Diffstat (limited to 'recipes-support/openldap')
24 files changed, 1341 insertions, 0 deletions
diff --git a/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch b/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
new file mode 100644
index 00000000..e8e731aa
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/add-tlscacert-option-to-ldap-conf.patch
@@ -0,0 +1,10 @@
+--- a/libraries/libldap/ldap.conf
++++ b/libraries/libldap/ldap.conf
+@@ -11,3 +11,7 @@
+ #SIZELIMIT 12
+ #TIMELIMIT 15
+ #DEREF never
++
++# TLS certificates (needed for GnuTLS)
++TLS_CACERT /etc/ssl/certs/ca-certificates.crt
++
diff --git a/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch b/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
new file mode 100644
index 00000000..d3f56c39
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/autogroup-makefile.patch
@@ -0,0 +1,35 @@
+--- a/contrib/slapd-modules/autogroup/Makefile
++++ b/contrib/slapd-modules/autogroup/Makefile
+@@ -2,11 +2,11 @@
+ 
+ LDAP_SRC = ../../..
+ LDAP_BUILD = ../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+- $(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++ $(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ DEFS =
+@@ -16,13 +16,13 @@ LIBS = $(LDAP_LIB)
+ PROGRAMS = autogroup.la
+ LTVER = 0:0:0
+ 
+-prefix=/usr/local
++prefix=/usr
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
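Review bot: The autogroup Makefile hunk hardcodes `$(LDAP_BUILD)/debian/build/include`, `$(LDAP_BUILD)/debian/build/libraries/...` and `$(LDAP_BUILD)/debian/build/libtool`, a Debian packaging build directory; a Yocto recipe that does not reproduce that layout will leave `LDAP_INC`, `LDAP_LIB` and `LIBTOOL` pointing at missing paths, so this should be confirmed against the recipe's compile step. The ldap.conf hunk makes clients verify server certificates against `/etc/ssl/certs/ca-certificates.crt`, which fails closed if the image ships no bundle at that path; the recipe should declare a runtime dependency on the package that installs it. None of the added patch files in this commit carries an `Upstream-Status:` line (e.g. `Upstream-Status: Inappropriate [debian-specific]` or `Upstream-Status: Pending`), which the Yocto patch conventions expect; the same applies to every other patch hunk in this commit.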
diff --git a/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch b/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
new file mode 100644
index 00000000..1b155291
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/contrib-modules-use-dpkg-buildflags.patch
@@ -0,0 +1,40 @@
+Description: pass CFLAGS to contrib builds
+ $(CFLAGS) is missing from the compiler invocations for autogroup and
+ smbk5pwd, which means they're not being hardened.
+Author: Simon Ruderich <simon@ruderich.org>
+Bug-Debian: http://bugs.debian.org/663724
+
+--- a/contrib/slapd-modules/autogroup/Makefile
++++ b/contrib/slapd-modules/autogroup/Makefile
+@@ -27,12 +27,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
+ .SUFFIXES: .c .o .lo
+ 
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(DEFS) $(INCS) -c $<
+ 
+ all: $(PROGRAMS)
+ 
+ autogroup.la: autogroup.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -46,12 +46,12 @@ moduledir = $(libexecdir)$(ldap_subdir)
+ .SUFFIXES: .c .o .lo
+ 
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(DEFS) $(INCS) -c $<
+ 
+ all: $(PROGRAMS)
+ 
+ smbk5pwd.la: smbk5pwd.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
diff --git a/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch b/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch
new file mode 100644
index 00000000..31cf6527
--- /dev/null
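Review bot: The new `.c.lo` rules for autogroup and smbk5pwd add `$(CFLAGS)` but still omit `$(CPPFLAGS)`, so hardening that a build system carries as preprocessor defines (dpkg-buildflags puts `-D_FORTIFY_SOURCE=2` there, and a Yocto environment may do likewise) is still dropped for these two modules, which only partly meets the stated goal of the patch. Changing both compile lines to `$(LIBTOOL) --mode=compile $(CC) $(OPT) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(INCS) -c $<` closes that gap. Whether the recipe actually exports `CPPFLAGS` into these contrib builds is not visible here and should be confirmed.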
+++ b/recipes-support/openldap/openldap-2.4.39/do-not-second-guess-sonames.patch 
@@ -0,0 +1,68 @@ +Rip out code that second-guesses the libsasl soname / Debian shlibs. If +cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream +there, not kludged around upstream here! + +Debian bug #546885 + +Upstream ITS #6302 filed. + +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -74,28 +74,6 @@ int ldap_int_sasl_init( void ) + /* XXX not threadsafe */ + static int sasl_initialized = 0; + +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." #pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- { int rc; +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- +- Debug( LDAP_DEBUG_ANY, +- "ldap_int_sasl_init: SASL library version mismatch:" +- " expected " SASL_VERSION_STRING "," +- " got %s\n", version, 0, 0 ); +- return -1; +- } +- } +-#endif + if ( sasl_initialized ) { + return 0; + } +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1145,26 +1145,6 @@ int slap_sasl_init( void ) + #endif + + #ifdef HAVE_CYRUS_SASL +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." 
#pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) +- { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:" +- " expected %s, got %s\n", +- SASL_VERSION_STRING, version, 0 ); +- return -1; +- } +-#endif + + sasl_set_mutex( + ldap_pvt_sasl_mutex_new, diff --git a/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch b/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch new file mode 100644 index 00000000..cd9bc267 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/evolution-ntlm.patch 
@@ -0,0 +1,222 @@ +Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is +actually called by evolution-data-server, checked at version 1.12.2. +Without this patch, the Exchange addressbook integration uses simple binds +with cleartext passwords. + +Russ checked with openldap-software for upstream's opinion on this patch +on 2007-12-21. Upstream had never received it as a patch submission and +given that it's apparently only for older Exchange servers that can't do +SASL and DIGEST-MD5, it's not very appealing. + +Bug#457374 filed against evolution-data-server asking if this support is +still required on 2007-12-21. + +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P(( + LDAPControl **ctrls, + LDAPDerefRes **drp )); + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +--- /dev/null ++++ b/libraries/libldap/ntlm.c +@@ -0,0 +1,138 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. 
++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include <stdlib.h> ++#include <stdio.h> ++ ++#include <ac/socket.h> ++#include <ac/string.h> ++#include <ac/time.h> ++#include <ac/errno.h> ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ 
if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} ++ +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -27,7 +27,7 @@ SRCS = bind.c open.c result.c error.c co + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c ldif.c fetch.c + + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ +@@ -40,7 +40,7 @@ OBJS = bind.lo open.lo result.lo error.l + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + + LDAP_INCDIR= ../../include +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -29,7 +29,7 @@ XXSRCS = apitest.c test.c \ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c 
ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c ldif.c fetch.c + SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \ + thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \ +@@ -47,7 +47,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpoo + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + + LDAP_INCDIR= ../../include diff --git a/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch b/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch new file mode 100644 index 00000000..418fe35b --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/fix-build-top-mk.patch @@ -0,0 +1,11 @@ +--- a/build/top.mk ++++ b/build/top.mk +@@ -20,7 +20,7 @@ + RELEASEDATE= @OPENLDAP_RELEASE_DATE@ + + @SET_MAKE@ +-SHELL = /bin/sh ++SHELL = @SHELL@ + + top_builddir = @top_builddir@ + diff --git a/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch b/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch new file mode 100644 index 00000000..1f0ca88f --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/fix-ftbfs-binutils-gold.patch 
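Review bot: In the new `ldap_ntlm_bind` in ntlm.c, the result of the first `ber_printf( ber, "{it{istON}" ... )` is stored in `rc` but never examined, so an encoding failure of the bind request body is only noticed if the later `"N}"` call happens to fail too; add `if ( rc == -1 ) { ld->ld_errno = LDAP_ENCODING_ERROR; ber_free( ber, 1 ); return ld->ld_errno; }` right after it, mirroring the existing `N}` handling. The `assert( msgidp != NULL )` immediately before the `if( msgidp == NULL )` guard makes the guard unreachable in debug builds; keep one or the other. In `ldap_parse_ntlm_bind_result`, `res` is asserted non-NULL but `challenge` is not, although `ber_scanf` writes an octet string through it; an `assert( challenge != NULL )` next to the other asserts would document the contract. The hunk's description already records that this NTLM path exists to avoid cleartext simple binds against older Exchange servers, which is worth carrying into a header comment in ntlm.c itself.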
@@ -0,0 +1,64 @@ +--- a/configure.in ++++ b/configure.in +@@ -1214,7 +1214,7 @@ if test $ol_link_tls = no ; then + ol_with_tls=gnutls + ol_link_tls=yes + +- TLS_LIBS="-lgnutls" ++ TLS_LIBS="-lgnutls -lgcrypt" + + AC_DEFINE(HAVE_GNUTLS, 1, + [define if you have GNUtls]) +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -51,21 +51,21 @@ LIB_DEFS = -DLDAP_LIBRARY + XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(LDAP_LIBLUTIL_A) + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) +-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) ++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(TLS_LIBS) + ifneq (,$(VERSION_OPTION)) + VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map + endif + + apitest: $(XLIBS) apitest.o +- $(LTLINK) -o $@ apitest.o $(LIBS) ++ $(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS) + dntest: $(XLIBS) dntest.o +- $(LTLINK) -o $@ dntest.o $(LIBS) ++ $(LTLINK) -o $@ dntest.o $(LIBS) $(TLS_LIBS) + ftest: $(XLIBS) ftest.o +- $(LTLINK) -o $@ ftest.o $(LIBS) ++ $(LTLINK) -o $@ ftest.o $(LIBS) $(TLS_LIBS) + ltest: $(XLIBS) test.o +- $(LTLINK) -o $@ test.o $(LIBS) ++ $(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS) + urltest: $(XLIBS) urltest.o +- $(LTLINK) -o $@ urltest.o $(LIBS) ++ $(LTLINK) -o $@ urltest.o $(LIBS) $(TLS_LIBS) + + CFFILES=ldap.conf + +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -60,7 +60,7 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $( + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + XXXLIBS = $(LTHREAD_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) +-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) ++UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) $(TLS_LIBS) + ifneq (,$(VERSION_OPTION)) + VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" + endif +@@ -80,9 +80,9 @@ clean-local: FORCE + depend-common: .links + + apitest: 
$(XLIBS) apitest.o +- $(LTLINK) -o $@ apitest.o $(LIBS) ++ $(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS) + ltest: $(XLIBS) test.o +- $(LTLINK) -o $@ test.o $(LIBS) ++ $(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS) + + install-local: $(CFFILES) FORCE + -$(MKDIR) $(DESTDIR)$(libdir) diff --git a/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch b/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch new file mode 100644 index 00000000..ab6e2b70 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/getaddrinfo-is-threadsafe.patch 
@@ -0,0 +1,43 @@ +Author: Steve Langasek <vorlon@debian.org> + +OpenLDAP upstream conservatively assumes that certain resolver functions +(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we +know that the glibc implementations of these functions are thread-safe, so +we should bypass the use of this mutex. This fixes a locking problem when +an application uses libldap and libnss-ldap is also used for hosts +resolution. + +Closes Debian bug #340601. + +Not suitable for forwarding upstream; might be made suitable by adding a +configure-time check for glibc and disabling the mutex only on known +thread-safe implementations. + +--- a/libraries/libldap/os-ip.c ++++ b/libraries/libldap/os-ip.c +@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf * + hints.ai_socktype = socktype; + snprintf(serv, sizeof serv, "%d", port ); + +- /* most getaddrinfo(3) use non-threadsafe resolver libraries */ +- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex); +- + err = getaddrinfo( host, serv, &hints, &res ); +- +- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex); +- + if ( err != 0 ) { + osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n", + AC_GAI_STRERROR(err), 0, 0); +--- a/libraries/libldap/util-int.c ++++ b/libraries/libldap/util-int.c +@@ -431,9 +431,7 @@ int ldap_pvt_get_hname( + int rc; + #if defined( HAVE_GETNAMEINFO ) + +- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex ); + rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 ); +- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex ); + if ( rc ) *err = (char *)AC_GAI_STRERROR( rc ); + return rc; + diff --git a/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch b/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch new file mode 100644 index 00000000..f6fa7ec8 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/heimdal-fix.patch 
@@ -0,0 +1,23 @@ +Author: Mattias Ellert <mattias.ellert@fysast.uu.se> +Description: adapt parameters of hdb_generate_key_set_password() to heimdal 1.6~git20120311 + . + With version heimdal 1.6~git20120311 heimdal schanged the number of parameters + of function hdb_generate_key_set_password(), implementing a fallback to "default" + values when NULL-values are passed for these parameters. + . + This patch does exactly that. + . +Bug-Debian: 664930 +Reviewed-by: Peter Marschall <peter@adpm.de> + +--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c ++++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c +@@ -470,7 +470,7 @@ static int smbk5pwd_exop_passwd( + } + + ret = hdb_generate_key_set_password(context, ent.principal, +- qpw->rs_new.bv_val, &ent.keys.val, &nkeys); ++ qpw->rs_new.bv_val, NULL, 0, &ent.keys.val, &nkeys); + ent.keys.len = nkeys; + hdb_seal_keys(context, db, &ent); + krb5_free_principal( context, ent.principal ); diff --git a/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch b/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch new file mode 100644 index 00000000..47fc88af --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/index-files-created-as-root.patch 
@@ -0,0 +1,37 @@ +Document in the man page that slapindex should be run as the same user +as slapd, and print a warning if it's run as root (since Debian defaults +to running slapd as openldap). + +Not suitable for upstream in this form. This patch needs to be reworked +to check the BerkeleyDB database ownership and only warn if running as +root with a database that's not owned by root. + +Upstream ITS #5356 filed requesting better handling of this. Current +upstream discussion leans towards putting the check into the database +backend and aborting if slapd is run as a different user than the database +owner, which is an even better fix. + +--- a/doc/man/man8/slapindex.8 ++++ b/doc/man/man8/slapindex.8 +@@ -148,6 +148,10 @@ + should not be running (at least, not in read-write + mode) when you do this to ensure consistency of the database. + .LP ++slapindex ought to be run as the user specified for ++.BR slapd (8) ++to ensure correct database permissions. ++.LP + This command provides ample opportunity for the user to obtain + and drink their favorite beverage. + .SH EXAMPLES +--- a/servers/slapd/slapindex.c ++++ b/servers/slapd/slapindex.c +@@ -34,6 +34,8 @@ + int + slapindex( int argc, char **argv ) + { ++ if (geteuid() == 0) ++ fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n"); + ID id; + int rc = EXIT_SUCCESS; + const char *progname = "slapindex"; diff --git a/recipes-support/openldap/openldap-2.4.39/install-strip.patch b/recipes-support/openldap/openldap-2.4.39/install-strip.patch new file mode 100644 index 00000000..2992b703 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/install-strip.patch 
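Review bot: The warning string added to `slapindex()` misspells the user-facing message (`Runnig as root!`); it should read `fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");`. The `if (geteuid() == 0)` statement is also inserted before the declarations `ID id;` and `int rc = EXIT_SUCCESS;`, which makes the block rely on C99 mixed declarations in a codebase that otherwise keeps declarations first; moving the check below the declarations avoids that. Whether `<unistd.h>` is already included for `geteuid()` is not visible in the hunk and should be confirmed. The rest of `slapindex()` lies outside the hunk.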
@@ -0,0 +1,14 @@ +# This patch ensures that the install operations which strip +# programs and libraries (LTINSTALL) work in a cross build +# environment. +--- openldap-2.2.24/.pc/install-strip.patch/build/top.mk 2005-01-20 09:00:55.000000000 -0800 ++++ openldap-2.2.24/build/top.mk 2005-04-16 13:48:20.536710376 -0700 +@@ -116,7 +116,7 @@ + LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \ + $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD) + +-LTINSTALL = $(LIBTOOL) --mode=install $(INSTALL) ++LTINSTALL = STRIPPROG="" $(LIBTOOL) --mode=install $(top_srcdir)/contrib/ldapc++/install-sh -c + LTFINISH = $(LIBTOOL) --mode=finish + + # Misc UNIX commands used in build environment diff --git a/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch b/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch new file mode 100644 index 00000000..e8aab912 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/ldap-conf-tls-cacertdir.patch 
@@ -0,0 +1,29 @@ +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,7 +317,7 @@ certificates in separate individual file + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. +-This parameter is ignored with GnuTLS. ++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS. + + When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key + database. If <path> contains a Mozilla NSS cert/key database and +@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS. + Specifies the file to obtain random bits from when /dev/[u]random is + not available. Generally set to the name of the EGD/PRNGD socket. + The environment variable RANDFILE can also be used to specify the filename. +-This parameter is ignored with GnuTLS and Mozilla NSS. ++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS. + .TP + .B TLS_REQCERT <level> + Specifies what checks to perform on server certificates in a TLS session, +@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation + used to verify if the server certificates have not been revoked. This + requires + .B TLS_CACERTDIR +-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. ++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS. + .B <level> + can be specified as one of the following keywords: + .RS diff --git a/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch b/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch new file mode 100644 index 00000000..a482bbfc --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/ldapi-socket-place.patch 
@@ -0,0 +1,16 @@ +Move the ldapi socket to /var/run/slapd from /var/run, since /var/run +is only writable by root and slapd runs as openldap. + +Debian-specific. + +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -39,7 +39,7 @@ + #define LDAP_ENV_PREFIX "LDAP" + + /* default ldapi:// socket */ +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi" + + /* + * SLAPD DEFINITIONS diff --git a/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch b/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch new file mode 100644 index 00000000..fb28f490 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/libldap-symbol-versions.patch 
@@ -0,0 +1,161 @@ +Add symbol versioning to the public LDAP libraries. This is required for +library transitions, such as the current transition from 2.1 to 2.4, +since programs will sometimes have both libraries loaded by different +dependency chains during the transition. + +Not yet contributed upstream. + +Upstream ITS #5365 filed requesting symbol versioning for libldap and +libber. + +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + XXXLIBS = $(LTHREAD_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" ++endif + + .links : Makefile + @for i in $(XXSRCS); do \ +--- a/build/top.mk ++++ b/build/top.mk +@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD) + # LINK_LIBS referenced in library and module link commands. 
+ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS) + ++# option to pass to $(CC) to support library symbol versioning, if any ++VERSION_OPTION = @VERSION_OPTION@ ++ + LTSTATIC = @LTSTATIC@ + + LTLINK = $(LIBTOOL) --mode=link \ +@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c + + LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ +- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) ++ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS) + + LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c +--- a/build/openldap.m4 ++++ b/build/openldap.m4 +@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT], + #endif + ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])]) + ]) ++ ++dnl ==================================================================== ++dnl check for symbol versioning support ++AC_DEFUN([OL_SYMBOL_VERSIONING], ++[AC_CACHE_CHECK([for .symver assembler directive], ++ [ol_cv_asm_symver_directive],[ ++cat > conftest.s <<EOF ++${libc_cv_dot_text} ++_sym: ++.symver _sym,sym@VERS ++EOF ++if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ ol_cv_asm_symver_directive=yes ++else ++ ol_cv_asm_symver_directive=no ++fi ++rm -f conftest*]) ++AC_CACHE_CHECK([for ld --version-script], ++ [ol_cv_ld_version_script_option],[ ++if test $ol_cv_asm_symver_directive = yes; then ++ cat > conftest.s <<EOF ++${libc_cv_dot_text} ++_sym: ++.symver _sym,sym@VERS ++EOF ++ cat > conftest.map <<EOF ++VERS_1 { ++ global: sym; ++}; ++ ++VERS_2 { ++ global: sym; ++} VERS_1; ++EOF ++ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared ++ -o conftest.so conftest.o ++ -Wl,--version-script,conftest.map ++ 1>&AS_MESSAGE_LOG_FD]); ++ then ++ ol_cv_ld_version_script_option=yes ++ else ++ ol_cv_ld_version_script_option=no ++ fi ++ else ++ 
ol_cv_ld_version_script_option=no ++ fi ++else ++ ol_cv_ld_version_script_option=no ++fi ++rm -f conftest*])]) +--- a/configure.in ++++ b/configure.in +@@ -1909,6 +1909,13 @@ else + fi + AC_SUBST(LTSTATIC)dnl + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +--- /dev/null ++++ b/libraries/libldap/libldap.map +@@ -0,0 +1,7 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ldap_*; ++ ldif_*; ++ local: ++ *; ++}; +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $( + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map ++endif + + apitest: $(XLIBS) apitest.o + $(LTLINK) -o $@ apitest.o $(LIBS) +--- a/libraries/liblber/Makefile.in ++++ b/libraries/liblber/Makefile.in +@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) + XXLIBS = + NT_LINK_LIBS = $(AC_LIBS) + UNIX_LINK_LIBS = $(AC_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map" ++endif + + dtest: $(XLIBS) dtest.o + $(LTLINK) -o $@ dtest.o $(LIBS) +--- /dev/null ++++ b/libraries/liblber/liblber.map +@@ -0,0 +1,8 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ber_*; ++ der_alloc; ++ lutil_*; ++ local: ++ *; ++}; diff --git a/recipes-support/openldap/openldap-2.4.39/man-slapd.patch b/recipes-support/openldap/openldap-2.4.39/man-slapd.patch new file mode 100644 index 00000000..5f551375 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/man-slapd.patch 
@@ -0,0 +1,60 @@ +Patch the slapd man page to not refer to a header file that isn't +installed with the slapd package and to reference the correct path +for slapd. + +Debian-specific. + +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B /usr/sbin/slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -103,11 +103,10 @@ + will not fork or disassociate from the invoking terminal. Some general + operation and status messages are printed for any value of \fIdebug-level\fP. + \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +-different kind of debugging information. See <ldap_log.h> for details. +-Comma-separated arrays of friendly names can be specified to select +-debugging output of the corresponding debugging information. +-All the names recognized by the \fIloglevel\fP directive +-described in \fBslapd.conf\fP(5) are supported. ++different kind of debugging information. Comma-separated arrays of friendly ++names can be specified to select debugging output of the corresponding ++debugging information. All the names recognized by the \fIloglevel\fP ++directive described in \fBslapd.conf\fP(5) are supported. + If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, + and slapd exits. + +@@ -317,7 +316,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ /usr/sbin/slapd + .ft + .fi + .LP +@@ -328,7 +327,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255 + .ft + .fi + .LP +@@ -336,7 +335,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ /usr/sbin/slapd \-Tt + .ft + .fi + .LP diff --git a/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch b/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch new file mode 100644 index 00000000..8e7812d2 --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/no-AM_INIT_AUTOMAKE.patch 
@@ -0,0 +1,25 @@ +Description: don't use AM_INIT_AUTOMAKE macro when we aren't using automake + Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not + using automake, and it confuses autoreconf. Use AC_INIT() instead. +Author: Steve Langasek <vorlon@debian.org> + +--- a/configure.in ++++ b/configure.in +@@ -26,7 +26,8 @@ dnl Configure.in for OpenLDAP + AC_COPYRIGHT([[Copyright 1998-2014 The OpenLDAP Foundation. All rights reserved. + Restrictions apply, see COPYRIGHT and LICENSE files.]]) + AC_REVISION([$Id: 81bd528fb5194c83d688db355737b7715448b958 $]) +-AC_INIT([OpenLDAP],,[http://www.openldap.org/its/]) ++AC_INIT([OpenLDAP],[$OL_VERSION],[http://www.openldap.org/its/]) ++AC_PROG_MAKE_SET + m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>]) + AC_CONFIG_SRCDIR(build/version.sh)dnl + dnl ---------------------------------------------------------------- +@@ -69,7 +70,6 @@ dnl Determine host platform + dnl we try not to use this for much + AC_CANONICAL_TARGET([]) + +-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl + AC_SUBST(PACKAGE)dnl + AC_SUBST(VERSION)dnl + AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package) diff --git a/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch b/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch new file mode 100644 index 00000000..db76aa7a --- /dev/null +++ b/recipes-support/openldap/openldap-2.4.39/no-bdb-ABI-second-guessing.patch 
@@ -0,0 +1,42 @@
+Author: Steve Langasek <vorlon@debian.org>
+Description: don't second-guess BDB ABI
+ OpenLDAP upstream conservatively assumes that any change to the version
+ number of libdb can result in an API-breaking change that could impact
+ the database. In Debian, we know that such changes require bumping the
+ library soname and changing the package name, and demand such rigor from
+ our package maintainers even when upstreams don't deliver; so any such
+ check in the source code works against the packaging system by forcing
+ database upgrades when we know none are required. Disable this check
+ so we rely on the packaging system to do its job.
+Bug-Debian: http://bugs.debian.org/651333
+Forwarded: not-needed
+
+--- a/servers/slapd/back-bdb/init.c
++++ b/servers/slapd/back-bdb/init.c
+@@ -762,7 +762,7 @@ bdb_back_initialize(
+ bi->bi_controls = controls;
+ 
+ { /* version check */
+- int major, minor, patch, ver;
++ int major, minor, patch;
+ char *version = db_version( &major, &minor, &patch );
+ #ifdef HAVE_EBCDIC
+ char v2[1024];
+@@ -776,17 +776,6 @@ bdb_back_initialize(
+ version = v2;
+ #endif
+ 
+- ver = (major << 24) | (minor << 16) | patch;
+- if( ver != DB_VERSION_FULL ) {
+- /* fail if a versions don't match */
+- Debug( LDAP_DEBUG_ANY,
+- LDAP_XSTRING(bdb_back_initialize) ": "
+- "BDB library version mismatch:"
+- " expected " DB_VERSION_STRING ","
+- " got %s\n", version, 0, 0 );
+- return -1;
+- }
+-
+ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize)
+ ": %s\n", version, 0, 0 );
+ }
diff --git a/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch b/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
new file mode 100644
index 00000000..5ea240f6
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/sasl-default-path.patch
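Review bot: Deleting the `DB_VERSION_FULL` comparison in `bdb_back_initialize` removes slapd's only runtime guard against loading back-bdb/back-hdb against a libdb other than the one it was compiled against, and the patch header justifies this purely by Debian's soname policy, which this OpenEmbedded recipe does not inherit — `DEPENDS = "... db"` in openldap_2.4.39.bb says nothing about which libdb version ends up on the target image. Without the check a mismatch presumably shows up as on-disk format problems at runtime rather than a clean refusal to start, which is the harder failure to diagnose. Either drop this patch from SRC_URI, or keep the `if( ver != DB_VERSION_FULL )` branch and turn the `return -1;` into a logged `Debug( LDAP_DEBUG_ANY, ...)` warning so the operator is at least told. `bdb_back_initialize` begins and continues outside the hunk.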
@@ -0,0 +1,55 @@
+Add /etc/ldap/sasl2 to the SASL configuration search path.
+
+Not submitted upstream. Somewhat Debian-specific and probably not of
+interest upstream.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -63,4 +63,6 @@
+ /* dn of the default "monitor" subentry */
+ #define SLAPD_MONITOR_DN "cn=Monitor"
+ 
++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
++
+ #endif /* _LDAP_CONFIG_H */
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper
+ };
+ #endif
+ 
++static int
++slap_sasl_getconfpath( void * context, char ** path )
++{
++ char * sasl_default_configpath;
++ size_t len;
++
++#if SASL_VERSION_MAJOR >= 2
++ sasl_default_configpath = "/usr/lib/sasl2";
++#else
++ sasl_default_configpath = "/usr/lib/sasl";
++#endif
++
++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
++ strlen(sasl_default_configpath) + 1 /* \0 */;
++ *path = malloc( len );
++ if ( *path == NULL )
++ return SASL_FAIL;
++
++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
++ sasl_default_configpath ) != len-1 )
++ return SASL_FAIL;
++
++ return SASL_OK;
++}
++
+ int slap_sasl_init( void )
+ {
+ #ifdef HAVE_CYRUS_SASL
+ int rc;
+ static sasl_callback_t server_callbacks[] = {
+ { SASL_CB_LOG, &slap_sasl_log, NULL },
++ { SASL_CB_GETCONFPATH, &slap_sasl_getconfpath, NULL },
+ { SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
+ { SASL_CB_LIST_END, NULL, NULL }
+ };
diff --git a/recipes-support/openldap/openldap-2.4.39/series b/recipes-support/openldap/openldap-2.4.39/series
new file mode 100644
index 00000000..2f47de32
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/series
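Review bot: In `slap_sasl_getconfpath` the `snprintf` failure branch returns `SASL_FAIL` while `*path` still points at the buffer just obtained from `malloc`, leaking it and handing the caller a non-NULL out-parameter together with an error code; release it first: `free( *path ); *path = NULL; return SASL_FAIL;`. The test `!= len-1` also compares the `int` result of `snprintf` with the `size_t` `len`, so a negative return is rejected only through unsigned promotion — an explicit `< 0` check followed by a comparison against `(int)(len - 1)` says what is meant. The fallback directory is hard-coded as `/usr/lib/sasl2`, which may not match the target's library directory on multilib layouts, so it is worth a comment noting the assumption. `slap_sasl_init` continues outside the hunk.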
@@ -0,0 +1,21 @@
+man-slapd
+evolution-ntlm
+slapi-errorlog-file
+ldapi-socket-place
+wrong-database-location
+index-files-created-as-root
+sasl-default-path
+libldap-symbol-versions
+getaddrinfo-is-threadsafe
+do-not-second-guess-sonames
+contrib-modules-use-dpkg-buildflags
+smbk5pwd-makefile
+autogroup-makefile
+ldap-conf-tls-cacertdir
+add-tlscacert-option-to-ldap-conf
+fix-ftbfs-binutils-gold
+fix-build-top-mk
+no-AM_INIT_AUTOMAKE
+switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
+no-bdb-ABI-second-guessing
+heimdal-fix
diff --git a/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch b/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
new file mode 100644
index 00000000..48994512
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/slapi-errorlog-file.patch
@@ -0,0 +1,16 @@
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir. Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+--- a/servers/slapd/slapi/slapi_overlay.c
++++ b/servers/slapd/slapi/slapi_overlay.c
+@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co
+ ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+ 
+ if ( slapi_log_file == NULL )
+- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+ 
+ rc = slapi_int_init_object_extensions();
+ if ( rc != 0 )
diff --git a/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch b/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
new file mode 100644
index 00000000..17d1b566
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/smbk5pwd-makefile.patch
@@ -0,0 +1,53 @@
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -14,17 +14,17 @@
+ 
+ LDAP_SRC = ../../..
+ LDAP_BUILD = ../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+- $(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/debian/build/servers/slapd -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++ $(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+ SSL_INC =
+-SSL_LIB = -lcrypto
++SSL_LIB = -lgcrypt
+ 
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = -I/usr/include
++HEIMDAL_LIB = -lkrb5 -lkadm5srv
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+@@ -35,13 +35,13 @@ LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_
+ PROGRAMS = smbk5pwd.la
+ LTVER = 0:0:0
+ 
+-prefix=/usr/local
++prefix=/usr
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
+@@ -55,7 +55,7 @@ smbk5pwd.la: smbk5pwd.lo
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
+- rm -rf *.o *.lo *.la .libs
++ $(LIBTOOL) --mode=clean rm -f
+ 
+ install: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
diff --git a/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch b/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
new file mode 100644
index 00000000..df2801f3
--- /dev/null
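Review bot: `HEIMDAL_INC = -I/usr/include` in the smbk5pwd Makefile puts the build host's system include directory on the compiler search path, which in an OpenEmbedded cross build pulls host headers into a target compilation — the same host-contamination concern the recipe itself cites when it disables the perl backend; with a sysroot the plain `-lkrb5 -lkadm5srv` suffices and the `-I/usr/include` should be removed. The new `clean:` rule `$(LIBTOOL) --mode=clean rm -f` names no files, so it deletes nothing; it needs operands such as `$(PROGRAMS) *.lo *.o`. Switching `SSL_LIB` from `-lcrypto` to `-lgcrypt` presumably depends on a companion source change not visible here, and the recipe's default PACKAGECONFIG selects openssl, so confirm the module actually compiles and links in this configuration before carrying the patch.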
+++ b/recipes-support/openldap/openldap-2.4.39/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch
@@ -0,0 +1,40 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load
+ non-trivial Perl extensions that require symbols from back_perl.so itself.
+Bug-Debian: http://bugs.debian.org/327585
+
+---
+--- a/servers/slapd/module.c
++++ b/servers/slapd/module.c
+@@ -117,6 +117,20 @@ int module_unload( const char *file_name
+ return -1; /* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -180,7 +194,7 @@ int module_load(const char* file_name, i
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
diff --git a/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch b/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
new file mode 100644
index 00000000..25d96cb6
--- /dev/null
+++ b/recipes-support/openldap/openldap-2.4.39/wrong-database-location.patch
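Review bot: `slapd_lt_dlopenext_global` opens every backend and overlay module with the global advice flag, so each module's symbols join the namespace that later-loaded modules resolve against, and one module's internal symbol can be bound to another's; the recipe's own comment in openldap_2.4.39.bb about `init_module` clashing between proxycache and dyngroup is exactly the class of collision this widens. The patch's stated motivation is back_perl, yet the recipe leaves `PACKAGECONFIG[perl]` commented out, so in this layer the change broadens module linkage without delivering the feature it exists for — consider dropping it from SRC_URI, or documenting in the recipe why it is still wanted. As a point of style, `lt_dladvise advise;` is left indeterminate before `lt_dladvise_init` and is still handed to `lt_dladvise_destroy` when the init fails; initialise it as `lt_dladvise advise = 0;` so the destroy path never depends on the library's failure behaviour. `module_load` continues outside the hunk.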
@@ -0,0 +1,74 @@ +Move the default slapd database location to /var/lib/ldap instead of +/var/openldap-data. + +Debian-specific. + +--- a/doc/man/man5/slapd-bdb.5 ++++ b/doc/man/man5/slapd-bdb.5 +@@ -131,7 +131,7 @@ Specify the directory where the BDB file + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + .B dirtyread + Allow reads of modified but not yet committed data. +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -2007,7 +2007,7 @@ suffix "dc=our\-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap\-data ++directory LOCALSTATEDIR/lib/ldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -47,7 +47,7 @@ + /* location of the default slapd config file */ + #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap" + #define SLAPD_DEFAULT_DB_MODE 0600 + #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" + /* default max deref depth for aliases */ +--- a/servers/slapd/Makefile.in ++++ b/servers/slapd/Makefile.in +@@ -445,9 +445,9 @@ install-conf: FORCE + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ 
$(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-olcDbDirectory: LOCALSTATEDIR/openldap\-data ++olcDbDirectory: LOCALSTATEDIR/lib/ldap + # Indices to maintain + olcDbIndex: objectClass eq + olcDbIndex: cn,sn,mail pres,eq,approx,sub +--- a/doc/man/man5/slapd-mdb.5 ++++ b/doc/man/man5/slapd-mdb.5 +@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR} + Specify flags for finer-grained control of the LMDB library's operation. diff --git a/recipes-support/openldap/openldap_2.4.39.bb b/recipes-support/openldap/openldap_2.4.39.bb new file mode 100644 index 00000000..3048c8ee --- /dev/null +++ b/recipes-support/openldap/openldap_2.4.39.bb 
@@ -0,0 +1,182 @@ +# OpenLDAP, a license free (see http://www.OpenLDAP.org/license.html) +# +DESCRIPTION = "OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol." +HOMEPAGE = "http://www.OpenLDAP.org/license.html" +# The OpenLDAP Public License - see the HOMEPAGE - defines +# the license. www.openldap.org claims this is Open Source +# (see http://www.openldap.org), the license appears to be +# basically BSD. opensource.org does not record this license +# at present (so it is apparently not OSI certified). +LICENSE = "OpenLDAP" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=f2bdbaa4f50199a00b6de2ca7ec1db05" +SECTION = "libs" + +# patches taken from Debian +SRC_URI = "\ + ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${P}.tgz \ + file://man-slapd.patch \ + file://evolution-ntlm.patch \ + file://slapi-errorlog-file.patch \ + file://ldapi-socket-place.patch \ + file://wrong-database-location.patch \ + file://index-files-created-as-root.patch \ + file://sasl-default-path.patch \ + file://libldap-symbol-versions.patch \ + file://getaddrinfo-is-threadsafe.patch \ + file://do-not-second-guess-sonames.patch \ + file://contrib-modules-use-dpkg-buildflags.patch \ + file://smbk5pwd-makefile.patch \ + file://autogroup-makefile.patch \ + file://ldap-conf-tls-cacertdir.patch \ + file://add-tlscacert-option-to-ldap-conf.patch \ + file://fix-ftbfs-binutils-gold.patch \ + file://fix-build-top-mk.patch \ + file://no-AM_INIT_AUTOMAKE.patch \ + file://switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff.patch \ + file://no-bdb-ABI-second-guessing.patch \ + file://heimdal-fix.patch \ +" +SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943" +SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7" + +DEPENDS = "util-linux groff-native db" + +PR = "r0" +# The original top.mk used INSTALL, not INSTALL_STRIP_PROGRAM when +# installing .so and executables, this fails in cross compilation +# environments +SRC_URI += 
"file://install-strip.patch" + +# inherit autotools +inherit autotools-brokensep + +# CV SETTINGS +# Required to work round AC_FUNC_MEMCMP which gets the wrong answer +# when cross compiling (should be in site?) +EXTRA_OECONF += "ac_cv_func_memcmp_working=yes" + +# CONFIG DEFINITIONS +# The following is necessary because it cannot be determined for a +# cross compile automagically. Select should yield fine on all OE +# systems... +EXTRA_OECONF += "--with-yielding-select=yes" +# Shared libraries are nice... +EXTRA_OECONF += "--enable-dynamic" + +PACKAGECONFIG ??= "openssl modules \ + ldap meta monitor null passwd shell proxycache dnssrv \ + bdb hdb mdb sasl \ +" +#--with-tls with TLS/SSL support auto|openssl|gnutls [auto] +PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls" +PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl" + +PACKAGECONFIG[sasl] = "--with-cyrus-sasl,--without-cyrus-sasl,cyrus-sasl" +PACKAGECONFIG[modules] = "lt_cv_dlopen_self=yes --enable-modules,--disable-modules,libtool" + +# SLAPD options +# +# UNIX crypt(3) passwd support: +EXTRA_OECONF += "--enable-crypt" + +EXTRA_OECONF += "--enable-ipv6" + +# SLAPD BACKEND +# +# The backend must be set by the configuration. This controls the +# required database, the default database, bdb, is turned off but +# can be turned back on again and it *is* below! The monitor backend +# is also disabled. If you try to change the backends but fail to +# enable a single one the build will fail in an obvious way. +# +# EXTRA_OECONF += "--disable-bdb --disable-hdb --disable-monitor" +# +# Backends="bdb dnssrv hdb ldap ldbm meta monitor null passwd perl shell sql" +# +# Note that multiple backends can be built. The ldbm backend requires a +# build-time choice of database API. The bdb backend forces this to be +# DB4. To use the gdbm (or other) API the Berkely database module must +# be removed from the build. 
+md = "${libexecdir}/openldap" +# +#--enable-bdb enable Berkeley DB backend no|yes|mod yes +# The Berkely DB is the standard choice. This version of OpenLDAP requires +# the version 4 implementation or better. +PACKAGECONFIG[bdb] = "--enable-bdb=mod,--enable-bdb=no,db" + +#--enable-dnssrv enable dnssrv backend no|yes|mod no +PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no" + +#--enable-hdb enable Hierarchical DB backend no|yes|mod no +# This forces ldbm to use Berkeley too, remove to use gdbm +PACKAGECONFIG[hdb] = "--enable-hdb=mod,--enable-hdb=no,db" + +#--enable-ldap enable ldap backend no|yes|mod no +PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no," + +#--enable-ldbm enable ldbm backend no|yes|mod no +# ldbm requires further specification of the underlying database API, because +# bdb is enabled above this must be set to berkeley, however the config +# defaults this correctly so --with-ldbm-api is *not* set. The build will +# fail if bdb is removed, but no database is built to provide the +# support for ldbm +# guide.html:<P>back-ldbm was both slow and unreliable. Its byzantine indexing code was prone to spontaneous corruption, as were the underlying database libraries that were commonly used (e.g. GDBM or NDBM). 
back-bdb and back-hdb are superior in every aspect, with simplified indexing to avoid index corruption, fine-grained locking for greater concurrency, hierarchical caching for greater performance, streamlined on-disk format for greater efficiency and portability, and full transaction support for greater reliability.</P> +# configure: WARNING: unrecognized options: --disable-silent-rules, --enable-ldbm, --with-ldbm-api +#PACKAGECONFIG[ldbm] = "--enable-ldbm=mod --with-ldbm-api=gdbm,--enable-ldbm-no,gdbm" + +#--enable-meta enable metadirectory backend no|yes|mod no +PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no," + +#--enable-monitor enable monitor backend no|yes|mod yes +PACKAGECONFIG[monitor] = "--enable-monitor=mod,--enable-monitor=no," + +#--enable-null enable null backend no|yes|mod no +PACKAGECONFIG[null] = "--enable-null=mod,--enable-null=no," + +#--enable-passwd enable passwd backend no|yes|mod no +PACKAGECONFIG[passwd] = "--enable-passwd=mod,--enable-passwd=no," + +# disabling perl support - host contamination issues +# +#--enable-perl enable perl backend no|yes|mod no +# This requires a loadable perl dynamic library, if enabled without +# doing something appropriate (building perl?) the build will pick +# up the build machine perl - not good (inherit perlnative?) +# PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl" + +#--enable-shell enable shell backend no|yes|mod no +# configure: WARNING: Use of --without-threads is recommended with back-shell +PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no," + +#--enable-sql enable sql backend no|yes|mod no +# sql requires some sql backend which provides sql.h, sqlite* provides +# sqlite.h (which may be compatible but hasn't been tried.) 
+PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3" + +#--enable-dyngroup Dynamic Group overlay no|yes|mod no +# This is a demo, Proxy Cache defines init_module which conflicts with the +# same symbol in dyngroup +PACKAGECONFIG[dyngroup] = "--enable-dyngroup=mod,--enable-dyngroup=no," + +#--enable-proxycache Proxy Cache overlay no|yes|mod no +PACKAGECONFIG[proxycache] = "--enable-proxycache=mod,--enable-proxycache=no," + +#--enable-mdb enable mdb database backend no|yes|mod no +PACKAGECONFIG[mdb] = "--enable-mdb=mod,--enable-mdb=no," + +CPPFLAGS_append = " -D_GNU_SOURCE" + +do_configure() { + cp ${STAGING_DATADIR_NATIVE}/libtool/config/ltmain.sh ${S}/build + rm -f ${S}/libtool + rm -f ${S}/libtool + aclocal + libtoolize --force --copy + gnu-configize + autoconf + oe_runconf +} + +FILES_${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libdir}/*.a ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so" +FILES_${PN}-dbg += "${libexecdir}/openldap/.debug" + |
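Review bot: `PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no,"` attaches a server-wide configure switch to a single backend, and because `shell` is in the default `PACKAGECONFIG ??=` list every default build of this recipe is configured with `--without-threads`, which presumably leaves all of slapd single-threaded (one slow or stalled client then blocks every other connection), not just back-shell. Drop `--without-threads` from the shell option or take `shell` out of the default set, and let anyone who needs that backend opt into the threading trade-off explicitly with a comment explaining it. In `do_configure` the line `rm -f ${S}/libtool` appears twice and `md = "${libexecdir}/openldap"` is assigned but never referenced; remove the duplicate and the dead variable. The carried patches are described in the recipe's own comments as taken from Debian and several change install-time defaults (SASL and database paths, `/usr/sbin/slapd` in man pages), so a short comment beside SRC_URI stating which of those defaults were checked against this layer's filesystem layout would help the next maintainer.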