[openldap] new upstream release (2.4.28)
jvcelak
jvcelak at fedoraproject.org
Wed Nov 30 17:59:32 UTC 2011
commit ad3da8cc0414a625c91ccfc2f3be980fe1b63446
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Fri Nov 25 23:12:51 2011 +0100
new upstream release (2.4.28)
- upstream changes:
- server: support for delta-syncrepl in multi master replication
- server: add experimental backend - MDB
- server: dynamic configuration for passwd, perl, shell, sock,
and sql backends
- server: support passwords in APR1
- library: support for Wahl (draft)
- a lot of bugfixes
- remove patches which were merged upstream
.gitignore | 2 +-
openldap-constraint-overlay-config.patch | 81 -----------
openldap-cve-onebyte-buffer-overflow.patch | 55 -------
openldap-dds-overlay-tolerance.patch | 29 ----
openldap-man-ldap-sync.patch | 25 ----
openldap-man-slapo-unique.patch | 31 ----
openldap-nss-free-peer-cert.patch | 28 ----
openldap-nss-handshake-threadsafe.patch | 96 ------------
openldap-nss-init-threadsafe.patch | 217 ----------------------------
openldap-nss-memleak-free-certs.patch | 40 -----
openldap-nss-reqcert-hostname.patch | 28 ----
openldap-nss-verifycert.patch | 209 ---------------------------
openldap-nss-wildcards.patch | 17 ---
openldap-security-pie.patch | 8 +-
openldap.spec | 64 ++++-----
slapd.conf.obsolete | 141 ++++++++++++++++++
slapd.ldif | 94 ++++++++++++
sources | 2 +-
18 files changed, 266 insertions(+), 901 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 6fb7efc..4199374 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/openldap-2.4.26.tgz
+/openldap-2.4.28.tgz
diff --git a/openldap-security-pie.patch b/openldap-security-pie.patch
index 42725b2..025c3d4 100644
--- a/openldap-security-pie.patch
+++ b/openldap-security-pie.patch
@@ -3,10 +3,10 @@ address space layout randomization (ASLD).
Author: Thomas Woerner <twoerner at redhat.com>
---- openldap-2.4.24.orig/servers/slapd/Makefile.in
-+++ openldap-2.4.24/servers/slapd/Makefile.in
-@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
- cp slapi/.libs/libslapi.a .
+--- a/servers/slapd/Makefile.in
++++ b/servers/slapd/Makefile.in
+@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE
+ (cd slapi; $(MAKE) $(MFLAGS) all)
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
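Review bot: The patch description carried as this hunk's `@@` context still reads "address space layout randomization (ASLD)"; the acronym is ASLR, and since this commit is already rebasing the patch it would be a cheap fix to change it to `address space layout randomization (ASLR).` The refreshed context now anchors on `slapi/libslapi.la: FORCE` at line 263 of servers/slapd/Makefile.in instead of the old `libslapi.a` copy rule, which is presumably just the 2.4.28 Makefile.in shifting; the `$(LTLINK)` replacement the patch actually makes continues past the lines shown here.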
diff --git a/openldap.spec b/openldap.spec
index 5931826..2ab1913 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,8 +5,8 @@
%global evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
Name: openldap
-Version: 2.4.26
-Release: 6%{?dist}
+Version: 2.4.28
+Release: 1%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@@ -30,20 +30,8 @@ Patch3: openldap-reentrant-gethostby.patch
Patch4: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ldaprc-currentdir.patch
Patch6: openldap-userconfig-setgid.patch
-Patch7: openldap-nss-free-peer-cert.patch
-Patch8: openldap-nss-init-threadsafe.patch
-Patch9: openldap-nss-reqcert-hostname.patch
-Patch10: openldap-nss-verifycert.patch
-Patch11: openldap-nss-memleak-free-certs.patch
-Patch12: openldap-constraint-overlay-config.patch
-Patch13: openldap-dds-overlay-tolerance.patch
-Patch14: openldap-man-slapo-unique.patch
-Patch15: openldap-nss-wildcards.patch
-Patch16: openldap-dns-priority.patch
-Patch17: openldap-man-ldap-sync.patch
-Patch18: openldap-nss-handshake-threadsafe.patch
-Patch19: openldap-syncrepl-unset-tls-options.patch
-Patch20: openldap-cve-onebyte-buffer-overflow.patch
+Patch7: openldap-dns-priority.patch
+Patch8: openldap-syncrepl-unset-tls-options.patch
# Fedora specific patches
Patch100: openldap-fedora-systemd.patch
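Review bot: The dropped `openldap-cve-onebyte-buffer-overflow.patch` (old Patch20) is by name a security fix, and neither this hunk nor the commit message records which CVE it carried or that the corresponding fix is present in the 2.4.28 tarball, so anyone auditing the package later has to rediscover that; I would extend the changelog line to `- remove patches which were merged upstream (incl. the CVE one-byte overflow fix)` with the actual CVE identifier after confirming it in the new source. Renumbering the two survivors to Patch7/Patch8 reuses numbers that a few lines earlier belonged to NSS patches, which makes `git log -p` on this spec harder to follow; keeping them as Patch16/Patch19 with gaps is the usual practice. The removed NSS TLS patches (verifycert, reqcert-hostname, wildcards, handshake-threadsafe) govern certificate verification in the Fedora NSS build, so it is worth stating in the changelog which upstream ITS entries confirm they were merged rather than relying on "merged upstream" alone.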
@@ -136,29 +124,17 @@ programs needed for accessing and modifying OpenLDAP directories.
pushd openldap-%{version}
-%patch0 -p1 -b .manpages
-%patch1 -p1 -b .security-pie
-%patch2 -p1 -b .sql-linking
-%patch3 -p1 -b .reentrant-gethostby
-%patch4 -p1 -b .smbk5pwd-overlay
-%patch5 -p1 -b .ldaprc-currentdir
-%patch6 -p1 -b .userconfig-setgid
-%patch7 -p1 -b .nss-free-peer-cert
-%patch8 -p1 -b .nss-init-threadsafe
-%patch9 -p1 -b .nss-reqcert-hostname
-%patch10 -p1 -b .nss-verifycert
-%patch11 -p1 -b .nss-memleak-free-certs
-%patch12 -p1 -b .constraint-overlay-config
-%patch13 -p1 -b .dds-overlay-tolerance
-%patch14 -p1 -b .man-slapo-unique
-%patch15 -p1 -b .nss-wildcards
-%patch16 -p1 -b .dns-priority
-%patch17 -p1 -b .man-ldap-sync
-%patch18 -p1 -b .nss-handshake-threadsafe
-%patch19 -p1 -b .syncrepl-unset-tls-options
-%patch20 -p1 -b .cve-onebyte-buffer-overflow
-
-%patch100 -p1 -b .fedora-systemd
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+
+%patch100 -p1
cp %{_datadir}/libtool/config/config.{sub,guess} build/
@@ -638,6 +614,16 @@ exit 0
%{evolution_connector_prefix}/
%changelog
+* Wed Nov 30 2011 Jan Vcelak <jvcelak at redhat.com> 2.4.28-1
+- new upstream release
+ + server: support for delta-syncrepl in multi master replication
+ + server: add experimental backend - MDB
+ + server: dynamic configuration for passwd, perl, shell, sock, and sql backends
+ + server: support passwords in APR1
+ + library: support for Wahl (draft)
+ + a lot of bugfixes
+- remove patches which were merged upstream
+
* Tue Nov 01 2011 Jan Vcelak <jvcelak at redhat.com> 2.4.26-6
- package cleanup:
+ hardened build: switch from LDFLAGS to RPM macros
diff --git a/slapd.conf.obsolete b/slapd.conf.obsolete
new file mode 100644
index 0000000..6def6d2
--- /dev/null
+++ b/slapd.conf.obsolete
@@ -0,0 +1,141 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+include /etc/openldap/schema/corba.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/duaconf.schema
+include /etc/openldap/schema/dyngroup.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/java.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/openldap.schema
+include /etc/openldap/schema/ppolicy.schema
+include /etc/openldap/schema/collective.schema
+
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+# Load dynamic backend modules
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la overlay requires openldap-server-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+
+# modulepath /usr/lib/openldap
+# modulepath /usr/lib64/openldap
+
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload back_sql.la
+# moduleload chain.la
+# moduleload collect.la
+# moduleload constraint.la
+# moduleload dds.la
+# moduleload deref.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload memberof.la
+# moduleload pbind.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload seqmod.la
+# moduleload smbk5pwd.la
+# moduleload sssvlv.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+# enable on-the-fly configuration (cn=config)
+database config
+access to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by * none
+
+# enable server status monitoring (cn=monitor)
+database monitor
+access to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+ by dn.exact="cn=Manager,dc=my-domain,dc=com" read
+ by * none
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database hdb
+suffix "dc=my-domain,dc=com"
+checkpoint 1024 15
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com at EXAMPLE.COM
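Review bot: `allow bind_v2` is the only uncommented directive in this file that relaxes the server's defaults, and LDAPv2 offers neither StartTLS nor SASL, so a reference configuration should not enable it silently; I would ship it as `#allow bind_v2` with the existing comment extended to say it exists only for legacy clients. The comment above the sample `security` line says "Require 63-bit encryption for simple bind" while the directive sets `simple_bind=64` (and the slapd.ldif twin in this commit says 64-bit), so the comment should read 64. The header says the file must not be world readable, but nothing in the spec hunks shown installs it with restricted permissions, presumably handled elsewhere in openldap.spec and worth confirming. Minor: `back_sql.la` in the moduleload comment is a backend, not an overlay.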
diff --git a/slapd.ldif b/slapd.ldif
new file mode 100644
index 0000000..7f0fa1b
--- /dev/null
+++ b/slapd.ldif
@@ -0,0 +1,94 @@
+#
+# See slapd.d(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+#
+# Define global ACLs to disable default read access.
+#
+olcArgsFile: /var/run/slapd.args
+olcPidFile: /var/run/slapd.pid
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+#
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: back_bdb.la
+#olcModuleload: back_hdb.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_shell.la
+
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+# Frontend settings
+#
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+#
+dn: olcDatabase=bdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcBdbConfig
+olcDatabase: bdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+# Cleartext passwords, especially for the rootdn, should
+# be avoided. See slappasswd(8) and slapd-config(5) for details.
+# Use of strong authentication encouraged.
+olcRootPW: secret
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+olcDbDirectory: /var/openldap-data
+# Indices to maintain
+olcDbIndex: objectClass eq
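Review bot: `olcRootPW: secret` is a live directive that gives the rootdn `cn=Manager,dc=my-domain,dc=com` a well-known cleartext password, directly under a comment saying cleartext rootdn passwords should be avoided; if this LDIF is ever used to seed cn=config, the server comes up with a guessable manager credential that has full write access to the database. Ship it commented out, `#olcRootPW: secret`, or as a `{SSHA}` hash produced by slappasswd, which is what slapd.conf.obsolete in this same commit already does for `rootpw`. The file otherwise looks like the unmodified upstream template rather than a Fedora one: `/var/run/slapd.pid`, `/var/openldap-data` and the hard-coded `/usr/lib64/openldap` module path disagree with `/var/run/openldap/slapd.pid`, `/var/lib/ldap` and the arch-dependent modulepath in slapd.conf.obsolete, and the comment "Define global ACLs to disable default read access" is followed by no olcAccess at all. Whether this file is actually installed is not visible in the spec hunks shown.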
diff --git a/sources b/sources
index e809d56..3c387a0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f36f3086031dd56ae94f722ffae8df5e openldap-2.4.26.tgz
+196023e552eeb259e048edcd61a9645b openldap-2.4.28.tgz