[openldap] fix: smbk5pwd module computes invalid LM hashes
jvcelak
jvcelak at fedoraproject.org
Thu Jul 19 12:31:42 UTC 2012
commit 9e7cf6735d89fe926e1cec097477489963dd7708
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Thu Jul 19 14:27:10 2012 +0200
fix: smbk5pwd module computes invalid LM hashes
Resolves: #841560
openldap-smbk5pwd-overlay.patch | 64 ++++++++++++++++++++++++++------------
openldap.spec | 1 +
2 files changed, 45 insertions(+), 20 deletions(-)
---
diff --git a/openldap-smbk5pwd-overlay.patch b/openldap-smbk5pwd-overlay.patch
index 4242483..9f14b38 100644
--- a/openldap-smbk5pwd-overlay.patch
+++ b/openldap-smbk5pwd-overlay.patch
@@ -1,21 +1,30 @@
Compile smbk5pwd together with other overlays.
-Resolves: 550895
Author: Jan Šafránek <jsafrane at redhat.com>
+Resolves: #550895
---- openldap-2.4.24.orig/contrib/slapd-modules/smbk5pwd/README
-+++ openldap-2.4.24/contrib/slapd-modules/smbk5pwd/README
+Update to link against OpenSSL, avoid to compile with unsupported backend.
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
@@ -1,3 +1,8 @@
-+*******************************************************
-+Red Hat note: Kerberos support is NOT compiled into
-+this version of smbk5pwd because we do not use Heimdal.
-+*******************************************************
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
+
This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.
---- openldap-2.4.24.orig/servers/slapd/overlays/Makefile.in
-+++ openldap-2.4.24/servers/slapd/overlays/Makefile.in
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
@@ -26,15 +35,7 @@ Author: Jan Šafránek <jsafrane at redhat.com>
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
-@@ -46,14 +47,14 @@ LTONLY_MOD = $(LTONLY_mod)
- LDAP_INCDIR= ../../../include
- LDAP_LIBDIR= ../../../libraries
-
--MOD_DEFS = -DSLAPD_IMPORT
-+MOD_DEFS = -DSLAPD_IMPORT -DDO_SAMBA
-
- shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
- NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC at _LDAP_LIBS)
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC at _LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC at _LDAP_LIBS)
LIBRARY = ../liboverlays.a
@@ -43,13 +44,36 @@ Author: Jan Šafránek <jsafrane at redhat.com>
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
-@@ -125,6 +126,9 @@ unique.la : unique.lo
+@@ -125,6 +126,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
++smbk5pwd.lo : smbk5pwd.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
+smbk5pwd.la : smbk5pwd.lo
-+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo -lldap -L../../../libraries/libldap/.libs/ $(LINK_LIBS)
++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
+diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+index d4d7f6f..37f55da 100644
+--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
++++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+@@ -68,9 +68,11 @@ static ObjectClass *oc_krb5KDCEntry;
+ #ifdef HAVE_GNUTLS
+ #include <gcrypt.h>
+ typedef unsigned char DES_cblock[8];
+-#else
++#elif HAVE_OPENSSL
+ #include <openssl/des.h>
+ #include <openssl/md4.h>
++#else
++#error Unsupported crypto backend.
+ #endif
+ #include "ldap_utf8.h"
+
+--
+1.7.10.4
+
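Review bot: Both added `smbk5pwd` recipes take their OpenSSL flags from `$(shell pkg-config openssl ...)`, which expands to nothing when pkg-config or openssl.pc is unavailable, and make does not treat that as an error. The link line for `smbk5pwd.la` would then omit the crypto library, and since a libtool `-module` link usually tolerates undefined symbols, the problem would likely surface only when slapd loads the overlay that writes password hashes. Consider resolving the flags once and failing early, for example `OPENSSL_LIBS := $(shell pkg-config --libs openssl)` followed by `$(if $(OPENSSL_LIBS),,$(error pkg-config could not find openssl))`. In the smbk5pwd.c part of the same hunk, `#elif HAVE_OPENSSL` would be more consistent with the `#ifdef HAVE_GNUTLS` above it as `#elif defined(HAVE_OPENSSL)`, which also survives an empty definition of the macro.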
diff --git a/openldap.spec b/openldap.spec
index 7bf1645..453ec7e 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -626,6 +626,7 @@ exit 0
%changelog
* Thu Jul 19 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-5
- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)
+- fix: smbk5pwd module computes invalid LM hashes (#841560)
* Wed Jul 18 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-4
- modify the package build process