber.so
%{_libdir}/libldap*.so
%files devel-static
%defattr(-,root,root)
%_libdir/liblber.a
%_libdir/libldap*.a
%files ppolicy-check-password
%defattr(-,root,root)
%doc %{ppolicy_docdir}/
%config(noreplace) /etc/openldap/check_password.conf
%{_libdir}/openldap/ppolicy-check-password.*
%{_mandir}/man5/ppolicy-check-password.*
%changelog
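Review bot: `./configure ... || cat config.log` in %build turns a failed configure into a successful command (the pipeline's status is that of `cat`), so the build proceeds to `make depend` with whatever configure left behind and the real failure surfaces only as a later, less obvious make error; `|| { cat config.log; exit 1; }` keeps the diagnostic and stops the build where the problem is. Separately, check_password.conf is installed under `%{buildroot}%{_sysconfdir}/openldap/` in %install but listed as `%config(noreplace) /etc/openldap/check_password.conf` in %files; using `%{_sysconfdir}` in both places keeps them from drifting. The CFLAGS exported at the top of %build are not referenced by the ppolicy-check-password Makefile shipped in this commit (its `OPT` line hard-codes `-g -O2`), so the `%{optflags}` set for the rest of the package appear not to reach that module.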

182
ppolicy-check-password.5 Normal file

@ -0,0 +1,182 @@
.\"/*
.\" * All rights reserved
.\" * Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
.\" * Authors: Howard Guo <hguo@suse.com>
.\" *
.\" * This program is free software; you can redistribute it and/or
.\" * modify it under the terms of the GNU General Public License
.\" * as published by the Free Software Foundation; either version 2
.\" * of the License, or (at your option) any later version.
.\" *
.\" * This program is distributed in the hope that it will be useful,
.\" * but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" * GNU General Public License for more details.
.\" */
.\"
.TH PPOLICY-CHECK-PASSWORD 5 "2016/02/18" "OpenLDAP password quality check"
.SH NAME
ppolicy\-check\-password \- Password quality checker for OpenLDAP ppolicy overlay
.SH SYNOPSIS
pwdCheckModule ppolicy-check-password.so
.SH DESCRIPTION
ppolicy\-check\-password is an implementation of password quality check module, it can be plugged into OpenLDAP
.BR slapo\-ppolicy (5)
overlay to enforce organisational password strength policies for password-change operations.
.SH PREREQUISITES
In order to use the module, you should enable and configure
.BR slapo\-ppolicy (5)
overlay on the OpenLDAP server. You may use the following example to enable ppolicy overlay:
.HP 4
Enable ppolicy overlay
To enable ppolicy overlay on the server using static configuration file
.BR slapd.conf (5)
, first enable ppolicy schema by adding line:
.br
include /etc/openldap/schema/ppolicy.schema
and then append the following lines to the database definition in which password policy should be enforced:
.br
overlay ppolicy
.br
ppolicy_default "cn=PolicyContainer,dc=my-domain,dc=com"
Save slapd.conf and (re)start OpenLDAP server.
If you use cn=config (online configuration) instead of static configuration file, add the schema /etc/openldap/schema/ppolicy.ldif to cn=schema,cn=config, then enable ppolicy overlay in olcDatabase.
.LP
.HP 4
Create ppolicy container entry
The ppolicy container entry stores attributes that describe the password policy in detail, create the entry with
.BR ldapadd (1)
:
.br
dn: cn=PolicyContainer,dc=my-domain,dc=com
.br
cn: PolicyContainer
.br
objectClass: pwdPolicy
.br
objectClass: person
.br
objectClass: top
.br
pwdAllowUserChange: TRUE
.br
pwdAttribute: userPassword
.br
pwdCheckQuality: 2
.br
pwdExpireWarning: 600
.br
pwdFailureCountInterval:
.br
pwdGraceAuthNLimit: 5
.br
pwdInHistory: 5
.br
pwdLockout: TRUE
.br
pwdLockoutDuration: 0
.br
pwdMaxAge: 0
.br
pwdMaxFailure:
.br
pwdMinAge: 0
.br
pwdMinLength: 5
.br
pwdMustChange: FALSE
.br
pwdSafeModify: FALSE
.br
sn: dummy value
.br
The password policy becomes effective immediately, there is no need to restart OpenLDAP server.
.LP
.HP 4
Enable ppolicy-check-password.so module
Modify the ppolicy container entry with
.BR ldapmodify (1)
:
.br
dn: cn=PolicyContainer,dc=my-domain,dc=com
.br
changeType: modify
.br
add: objectClass
.br
objectClass: pwdPolicyChecker
.br
\-
.br
add: pwdCheckModule
.br
pwdCheckModule: ppolicy-check-password.so
The password check module becomes effective immediately, there is no need to restart OpenLDAP server.
.LP
.SH CONFIGURATION
The password check module reads configuration parameters from
.B /etc/openldap/check_password.conf
Edits made to the configuration file become effective immediately, there is no need to restart OpenLDAP server.
List of parameters:
.TP
.BI use_cracklib \ 1|0
CrackLib is a library for checking that a password is not easily crackable, making sure that the password is not based on simple patterns or dictionary words. If the parameter is set to 1, cracklib will be involved and new passwords must pass cracklib quality check in addition to all other policies such as min_points
.TP
.BI min_points \ <integer>
The parameter holds an integer value in between 0 and 4. The value denotes "quality points" that a password must acquire in order to pass the check. Usage of each character class awards one quality point. If the parameeter is set to 0, the check is disabled.
The character classes are: upper case letters, lower case letters, numeric digits, punctuations.
.TP
.BI min_upper \ <integer>
The minimal number of upper case characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI min_lower \ <integer>
The minimal number of lower case characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI min_digit \ <integer>
The minimal number of numeric digit characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI min_punct \ <integer>
The minimal number of punctuation characters a password must contain. If the parameter is set to 0, the check is disabled.
.TP
.BI max_consecutive_per_class \ <integer>
The maximum number of characters from each character class that may appear consecutively. If the parameter is set to 0, the check is disabled.
.SH USAGE
After the module is enabled, the OpenLDAP server will invoke the password checker module on every user password change, the new user password must pass all quality checks before it is accepted. If the new password does not pass quality checks, the detailed reason will be logged on the OpenLDAP server, and the client will receive a Constraint Violation and a generic error message "Password fails quality checking policy" \- the lack of details is by design.
If the password change is carried out by RootDN, password checker module will not enforce the quality checks, and any password is acceptable.
.SH FILES
.TP
/etc/openldap/check_password.conf
Define the password strength policy.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd (8),
.BR slapo\-ppolicy (5)
.SH ACKNOWLEDGEMENTS
.P
The module was originally authored by LTB-project (ltb\-project.org), and further maintained by Onyx Point (onyxpoint.com).


@ -0,0 +1,43 @@
LDAP_SRC = ../../..
LDAP_BUILD = $(LDAP_SRC)
LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
$(LDAP_BUILD)/libraries/liblber/liblber.la
LIBTOOL = $(LDAP_BUILD)/libtool
CC = gcc
OPT = -g -O2 -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -lcrack
INCS = $(LDAP_INC)
LIBS = $(LDAP_LIB)
PROGRAMS = ppolicy-check-password.la
LTVER = 0:0:0
prefix=/usr/local
exec_prefix=$(prefix)
ldap_subdir=/openldap
libdir=$(exec_prefix)/lib64
libexecdir=$(exec_prefix)/libexec
moduledir=$(libdir)$(ldap_subdir)
.SUFFIXES: .c .o .lo
.c.lo:
$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
all: $(PROGRAMS)
ppolicy-check-password.la: check_password.lo
$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
-rpath $(moduledir) -module -o $@ $? $(LIBS)
clean:
rm -rf *.o *.lo *.la .libs
install: $(PROGRAMS)
mkdir -p $(DESTDIR)$(moduledir)
for p in $(PROGRAMS) ; do \
$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
done
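Review bot: `OPT = -g -O2 -Wall -fpic ...` never references `$(CFLAGS)`, so the flags the spec exports in %build (`export CFLAGS="%{optflags} ..."`) are ignored for this module while every other object in the package gets them, and the distribution's optflags typically carry the hardening options a security module should be built with; `CFLAGS ?= -g -O2` followed by `OPT = $(CFLAGS) -Wall -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\""` keeps standalone builds working and lets the packaged build inherit its flags. `-lcrack` also sits in OPT, so it is handed to every compile step (where it does nothing) and lands before the object on the link line; `LIBS = $(LDAP_LIB) -lcrack` is the conventional placement. The file header for this section is missing on the page; the name is presumably the `%{name_ppolicy_check_module}.Makefile` that the spec lists as Source201.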


@ -0,0 +1,7 @@
use_cracklib 1
min_points 3
min_upper 0
min_lower 0
min_digit 0
min_punct 0
max_consecutive_per_class 5
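Review bot: All four per-class minima (`min_upper`, `min_lower`, `min_digit`, `min_punct`) are shipped as 0, so the only checks that remain effective are `min_points 3`, `max_consecutive_per_class 5` and the dictionary check switched on by `use_cracklib 1`; whether that is the intended baseline deserves a comment, as the file has none. A header such as `# Password quality policy enforced by the ppolicy-check-password module; see its manual page for each key` would also tell an administrator where the keys are documented. Presumably the cracklib check only has an effect when the module was built with `-DHAVE_CRACKLIB` (as the Makefile in this commit does) and the compiled-in dictionary exists — worth stating next to `use_cracklib`.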

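--- /dev/null
+++ b/sasl-slapd.conf
@@ -0,0 +1 @@
+mech_list: gssapi digest-md5 cram-md5 external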
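Review bot: `mech_list` advertises `digest-md5` and `cram-md5`, both deprecated mechanisms (DIGEST-MD5 was moved to Historic by RFC 6331) that require the server to hold a cleartext-equivalent secret for the user. Unless that compatibility is a stated requirement, trimming the list to `mech_list: gssapi external` (plus a SCRAM mechanism if the installed libsasl2 provides one) reduces what the server offers to clients. At minimum a comment in the file should record why the MD5 mechanisms are kept, since this file is otherwise undocumented.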

53
schema2ldif Normal file

@ -0,0 +1,53 @@
#!/bin/bash
#
# This is a simple tool to convert OpenLDAP Schema files to
# LDIF suitable for usage with OpenLDAP's dynamic configuration
# backend (cn=config)
#
# usage:
# schema2ldif <input file>
#
# The generated LDIF is printed to stdout.
#
if [ -z "$1" ]; then
echo 'usage: schema2ldif <input file>'
exit;
fi
cn=`basename $1 .schema`
echo "dn: cn=$cn,cn=schema,cn=config";
echo "objectclass: olcSchemaConfig";
echo "cn: $cn";
/usr/bin/awk '
BEGIN {
buffer = "";
width=78 ;
}
function wrap(data)
{
if (length(data) > 0) {
do {
print substr(data,0,width);
data = " " substr(data, width+1);
}
while (length(data) > 1 )
};
}
/^[\t ]*$/ {wrap(buffer); buffer=""; print "#"; next; }
/^#.*$/ { wrap(buffer); buffer=""; print $0; next }
/^[\t ]+/ { gsub("^[\t ]+",""); buffer = buffer " " $0; next; }
{
wrap(buffer);
$1 = tolower($1) ;
gsub("^objectclass$","olcObjectclasses:",$1)
gsub("^attributetype$","olcAttributeTypes:",$1)
gsub("^attributetypes$","olcAttributeTypes:",$1)
gsub("^objectidentifier$","olcObjectIdentifier:",$1)
buffer = $0;
}
END { wrap(buffer); print "" }
' "$@"
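Review bot: In `wrap()` the line `print substr(data,0,width);` starts the substring at position 0; gawk and mawk clip that range to positions 1..width-1, so each emitted line holds 77 characters while the next iteration resumes at `width+1`, dropping the 78th character of every long definition from the generated LDIF. `print substr(data,1,width);` is the fix; bwk awk happens to return `width` characters here, so the corruption depends on which awk `/usr/bin/awk` resolves to. The usage branch ends with `exit;`, i.e. status 0, so a caller cannot detect the missing argument — `exit 1` is the expected convention. `$1` is also unquoted in the `basename` call and only the first argument is validated while all of them are passed through `"$@"`; quoting and either rejecting or documenting extra arguments would make the behaviour explicit.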

33
slapd-ldif-update-crc.sh Normal file

@ -0,0 +1,33 @@
#!/bin/bash
# Script to fix the crc of openldap slapd.d ldifs.
source /usr/lib/openldap/update-crc
if [ -z ${1} ]; then
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
exit 1
fi
if [ ! -f "${1}" ]; then
echo "File ${1} does not exist?"
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
exit 1
fi
# Make sure slapd.service is not running.
slapd_running=1
# Don't check if no systemd, we could be in a container.
if [ -f "/usr/bin/systemctl" ]; then
/usr/bin/systemctl is-active --quiet slapd.service
slapd_running=$?
fi
if [ $slapd_running -eq 0 ]; then
echo "Unable to update crc of '${1}' while slapd.service is running ..."
exit 1
fi
do_update_crc ${1}
echo "Updated crc of ${1}"

89
slapd.conf Normal file

@ -0,0 +1,89 @@
# This file (slapd.conf) is the static configuration file of OpenLDAP server daemon.
#
# OpenLDAP daemon (slapd.service) supports two configuration styles:
# - Simple configuration with this file
# - Online configuration (OLC)
#
# You may choose the configuration style by setting it in:
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="files|ldap"
# If the value is set to "files", this configuration file will be used.
# If the value is set to "ldap", this configuration file will be entirely ignored, and
# the OLC configuration from /etc/openldap/slapd.d will be loaded.
#
# If you decide to use online configuration, please read the additional instructions in:
# /etc/openldap/slapd.conf.olctemplate
#
# Feel free to customise this file according to your needs, and start OpenLDAP
# server daemon by executing:
# systemctl start slapd.service
#
# To verify that LDAP service is running properly, try the following command:
# ldapsearch -x -D cn=Manager,dc=my-domain,dc=com -w secret -s base namingContexts
#
# See slapd.conf(5) for details on configuration options.
# See /etc/openldap/slapd.conf.example for more examples.
# This file should NOT be world readable.
#
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args
# The following schema files are often useful
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
# Load backend modules such as databas engines
#modulepath /usr/lib64/openldap
#moduleload back_mdb.la
#moduleload back_hdb.la
#moduleload back_bdb.la
# Very important: define ACL to authorise client access
# The default settings permit rootdn to read and write, while other users
# may read the entire database or change their own password.
# If no ACL is present, everyone will be allowed to read the database.
# rootdn can always read and write everything.
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
# Define a LDAP database
database mdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Please avoid using clear text for root password
# See slappasswd(8) for instructions on creating a salted+hashed password
rootpw secret
# The database directory must exist prior to the start of OpenLDAP daemon
# The directory should be owned by ldap user and permission 0700 is recommended
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
# Using TLS to secure communication between LDAP clients and the server is strongly recommended.
# To enable TLS, you will need CA certificate, server certificate, and certificate key, and
# write down their paths below, make sure the files are readable by user "ldap".
# The server will then support StartTLS on standard port 389.
# To also serve LDAPS on port 636, set OPENLDAP_START_LDAPS="yes" in /etc/sysconfig/openldap.
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
#TLSCACertificateFile /my/ca.crt
#TLSCertificateFile /my/tls.crt
#TLSCertificateKeyFile /my/tls.key
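Review bot: The shipped default combines `rootpw secret` with a catch-all `access to * by * read`, so a fresh install exposes the whole directory to anonymous clients and carries a guessable, documented rootdn password — the opposite of what the header's "This file should NOT be world readable" is guarding. slapd.conf.example in the same commit already uses `by users read` / `by * auth` for its catch-all and explains that rootpw is best left unset; aligning this file, e.g. `access to *` / `by users read` / `by * auth`, and commenting `rootpw` out with a pointer to slappasswd(8), would make the secure configuration the default. `#TLSProtocolMin 3.1` selects TLS 1.0, which is deprecated; if the block is meant to be uncommented as-is, `3.3` (TLS 1.2) is the better floor. Minor: `databas engines` in the module comment.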

354
slapd.conf.example Normal file

@ -0,0 +1,354 @@
############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################
#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------
# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99
# only alter this when you know what you're doing
#threads 4
# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# for more debugging set:
#loglevel config stats stats2
loglevel stats
#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------
# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_
#moduleload back_
#moduleload back_mdb
#moduleload back_meta
#moduleload back_sock
# Load additional overlay modules installed by package 'openldap2'
# The following overlay are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort
# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd
#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------
# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema
# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema
# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema
# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema
#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------
# require at least TLS 1.0 and highly secure ciphers
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
# TLS certificate and key files
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------
#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"
#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------
#disallow bind_anon
#require bind LDAPv3 strong
# SSF value for ldapi://
localSSF 256
# minimum required SSF value (security strength factor)
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
security ssf=0
#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------
# Root DSE: allow anyone to read it
access to
dn.base=""
by * read
# Sub schema sub entry: allow anyone to read it
access to
dn.base="cn=Subschema"
by * read
#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
authz-regexp
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
# this maps the attribute uid to a LDAP entry
# if one of the typical password-based SASL mechs was used
authz-regexp
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
"ldap:///dc=example,dc=com??sub?(uid=$1)"
# this maps the attribute uid to a LDAP entry
# if one of the Kerberos based SASL mechs was used
#authz-regexp
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
#authz-regexp
# "(.+)"
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
#===========================================================================
# Database specific configuration sections below
# Required order of databases:
# config (first), ...others..., monitor (last)
#===========================================================================
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to
dn.subtree="cn=config"
by dn.exact="cn=root,dc=example,dc=com" manage
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
by * none
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
# rootdn has to be set for overlays' internal operations
rootdn "cn=root,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
rootpw secret
# The database directory MUST exist prior to running slapd and
# SHOULD only be accessible by the slapd user 'ldap'.
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
directory /var/lib/ldap/example-db
# Permissions of database files created
mode 0600
# extra information to be available in cn=monitor for this database
monitoring on
# Perform ACL checks on the content of a new entry being added
add_content_acl on
# backend-specific database parameters
checkpoint 1024 5
# 100 MB (you can raise the limit later)
maxsize 104857600
# Indices to maintain
#
# Whenever you change indexing configuration you have to re-run slapindex
# while slapd being stopped!
# Don't forget to fix ownership/permissions of newly generated index files
# afterwards!
# set always!
index objectClass eq
# for typical address book use
index cn,sn,givenName,mail eq,sub
# for user management
index uid,uidNumber,gidNumber eq
# for authz-regexp mapping of Kerberos principal name
#index krbPrincipalName,krbPrincipalAlias eq
# for authz-regexp mapping of client cert subject DNs
#index seeAlso eq
# for syncrepl
index entryUUID,entryCSN eq
# access control lists (ACLs) for dc=example,dc=com
# see slapd.access(5) for details on access control lists (ACLs)
# full read access also to 'userPassword' for group of replicas
# and control is forwarded to subsequent ACLs
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
by * break
# write-only access to 'userPassword' for user, auth access else
access to
attrs=userPassword
by self =w
by * auth
# 'userPKCS' must only be accessible by self
access to
attrs=userPKCS12
by self write
by * none
# No access to history of passwords
#access to
# attrs=pwdHistory
# by * none
# Catch-all ACL for the rest
access to
dn.subtree=dc=example,dc=com
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
by self read
by users read
by * auth
# see slapo-ppolicy(5)
overlay ppolicy
# Default password policy entry
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
# Hash clear-text userPassword values sent in with add/modify operations
#ppolicy_hash_cleartext
# Return AccountLocked error code to client
#ppolicy_use_lockout
# see slapo-refint(5)
overlay refint
refint_attributes member seeAlso
refint_nothing cn=dummy
# Check sub-tree wide uniqueness of certain attributes
# see slapo-unique(5)
# you have to add eq-index for efficient uniqueness check!
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
overlay unique
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
#overlay syncprov
#mirrormode on
#---------------------------------------------------------------------------
# cn=monitor // Monitoring database (always last!)
# see slapd-monitor(5)
#---------------------------------------------------------------------------
database monitor
access to
dn.subtree="cn=monitor"
by dn.exact="cn=root,dc=example,dc=com" write
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
by users read
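Review bot: `security ssf=0` is the active setting while the stronger `#security ssf=128 update_ssf=256 simple_bind=128` line above it is commented out, so the example as shipped imposes no transport-security requirement on any bind or update; since the header already warns that settings must be adjusted, a comment on the `security ssf=0` line stating that it disables the requirement and exists only for local testing would stop it being copied verbatim. The comment `require at least TLS 1.0` over `#TLSProtocolMin 3.1` documents an obsolete floor; `3.3` (TLS 1.2) is the appropriate value today. `rootpw secret` on the dc=example database contradicts the comment directly above it, and with the `authz-regexp` mapping of local root via ldapi:/// already present the example could omit rootpw as its own comment recommends. Minor wording: `Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt` has a stray parenthesis, and `be avoid!` (twice) should read `be avoided!`.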

46
slapd.conf.olctemplate Normal file

@ -0,0 +1,46 @@
# This file (slapd.conf.olctemplate) is a template for creating the initial
# online configuration for OpenLDAP server daemon.
#
# In order to use online configuration for OpenLDAP server daemon, make sure to set:
# /etc/sysconfig/openldap OPENLDAP_CONFIG_BACKEND="ldap"
#
# Before starting the OpenLDAP daemon (slapd.conf) with onlne configuration for
# the very first time, you have to prepare the online configuration directory
# from this template file - first, make necessary customisations if you wish, and then
# run:
# cd /etc/openldap && slaptest -f slapd.conf.olctemplate -F slapd.d
#
# Then you may start OpenLDAP daemon:
# systemctl start slapd.service
#
# To verify that LDAP service is running properly, try the following command:
# ldapsearch -x -D cn=admin,cn=config -w secret -b cn=config
#
# See slapd.conf(5) for details on configuration options.
# See /etc/openldap/slapd.conf.example for more examples.
# This file should NOT be world readable.
#
pidfile /run/slapd/slapd.pid
argsfile /run/slapd/slapd.args
# The following schema files are often useful
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
# Load backend modules such as database engines
# modulepath /usr/lib64/openldap
# moduleload back_mdb.la
# moduleload back_hdb.la
# moduleload back_bdb.la
# Define the config database that holds all online configurations
database config
rootdn "cn=admin,cn=config"
# Please avoid using clear text for root password
# See slappasswd(8) for instructions on creating a salted+hashed password
rootpw secret
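Review bot: `rootpw secret` for the cn=config database means that, once `slaptest -f slapd.conf.olctemplate -F slapd.d` is run as the header instructs, the configuration database is protected by a well-known cleartext password persisted into slapd.d. The comment directly above asks the administrator to avoid cleartext, yet the template makes the insecure choice the default; either ship the line commented with a placeholder, `#rootpw {SSHA}<hash produced by slappasswd(8)>`, or point to the ldapi:/// + SASL/EXTERNAL root mapping that slapd.conf.example in this commit uses instead of a rootpw. Minor: `onlne configuration` in the header comment.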

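--- /dev/null
+++ b/slapd.service
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network.target
+[Service]
+Type=forking
+ExecStart=/usr/lib/openldap/start
+[Install]
+WantedBy=multi-user.target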
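Review bot: `Type=forking` is used without a `PIDFile=`, so systemd has to guess the main process after /usr/lib/openldap/start execs slapd and it detaches; `PIDFile=/run/slapd/slapd.pid` (the path slapd.conf in this commit configures) makes process tracking and `systemctl stop` deterministic. `After=syslog.target` is an obsolete target on current systemd and can be dropped. The unit carries no sandboxing directives; for a network-facing daemon `PrivateTmp=yes` and `ProtectHome=yes` are low-risk additions, whereas `ProtectSystem=full` would conflict with the `chown -R` of /etc/openldap/slapd.d that the start script performs, so that one needs evaluating against the paths the script writes.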

178
start Normal file

@ -0,0 +1,178 @@
#! /bin/sh
# Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# Author: Carsten Hoeger
# Ralf Haferkamp
#
# /etc/init.d/ldap
#
### BEGIN INIT INFO
# Provides: ldap
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: OpenLDAP Server (slapd)
# Description: Start and Stop the OpenLDAP Server (slapd) to
# provide LDAP directory services.
### END INIT INFO
# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}
test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
SLAPD_BIN=/usr/sbin/slapd
LDAP_URLS=""
LDAPS_URLS=""
LDAPI_URLS=""
SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d"
SLAPD_PID_DIR="/var/run/slapd/"
test -x $SLAPD_BIN || exit 5
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
function init_ldap_listener_urls(){
case "$OPENLDAP_START_LDAP" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAP_INTERFACES" ]
then
for iface in $OPENLDAP_LDAP_INTERFACES ;do
LDAP_URLS="$LDAP_URLS ldap://$iface"
done
else
LDAP_URLS="ldap:///"
fi
;;
esac
}
function init_ldapi_listener_urls(){
case "$OPENLDAP_START_LDAPI" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAPI_INTERFACES" ]
then
for iface in $OPENLDAP_LDAPI_INTERFACES ;do
esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g`
LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface"
done
else
LDAPI_URLS="ldapi:///"
fi
;;
esac
}
function init_ldaps_listener_urls(){
case "$OPENLDAP_START_LDAPS" in
[Yy][Ee][Ss])
if [ -n "$OPENLDAP_LDAPS_INTERFACES" ]
then
for iface in $OPENLDAP_LDAPS_INTERFACES ;do
LDAPS_URLS="$LDAPS_URLS ldaps://$iface"
done
else
LDAPS_URLS="ldaps:///"
fi
;;
esac
}
function check_connection(){
SLAPD_TIMEOUT=10
START=$( date +%s)
while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do
ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null
LDAPSEARCH_RC=$?
if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break
else sleep 1
fi
done
}
depth=0;
USER_CMD=""
GROUP_CMD=""
[ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER"
[ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP"
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
if [ -f /etc/openldap/UPDATE_NEEDED ]; then
rc_failed 6
echo " The configuration of your LDAP server needs to be updated."
echo " Please see /usr/share/doc/packages/openldap2/README.update"
echo " for details."
echo " After the update please remove the file:"
echo " /etc/openldap/UPDATE_NEEDED"
rc_status -v
exit
fi
# chown backend directories if OPENLDAP_CHOWN_DIRS ist set
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
# assume back-config usage if slapd.conf is not present but slapd.d is
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
else
chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
fi
if test -f /etc/sasl2/slapd.conf ; then
chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
if test -f $keytabfile ; then
chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null
chmod g+r $keytabfile 2>/dev/null
fi
fi
fi
fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB
fi
case "$OPENLDAP_REGISTER_SLP" in
[Yy][Ee][Ss])
SLAPD_SLP_REG="-o slp=on"
;;
*)
SLAPD_SLP_REG="-o slp=off"
;;
esac
init_ldap_listener_urls
init_ldapi_listener_urls
init_ldaps_listener_urls
if [ ! -d $SLAPD_PID_DIR ]; then
mkdir -p $SLAPD_PID_DIR
chown ldap:ldap $SLAPD_PID_DIR
fi
echo -n "Starting ldap-server"
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
$SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \
$OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG
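Review bot: In `elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]` the second operand is a bare non-empty string, which is always true, so the branch fires whenever slapd.conf is absent regardless of whether slapd.d exists; `-d /etc/openldap/slapd.d` is what the comment above it describes. The script is started with `#! /bin/sh` but relies on bash features (`function`, `&>/dev/null`, `${OPENLDAP_KRB5_KEYTAB/#FILE:/}`), which only works where /bin/sh is bash — `#!/bin/bash` states the dependency and avoids `&>` being parsed as a background operator elsewhere. `check_connection` is defined but never called, and `OPENLDAP_MEMORY_LIMIT` from sysconfig.openldap is never read here. The `chown -R $OPENLDAP_USER /etc/openldap/slapd.d` hands the whole online-config tree, which can hold rootpw values, to the service user on every start; that is needed for back-config writes, but a comment saying so and that the directory should remain mode 0700 would help reviewers.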

160
sysconfig.openldap Normal file

@ -0,0 +1,160 @@
## Path: Network/LDAP
## Description: Basic Configuration of the OpenLDAP Directory Server
## Type: yesno
## Default: yes
## ServiceRestart: ldap
#
# If set to "no" the LDAP server will not accept any "normal" LDAP connections
# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
# "yes".
#
OPENLDAP_START_LDAP="yes"
## Type: yesno
## Default: no
## ServiceRestart: ldap
#
# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
# to the /etc/openldap/slapd.conf (man slapd.conf).
# Note: Don't confuse this with "START_TLS", the preferred method for
# making encrypted LDAP connections, which is enabled as soon as You
# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
# file
#
OPENLDAP_START_LDAPS="no"
## Type: yesno
## Default: no
## ServiceRestart: ldap
#
# If set to "yes", "ldap over IPC" feature of slapd will be enabled.
# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
# Default: no
#
OPENLDAP_START_LDAPI="yes"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# If not empty, additional parameters for slapd daemon.
# Default: ""
#
OPENLDAP_SLAPD_PARAMS=""
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a user, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_USER="ldap"
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a group, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_GROUP="ldap"
## Type: yesno
## Default: yes
## ServiceRestart: ldap
#
# If set to "yes" the init scripts will change the owner/group of the
# different configuration directories (e.g. /etc/openldap/slapd.h) to the
# user/group specified above.
#
# Chown of the database directory is your responsibility (ie /var/lib/ldap)
#
OPENLDAP_CHOWN_DIRS="yes"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the interfaces that the server such accept
# LDAP connections from. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# portnumber, the daemon should listen to (defaulting to 389). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAP_INTERFACES=""
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the interfaces that the server such accept
# LDAPS connections from. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# portnumber, the daemon should listen to (defaulting to 636). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAPS_INTERFACES=""
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Use this to specify the paths of the Unix Domain Sockets that
# the server should create an accept incoming LDAPI connections
# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
# is set to "yes".
# Default: ""
#
OPENLDAP_LDAPI_INTERFACES=""
## Type: yesno
## Default: "yes"
## ServiceRestart: ldap
#
# If set to "no" the LDAP server will not try itself at a running SLP
# daemon.
# Default: "yes"
#
OPENLDAP_REGISTER_SLP="no"
## Type: string
## Default: ""
## ServiceRestart: ldap
#
# Set this to the name of the keytab, if you want to use a non-default
# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
# this file will be changed so that the group OPENLDAP_GROUP has read
# access to the file.
# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab
# Default: ""
#
OPENLDAP_KRB5_KEYTAB=""
## Type: string
## Default: "files"
## ServiceRestart: ldap
#
# Here you can configure which of the configuration backends you want to
# use. Possible values are "files" for slapd.conf(5) styleconfiguration or
# "ldap" for the slapd-config(5) LDAP based configuration backend.
#
OPENLDAP_CONFIG_BACKEND="files"
## Type: yesno
## Default: "yes"
## ServiceRestart: ldap
#
# Here you can configure if the slapd shall start with or without memory limit.
#
OPENLDAP_MEMORY_LIMIT="yes"

67
update-crc.sh Normal file

@ -0,0 +1,67 @@
#!/bin/bash
# Script to fix the crc of openldap slapd.d ldifs.
do_update_crc () {
if [ -z ${1} ]; then
echo "Invalid call to do_update_crc() - no filename provided"
exit 1
fi
tgt_ldif=$1
if [ ! -f "${tgt_ldif}" ]; then
echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
exit 1
fi
rm -f "${tgt_ldif}.crcbak"
mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
/usr/bin/awk '
BEGIN {
# CRC-32 ZIP polynomial in reversed bit order.
POLY = 0xedb88320
# 8-bit character -> ordinal table.
for (i = 0; i < 256; i++)
ORD[sprintf("%c", i)] = i
}
{
# Remember each input line.
input[NR] = $0
# Verify the file header.
if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
exit 1
if (NR == 2 && $0 !~ /# CRC32 ......../)
exit 1
}
# Calculate CRC-32.
function crc32(crc, string, i, j, c) {
crc = and(compl(crc), 0xffffffff)
for (i = 1; i <= length(string); i++) {
c = substr(string, i, 1)
crc = xor(crc, ORD[c])
for (j = 0; j < 8; j++)
crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
}
crc = and(compl(crc), 0xffffffff)
return crc
}
END {
# Calculate CRC-32 of the file and update it in the header.
crc = 0
for (i = 3; i <= length(input); i++)
crc = crc32(crc, input[i] "\n")
input[2] = "# CRC32 " sprintf("%08x", crc)
# Print the output.
for (i = 1; i <= length(input); i++)
print input[i]
}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
}
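Review bot: `do_update_crc` moves the original file to `${tgt_ldif}.crcbak` and recreates `${tgt_ldif}` through a shell redirection, so the rewritten slapd.d ldif receives the invoking user's ownership and umask instead of the original's owner and mode; for config ldifs that carry rootpw values this can turn a 0600 ldap-owned file into a root-owned, group/world-readable one, and slapd running as `ldap` may then be unable to read or write it. Preserving metadata — e.g. copying with `cp -p` first, or applying `chown --reference`/`chmod --reference` from the `.crcbak` file after the awk — closes that gap. The awk exit status is also never checked: when the header check hits `exit 1` the END block still runs over the partial `input` array, the target is rewritten as a truncated file with a CRC of whatever was read, and the function returns success, so the caller in slapd-ldif-update-crc.sh prints "Updated crc". Capturing `$?`, restoring the backup on failure and returning non-zero would make the caller's check meaningful. The function body ends at the last line shown; the file may continue past it.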