[openldap] fix: smbk5pwd module computes invalid LM hashes

jvcelak jvcelak at fedoraproject.org
Thu Jul 19 12:31:42 UTC 2012


commit 9e7cf6735d89fe926e1cec097477489963dd7708
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Thu Jul 19 14:27:10 2012 +0200

    fix: smbk5pwd module computes invalid LM hashes
    
    Resolves: #841560

 openldap-smbk5pwd-overlay.patch |   64 ++++++++++++++++++++++++++------------
 openldap.spec                   |    1 +
 2 files changed, 45 insertions(+), 20 deletions(-)
---
diff --git a/openldap-smbk5pwd-overlay.patch b/openldap-smbk5pwd-overlay.patch
index 4242483..9f14b38 100644
--- a/openldap-smbk5pwd-overlay.patch
+++ b/openldap-smbk5pwd-overlay.patch
@@ -1,21 +1,30 @@
 Compile smbk5pwd together with other overlays.
 
-Resolves: 550895
 Author: Jan Šafránek <jsafrane at redhat.com>
+Resolves: #550895
 
---- openldap-2.4.24.orig/contrib/slapd-modules/smbk5pwd/README
-+++ openldap-2.4.24/contrib/slapd-modules/smbk5pwd/README
+Update to link against OpenSSL, avoid to compile with unsupported backend.
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
 @@ -1,3 +1,8 @@
-+*******************************************************
-+Red Hat note: Kerberos support is NOT compiled into
-+this version of smbk5pwd because we do not use Heimdal.
-+*******************************************************
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
 +
  This directory contains a slapd overlay, smbk5pwd, that extends the
  PasswordModify Extended Operation to update Kerberos keys and Samba
  password hashes for an LDAP user.
---- openldap-2.4.24.orig/servers/slapd/overlays/Makefile.in
-+++ openldap-2.4.24/servers/slapd/overlays/Makefile.in
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
 @@ -33,7 +33,8 @@ SRCS = overlays.c \
  	syncprov.c \
  	translucent.c \
@@ -26,15 +35,7 @@ Author: Jan Šafránek <jsafrane at redhat.com>
  OBJS = statover.o \
  	@SLAPD_STATIC_OVERLAYS@ \
  	overlays.o
-@@ -46,14 +47,14 @@ LTONLY_MOD = $(LTONLY_mod)
- LDAP_INCDIR= ../../../include       
- LDAP_LIBDIR= ../../../libraries
- 
--MOD_DEFS = -DSLAPD_IMPORT
-+MOD_DEFS = -DSLAPD_IMPORT -DDO_SAMBA
- 
- shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
- NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC at _LDAP_LIBS)
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC at _LDAP_LIBS)
  UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC at _LDAP_LIBS)
  
  LIBRARY = ../liboverlays.a
@@ -43,13 +44,36 @@ Author: Jan Šafránek <jsafrane at redhat.com>
  
  XINCPATH = -I.. -I$(srcdir)/..
  XDEFS = $(MODULES_CPPFLAGS)
-@@ -125,6 +126,9 @@ unique.la : unique.lo
+@@ -125,6 +126,12 @@ unique.la : unique.lo
  valsort.la : valsort.lo
  	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
  
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
 +smbk5pwd.la : smbk5pwd.lo
-+	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo -lldap -L../../../libraries/libldap/.libs/ $(LINK_LIBS)
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
 +
  install-local:	$(PROGRAMS)
  	@if test -n "$?" ; then \
  		$(MKDIR) $(DESTDIR)$(moduledir); \
+diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+index d4d7f6f..37f55da 100644
+--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
++++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+@@ -68,9 +68,11 @@ static ObjectClass *oc_krb5KDCEntry;
+ #ifdef HAVE_GNUTLS
+ #include <gcrypt.h>
+ typedef unsigned char DES_cblock[8];
+-#else
++#elif HAVE_OPENSSL
+ #include <openssl/des.h>
+ #include <openssl/md4.h>
++#else
++#error Unsupported crypto backend.
+ #endif
+ #include "ldap_utf8.h"
+ 
+-- 
+1.7.10.4
+
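Review bot: Both `$(shell pkg-config openssl ...)` calls in the new `smbk5pwd.lo` and `smbk5pwd.la` recipes expand to an empty string when pkg-config or the openssl .pc file is missing, and make carries on without an error. For the link step this may matter: a libtool `-module` link generally tolerates undefined symbols, so a module without the OpenSSL libraries could be produced and fail only when slapd loads it or first computes a hash (inferred, not visible in this hunk). Adding `pkg-config --exists openssl` as the first recipe line of `smbk5pwd.lo` would stop the build at that point. In the smbk5pwd.c part, `#elif defined(HAVE_OPENSSL)` would match the `#ifdef HAVE_GNUTLS` test above it and would not depend on the macro having a numeric value.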
diff --git a/openldap.spec b/openldap.spec
index 7bf1645..453ec7e 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -626,6 +626,7 @@ exit 0
 %changelog
 * Thu Jul 19 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-5
 - fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)
+- fix: smbk5pwd module computes invalid LM hashes (#841560)
 
 * Wed Jul 18 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-4
 - modify the package build process

