rpms/nss_ldap/devel nss_ldap-265-depth.patch, NONE, 1.1 nss_ldap-265-ent_internal.patch, NONE, 1.1 nss_ldap-265-local_users.patch, NONE, 1.1 nss_ldap.spec, 1.118, 1.119 nss_ldap-257-over-recursion.patch, 1.1, NONE nss_ldap-264-ent_internal.patch, 1.1, NONE pam_ldap-176-exop-modify.patch, 1.1, NONE pam_ldap-180-bind.patch, 1.1, NONE pam_ldap-180-install-perms.patch, 1.1, NONE pam_ldap-180-local_users.patch, 1.6, NONE pam_ldap-182-manpointer.patch, 1.1, NONE pam_ldap-183-releaseconfig.patch, 1.1, NONE pam_ldap-184-broken-sasl-rebind.patch, 1.1, NONE pam_ldap-184-dnsconfig.patch, 1.1, NONE pam_ldap-184-nsrole.patch, 1.1, NONE pam_ldap-184-referral-passwd2.patch, 1.2, NONE
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Mar 25 22:58:07 UTC 2010
Author: nalin
Update of /cvs/pkgs/rpms/nss_ldap/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv1224
Modified Files:
nss_ldap.spec
Added Files:
nss_ldap-265-depth.patch nss_ldap-265-ent_internal.patch
nss_ldap-265-local_users.patch
Removed Files:
nss_ldap-257-over-recursion.patch
nss_ldap-264-ent_internal.patch pam_ldap-176-exop-modify.patch
pam_ldap-180-bind.patch pam_ldap-180-install-perms.patch
pam_ldap-180-local_users.patch pam_ldap-182-manpointer.patch
pam_ldap-183-releaseconfig.patch
pam_ldap-184-broken-sasl-rebind.patch
pam_ldap-184-dnsconfig.patch pam_ldap-184-nsrole.patch
pam_ldap-184-referral-passwd2.patch
Log Message:
- resync with the version that was waiting for pam_ldap to complete review
- split out pam_ldap as a separate source package, update URL
- set config file to /etc/nss_ldap.conf, rootbindpw file /etc/nss_ldap.secret
- require a matching pam_ldap.so for upgrades
- drop %%post bits that care about pam_ldap
- drop buildrequires on pam-devel
- update to version 265
- add %pre logic for the upgrading-from-a-non-split-nss_ldap case
- drop no-longer-used .versions file
- add "rpc" and "rpcuser" to the list of users whom we default to ignoring
for looking up supplemental groups
- make mentions of nss_ldap.conf and %{name}.conf more consistent (rcritten)
nss_ldap-265-depth.patch:
Makefile.am | 2 +-
config.h.in | 5 +++++
configure.in | 8 ++++++++
depth.c | 24 ++++++++++++++++++++++++
depth.h | 3 +++
ldap-hosts.c | 26 ++++++++++++++++++++++++++
ldap-nss.c | 7 +++++++
7 files changed, 74 insertions(+), 1 deletion(-)
--- NEW FILE nss_ldap-265-depth.patch ---
Check if we can use thread-local storage, and if we can, use one to avoid a
self-deadlock if we recurse into our own host resolution routines from inside
of another lookup attempt.
diff -up nss_ldap-265/config.h.in nss_ldap-265/config.h.in
--- nss_ldap-265/config.h.in 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/config.h.in 2010-01-08 17:29:49.000000000 -0500
@@ -304,6 +304,11 @@
/* Define to 1 if you have the <thread.h> header file. */
#undef HAVE_THREAD_H
+/* Define if your toolchain supports thread-local storage, which can be used
+ for detecting self- and mutual-recursion problems when performing
+ host/address lookups. */
+#undef HAVE_THREAD_LOCAL_STORAGE
+
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
diff -up nss_ldap-265/configure.in nss_ldap-265/configure.in
--- nss_ldap-265/configure.in 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/configure.in 2010-01-08 17:29:49.000000000 -0500
@@ -27,6 +27,14 @@ dnl
AC_ARG_ENABLE(debugging, [ --enable-debugging enable debug code ], [AC_DEFINE(DEBUG)])
+AC_MSG_CHECKING(for thread-local storage)
+AC_TRY_COMPILE([],[static __thread int _nss_ldap_recursion_count;],
+ [
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage, which can be used for detecting self- and mutual-recursion problems when performing host/address lookups.])
+ ],
+ AC_MSG_RESULT(no))
+
dnl
dnl --enable-paged-results is now deprecated; if this option is set,
dnl then paged results will be enabled by default. However, it can
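Review bot: The thread-local-storage probe uses `AC_TRY_COMPILE`, which only shows that the compiler accepts `__thread`; on a toolchain whose linker or C library lacks TLS support the problem would surface later, when linking the module, instead of as a clean `no` here. A link-stage probe (`AC_TRY_LINK` with the same declaration) is the more reliable test. The `no` branch also drops the recursion guard without any notice, so an `AC_MSG_WARN([host lookups are not protected against self-deadlock])` there would make the degraded build visible to whoever packages it.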
diff -up nss_ldap-265/depth.c nss_ldap-265/depth.c
--- nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
+++ nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
@@ -0,0 +1,24 @@
+#include "config.h"
+#include "depth.h"
+
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+static __thread int depth = 0;
+
+int
+_nss_ldap_get_depth (void)
+{
+ return depth;
+}
+
+int
+_nss_ldap_inc_depth (void)
+{
+ return ++depth;
+}
+
+int
+_nss_ldap_dec_depth (void)
+{
+ return --depth;
+}
+#endif
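Review bot: Nothing in depth.c or depth.h says what `depth` counts, although it is the only thing the host entry points consult before refusing a lookup. A comment above the variable such as `/* Per-thread count of _nss_ldap_enter() calls not yet matched by _nss_ldap_leave(); > 0 means this thread is already inside a lookup. */` would state the invariant. `_nss_ldap_dec_depth` also goes below zero on an unmatched call, after which the `> 0` tests no longer detect the next recursion; `if (depth > 0) --depth;` followed by `return depth;` keeps the guard fail-safe. depth.h has no include guard and declares the three functions even when `HAVE_THREAD_LOCAL_STORAGE` is undefined, which stays harmless only while every caller sits inside the same `#ifdef`.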
diff -up nss_ldap-265/depth.h nss_ldap-265/depth.h
--- nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
+++ nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
@@ -0,0 +1,3 @@
+int _nss_ldap_get_depth (void);
+int _nss_ldap_inc_depth (void);
+int _nss_ldap_dec_depth (void);
diff -up nss_ldap-265/ldap-hosts.c nss_ldap-265/ldap-hosts.c
--- nss_ldap-265/ldap-hosts.c 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/ldap-hosts.c 2010-01-08 17:33:38.000000000 -0500
@@ -66,6 +66,7 @@ static char rcsId[] =
#include "ldap-nss.h"
#include "ldap-hosts.h"
#include "util.h"
+#include "depth.h"
#ifdef HAVE_PORT_AFTER_H
#include <port_after.h>
@@ -280,6 +281,11 @@ _nss_ldap_gethostbyname2_r (const char *
}
#endif
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
LA_INIT (a);
LA_STRING (a) = name;
LA_TYPE (a) = LA_TYPE_STRING;
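Review bot: The new early return in `_nss_ldap_gethostbyname2_r` hands back `NSS_STATUS_UNAVAIL` without writing any error out-parameter. The parameter list is cut off in the hunk header, but if this entry point carries `errnop`/`h_errnop` as the glibc NSS host interface does, the caller may go on to read stale values, so they should be set before returning (for example `*h_errnop = NO_RECOVERY;`, assuming that parameter name). The same early return is repeated in the `_nss_ldap_gethostbyaddr_r` and `_nss_ldap_gethostent_r` hunks below. A comment such as `/* already inside a lookup on this thread: fail fast so the next nsswitch source can answer */` would also explain why UNAVAIL was chosen. The function body starts and ends outside the hunk.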
@@ -355,6 +361,11 @@ _nss_ldap_gethostbyaddr_r (struct in_add
NSS_STATUS status;
ldap_args_t a;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
/* if querying by IPv6 address, make sure the address is "normalized" --
* it should contain no leading zeros and all components of the address.
* still we can't fit an IPv6 address in an int, so who cares for now.
@@ -391,6 +402,11 @@ _nss_ldap_sethostent_r (nss_backend_t *
#endif
#if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
{
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
LOOKUP_SETENT (hosts_context);
}
#endif
@@ -403,6 +419,11 @@ _nss_ldap_endhostent_r (nss_backend_t *
#endif
#if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
{
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
LOOKUP_ENDENT (hosts_context);
}
#endif
@@ -435,6 +456,11 @@ _nss_ldap_gethostent_r (struct hostent *
{
NSS_STATUS status;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_get_depth() > 0)
+ return NSS_STATUS_UNAVAIL;
+#endif
+
status = _nss_ldap_getent (&hosts_context,
result,
buffer,
diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
--- nss_ldap-265/ldap-nss.c 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/ldap-nss.c 2010-01-08 17:29:49.000000000 -0500
@@ -93,6 +93,7 @@ static char rcsId[] =
#include "util.h"
#include "dnsconfig.h"
#include "pagectrl.h"
+#include "depth.h"
#if defined(HAVE_THREAD_H) && !defined(_AIX)
#ifdef HAVE_PTHREAD_ATFORK
@@ -578,6 +579,9 @@ _nss_ldap_enter (void)
debug ("==> _nss_ldap_enter");
NSS_LDAP_LOCK (__lock);
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_inc_depth();
+#endif
/*
* Patch for Debian Bug 130006:
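Review bot: The increment sits directly after `NSS_LDAP_LOCK (__lock)` with no comment, so a reader cannot tell that the counter means "this thread holds `__lock`" and is not a general call counter. Only the hosts entry points in ldap-hosts.c test it, so as far as these hunks show a re-entry from the same thread through any other map would still block on the lock; that limit is worth stating, e.g. `/* depth > 0 while this thread holds __lock; only host lookups check it and return UNAVAIL instead of re-locking */`. The matching decrement in the `_nss_ldap_leave` hunk has to be reached on every path that took the lock, otherwise LDAP host lookups stay disabled for that thread. Both function bodies extend beyond the hunks, so that cannot be confirmed here.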
@@ -623,6 +627,9 @@ _nss_ldap_leave (void)
}
#endif /* HAVE_SIGACTION */
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_dec_depth();
+#endif
NSS_LDAP_UNLOCK (__lock);
debug ("<== _nss_ldap_leave");
diff -up nss_ldap-265/Makefile.am nss_ldap-265/Makefile.am
--- nss_ldap-265/Makefile.am 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/Makefile.am 2010-01-08 17:31:45.000000000 -0500
@@ -23,7 +23,7 @@ nss_ldap_so_SOURCES = ldap-nss.c ldap-pw
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c \
- vers.c
+ vers.c depth.c
nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@
nss_ldap-265-ent_internal.patch:
ldap-grp.c | 4 ++--
ldap-netgrp.c | 2 +-
ldap-nss.c | 14 +++++++++++++-
ldap-nss.h | 11 +++++++++++
4 files changed, 27 insertions(+), 4 deletions(-)
--- NEW FILE nss_ldap-265-ent_internal.patch ---
Distinguish between contexts that are somewhat persistent and one-offs
which are used to fulfill part of a larger request.
diff -up nss_ldap-265/ldap-grp.c nss_ldap-265/ldap-grp.c
--- nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
+++ nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
@@ -859,7 +859,7 @@ ng_chase (const char *dn, ldap_initgroup
LA_STRING (a) = dn;
LA_TYPE (a) = LA_TYPE_STRING;
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
{
return NSS_UNAVAIL;
}
@@ -931,7 +931,7 @@ ng_chase_backlink (const char ** members
LA_STRING_LIST (a) = filteredMembersOf;
LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
{
free (filteredMembersOf);
return NSS_UNAVAIL;
diff -up nss_ldap-265/ldap-netgrp.c nss_ldap-265/ldap-netgrp.c
--- nss_ldap-265/ldap-netgrp.c 2009-11-06 05:28:08.000000000 -0500
+++ nss_ldap-265/ldap-netgrp.c 2010-01-08 17:38:38.000000000 -0500
@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
LA_TYPE (a) = LA_TYPE_STRING;
LA_STRING (a) = nested; /* memberNisNetgroup */
- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
{
debug ("<== do_innetgr_nested: failed to initialize context");
return NSS_UNAVAIL;
diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
--- nss_ldap-265/ldap-nss.c 2010-01-08 17:38:38.000000000 -0500
+++ nss_ldap-265/ldap-nss.c 2010-01-08 17:40:37.000000000 -0500
@@ -2043,6 +2043,7 @@ _nss_ldap_ent_context_init_locked (ent_c
debug ("<== _nss_ldap_ent_context_init_locked");
return NULL;
}
+ ctx->ec_internal = 0;
*pctx = ctx;
}
else
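Review bot: `ctx->ec_internal = 0;` is added only on the branch that allocates a fresh context; the `else` branch that follows (its body is outside the hunk) presumably resets a context the caller already owns, and nothing visible clears the flag there. A context once marked through `_nss_ldap_ent_context_init_internal_locked` and later re-initialised through the plain function would then keep skipping the oneshot `do_close ()` in `do_context_release`, leaving the connection open against the configured policy. If the reuse branch does not already zero the structure, add `ctx->ec_internal = 0;` there too, or assign it once after the if/else.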
@@ -2104,7 +2105,8 @@ do_context_release (ent_context_t * ctx,
LS_INIT (ctx->ec_state);
- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
+ if (!ctx->ec_internal &&
+ _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
{
do_close ();
}
@@ -2113,6 +2115,16 @@ do_context_release (ent_context_t * ctx,
free (ctx);
}
+ent_context_t *
+_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
+{
+ ent_context_t *ctx;
+ ctx = _nss_ldap_ent_context_init_locked (pctx);
+ if (ctx != NULL)
+ ctx->ec_internal = 1;
+ return ctx;
+}
+
/*
* Clears a given context; we require the caller
* to acquire the lock.
diff -up nss_ldap-265/ldap-nss.h nss_ldap-265/ldap-nss.h
--- nss_ldap-265/ldap-nss.h 2010-01-08 17:38:38.000000000 -0500
+++ nss_ldap-265/ldap-nss.h 2010-01-08 17:42:34.000000000 -0500
@@ -574,6 +574,8 @@ struct ent_context
ldap_state_t ec_state; /* eg. for services */
int ec_msgid; /* message ID */
LDAPMessage *ec_res; /* result chain */
+ int ec_internal; /* this context is just a part of a larger
+ * query for information */
ldap_service_search_descriptor_t *ec_sd; /* current sd */
struct berval *ec_cookie; /* cookie for paged searches */
int ec_eof; /* reached notional end of file */
@@ -769,6 +771,15 @@ ent_context_t *_nss_ldap_ent_context_ini
ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
/*
+ * _nss_ldap_ent_context_init_internal_locked() has the same
+ * behaviour, except it marks the context as one that's being
+ * used to fetch additional data used in answering a request, i.e.
+ * that this isn't the "main" context
+ */
+
+ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
+
+/*
* _nss_ldap_ent_context_release() is used to manually free a context
*/
void _nss_ldap_ent_context_release (ent_context_t **);
nss_ldap-265-local_users.patch:
ldap.conf | 3 +++
1 file changed, 3 insertions(+)
--- NEW FILE nss_ldap-265-local_users.patch ---
Configure by default to fail, quickly, requests for supplemental group
information for "root", "ldap", and assorted other users as whom services
run or who are mentioned by the DBus configuration. This patch will never
be pretty.
--- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400
+++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500
@@ -177,6 +177,9 @@
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
+# Just assume that there are no supplemental groups for these named users
+nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
+
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
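Review bot: The comment above the new `nss_initgroups_ignoreusers` default does not say what an administrator gives up. Going by the patch description, supplemental group lookups fail immediately for every name in the list, so group-based access granted in the directory to one of these accounts would silently not apply. Suggest expanding it to something like `# No LDAP supplemental groups are looked up for these users; remove a name if the directory must grant it groups`. Keeping the list on one long line also makes later additions such as `rpc,rpcuser` hard to spot in review.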
Index: nss_ldap.spec
===================================================================
RCS file: /cvs/pkgs/rpms/nss_ldap/devel/nss_ldap.spec,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -p -r1.118 -r1.119
--- nss_ldap.spec 16 Feb 2010 00:24:44 -0000 1.118
+++ nss_ldap.spec 25 Mar 2010 22:58:06 -0000 1.119
@@ -1,136 +1,79 @@
-%define pam_ldap_version 184
+%global tmpsuffix 8aa689ed-d62c-4003-ad78-aa1d09887ef4
+
Summary: NSS library and PAM module for LDAP
Name: nss_ldap
-Version: 264
-Release: 9%{?dist}
-Source0: ftp://ftp.padl.com/pub/nss_ldap-%{version}.tar.gz
-Source1: ftp://ftp.padl.com/pub/pam_ldap-%{pam_ldap_version}.tar.gz
+Version: 265
+Release: 4%{?dist}
+URL: http://www.padl.com/OSS/nss_ldap.html
+License: LGPLv2+
+Group: System Environment/Base
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+Source0: ftp://ftp.padl.com//pub/nss_ldap-%{version}.tar.gz
Source5: README.TLS
Source6: version.c
Source7: dlopen.sh
-Patch0: pam_ldap-184-dnsconfig.patch
-Patch1: pam_ldap-180-local_users.patch
-Patch3: pam_ldap-180-install-perms.patch
-Patch4: pam_ldap-180-bind.patch
-Patch6: nss_ldap-257-over-recursion.patch
-Patch7: pam_ldap-182-manpointer.patch
+Patch6: nss_ldap-265-depth.patch
Patch8: nss_ldap-254-soname.patch
Patch11: nss_ldap-257-initgroups-minimum_uid.patch
-Patch13: pam_ldap-176-exop-modify.patch
Patch15: nss_ldap-257-mozldap.patch
-Patch16: pam_ldap-184-referral-passwd2.patch
Patch17: nss_ldap-259-res_init.patch
-Patch19: pam_ldap-184-broken-sasl-rebind.patch
-Patch20: pam_ldap-184-nsrole.patch
Patch21: nss_ldap-264-checkcase.patch
-Patch22: nss_ldap-264-ent_internal.patch
-Patch23: pam_ldap-183-releaseconfig.patch
+Patch22: nss_ldap-265-ent_internal.patch
Patch24: nss_ldap-264-cloexec.patch
+Patch25: nss_ldap-265-local_users.patch
-URL: http://www.padl.com/
-License: LGPLv2+
-Group: System Environment/Base
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool
-BuildRequires: openssl-devel, openssl-static, pam-devel
+BuildRequires: openssl-devel, openssl-static
BuildRequires: cyrus-sasl-devel >= 2.1
BuildRequires: openldap-devel >= 2.0.27
BuildRequires: openldap-evolution-devel
BuildRequires: krb5-devel >= 1.4
Requires: nscd
-Obsoletes: pam_ldap
-Requires(post): grep, mktemp, sed, textutils, /sbin/ldconfig
+Requires(pre): coreutils
+Requires(post): coreutils, /sbin/ldconfig
+Requires: /%{_lib}/security/pam_ldap.so
%description
-This package includes two LDAP access clients: nss_ldap and pam_ldap.
Nss_ldap is a set of C library extensions that allow X.500 and LDAP
directory servers to be used as a primary source of aliases, ethers,
groups, hosts, networks, protocol, users, RPCs, services, and shadow
passwords (instead of or in addition to using flat files or NIS).
-Pam_ldap is a module for Linux-PAM that supports password changes, V2
-clients, Netscape's SSL, ypldapd, Netscape Directory Server password
-policies, access authorization, and crypted hashes.
-
%prep
-%setup -q -c -a 1
+%setup -q
cp %{SOURCE5} .
-cp nss_ldap-%{version}/ldap.conf ldap.conf.nss_ldap
-cp pam_ldap-%{pam_ldap_version}/ldap.conf ldap.conf.pam_ldap
-
-cp nss_ldap-%{version}/resolve.c pam_ldap-%{pam_ldap_version}/
-cp nss_ldap-%{version}/resolve.h pam_ldap-%{pam_ldap_version}/
-cp nss_ldap-%{version}/snprintf.c pam_ldap-%{pam_ldap_version}/
-cp nss_ldap-%{version}/snprintf.h pam_ldap-%{pam_ldap_version}/
-
-pushd nss_ldap-%{version}
+%patch6 -p1 -b .depth
%patch8 -p1 -b .soname
%patch17 -p1 -b .res_init
-#%patch21 -p1 -b .checkcase
+%patch21 -p1 -b .checkcase
%patch22 -p1 -b .ent_internal
%patch24 -p1 -b .cloexec
+%patch25 -p1 -b .local_users
+sed -i -e 's,^ldap.conf$,%{name}.conf,g' *.5
+sed -i -e 's,^/etc/ldap\.,/etc/%{name}.,g' *.5
+sed -i -e 's,ldap.secret,%{name}.secret,g' *.5
+sed -i -e 's,(ldap.conf),(%{name}.conf),g' *.5
autoreconf -f -i
-popd
-
-pushd pam_ldap-%{pam_ldap_version}
-%patch0 -p1 -b .dnsconfig
-%patch3 -p1 -b .install-perms
-%patch4 -p1 -b .bind
-%patch1 -p1 -b .local_users
-%patch7 -p1 -b .manpointer
-%patch13 -p1 -b .exop-modify
-%patch16 -p1 -b .referral-passwd2
-%patch19 -p1 -b .broken-sasl-rebind
-%patch20 -p1 -b .nsrole
-%patch23 -p1 -b .releaseconfig
-autoreconf -f -i
-popd
-
-rm -f pam.d/*.pam_console
-
-cp nss_ldap-%{version}/ANNOUNCE ANNOUNCE.nss_ldap
-cp nss_ldap-%{version}/AUTHORS AUTHORS.nss_ldap
-cp nss_ldap-%{version}/ChangeLog ChangeLog.nss_ldap
-cp nss_ldap-%{version}/COPYING COPYING.nss_ldap
-cp nss_ldap-%{version}/NEWS NEWS.nss_ldap
-cp nss_ldap-%{version}/README README.nss_ldap
-cp nss_ldap-%{version}/nsswitch.ldap nsswitch.ldap
-cp pam_ldap-%{pam_ldap_version}/AUTHORS AUTHORS.pam_ldap
-cp pam_ldap-%{pam_ldap_version}/ChangeLog ChangeLog.pam_ldap
-cp pam_ldap-%{pam_ldap_version}/COPYING COPYING.pam_ldap
-cp pam_ldap-%{pam_ldap_version}/COPYING.LIB COPYING.LIB.pam_ldap
-cp pam_ldap-%{pam_ldap_version}/NEWS NEWS.pam_ldap
-cp pam_ldap-%{pam_ldap_version}/README README.pam_ldap
-
-cp %{_datadir}/libtool/config/config.{sub,guess} nss_ldap-%{version}/
-cp %{_datadir}/libtool/config/config.{sub,guess} pam_ldap-%{pam_ldap_version}/
+cp %{_datadir}/libtool/config/config.{sub,guess} .
%build
-# We're building modules here, so make sure -fPIC is always used.
-CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS
-
-# Build pam_ldap.
-pushd pam_ldap-%{pam_ldap_version}
-%configure --libdir=/%{_lib}
-make %{?_smp_mflags}
-popd
-
-pushd nss_ldap-%{version}
+# Build with static copies of as may of the dependent libraries as we can, so
+# that we can bind references symbols the module uses to the copy bundled into
+# the module, and hide them from any calling applications.
%configure \
- --with-ldap=openldap \
- --enable-schema-mapping \
- --enable-rfc2307bis \
- --enable-configurable-krb5-ccname-gssapi
-make %{?_smp_mflags} LIBS="-Wl,-Bstatic -L%{_libdir}/evolution-openldap/%{_lib} -lldap -llber -lssl -lcrypto -Wl,-Bdynamic -lz -lsasl2 -lgssapi_krb5 -ldl -lpthread_nonshared -lnsl -lresolv"
-popd
-
-# Check that the modules are actually loadable.
-%{SOURCE7} ./nss_ldap-%{version}/nss_ldap.so
-%{SOURCE7} -lpam ./pam_ldap-%{pam_ldap_version}/pam_ldap.so
+ --with-ldap-lib=openldap \
+ --enable-rfc2307bis \
+ --with-ldap-conf-file=%{_sysconfdir}/%{name}.conf \
+ --with-ldap-secret-file=%{_sysconfdir}/%{name}.secret \
+ --enable-configurable-krb5-ccname-gssapi
+env PATH=`pwd`:"$PATH" make %{?_smp_mflags} LIBS="-L%{_libdir}/evolution-openldap/%{_lib} -Wl,-Bstatic -lldap -llber -lssl -lcrypto -Wl,-Bdynamic -lz -lsasl2 -lgssapi_krb5 -ldl -lpthread_nonshared -lnsl -lresolv"
+
+# Check that the module is actually loadable.
+sh %{SOURCE7} ./nss_ldap.so
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
-mkdir -p $RPM_BUILD_ROOT/{etc,%{_lib}/security,%{_libdir}}
# Let the nss_ldap install target do its thing, skipping the chown/chgrp bits
# and making sure we only get one libc version, even on multilib boxen.
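Review bot: `%patch21 -p1 -b .checkcase` goes from commented out to applied in %prep, yet none of the 265-1 to 265-4 changelog entries mentions it, so a change in what gets compiled into the module is invisible in the package history. A changelog line such as `- apply the checkcase patch again` (wording for the author to confirm) would record it. The `env PATH=...` prefix on the `make` line also puts the build directory first on the search path, with no comment saying which helper it is meant to find.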
@@ -139,68 +82,91 @@ mkdir -p $RPM_BUILD_ROOT/{etc,%{_lib}/se
# more than which version of libc was available at build time. People tend to
# assume that's also the nss_ldap version, too, so forget that.
libcver=%{version}
-make -C nss_ldap-%{version} install \
- DESTDIR=$RPM_BUILD_ROOT \
- INST_UID=`id -un` INST_GID=`id -gn` \
- LIBC_VERS=$libcver
+make install \
+ DESTDIR=$RPM_BUILD_ROOT \
+ INST_UID=`id -un` INST_GID=`id -gn` \
+ LIBC_VERS=$libcver
# Install the direct-linking symlink.
ln -s libnss_ldap-$libcver.so $RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so
-# Install the module for PAM.
-pushd pam_ldap-%{pam_ldap_version}
-make install DESTDIR=$RPM_BUILD_ROOT
+# Remove a doc file from /etc; we'll include it as a %%doc file.
+rm -f $RPM_BUILD_ROOT/etc/nsswitch.ldap
+
+# The makefile assumes installation into /lib, which is incorrect.
+rm -f $RPM_BUILD_ROOT/%{_libdir}/../%{_libdir}/libnss_ldap.so.2
# Install the default configuration file, but change the search bases to
# something generic to avoid overloading padl.com servers and to match
# good practice when using DNS domains in example configurations.
-sed 's|dc=padl|dc=example|g' ldap.conf > $RPM_BUILD_ROOT/etc/ldap.conf
-chmod 644 $RPM_BUILD_ROOT/etc/ldap.conf
-popd
-
-# Remove a doc file from /etc; we'll included it as a %%doc file.
-rm -f $RPM_BUILD_ROOT/etc/nsswitch.ldap
+sed 's|dc=padl|dc=example|g' ldap.conf > $RPM_BUILD_ROOT/etc/%{name}.conf
+chmod 644 $RPM_BUILD_ROOT/etc/%{name}.conf
-# The makefile assumes installation into /lib, which is incorrect.
-rm -f $RPM_BUILD_ROOT/%{_libdir}/../%{_libdir}/libnss_ldap.so.2
+# Create an ldap.secret file.
+touch $RPM_BUILD_ROOT/etc/%{name}.secret
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+%pre
+# If we didn't already have a config file for this package, but we did have one
+# for the old %{name} package, copy the configuration to a temporary location.
+if ! test -s %{_sysconfdir}/%{name}.conf ; then
+ if test -s %{_sysconfdir}/ldap.conf ; then
+ cp -p %{_sysconfdir}/ldap.conf %{_sysconfdir}/%{name}.conf.%{tmpsuffix}
+ fi
+fi
+if ! test -s %{_sysconfdir}/%{name}.secret ; then
+ if test -s %{_sysconfdir}/ldap.secret ; then
+ cp -p %{_sysconfdir}/ldap.secret %{_sysconfdir}/%{name}.secret.%{tmpsuffix}
+ fi
+fi
+
%post
/sbin/ldconfig
-# Fix a logic mismatch between what the version of authconfig in RHL 7.2 would
-# generate and this version of pam_ldap.
-if grep -q '^account required /lib/security/pam_ldap.so$' /etc/pam.d/system-auth ; then
- newfile=`mktemp /etc/pam.d/system-auth-XXXXXX`
- if [ ! -z "$newfile" ] ; then
- cat /etc/pam.d/system-auth > $newfile
- sed 's,account required /lib/security/pam_ldap.so,account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so,g' $newfile > /etc/pam.d/system-auth
- rm -f $newfile
- fi
+# If we created a temporary configuration in %%pre, replace the one our package
+# put down with the old one.
+if test -s %{_sysconfdir}/%{name}.conf.%{tmpsuffix} ; then
+ mv %{_sysconfdir}/%{name}.conf.%{tmpsuffix} %{_sysconfdir}/%{name}.conf
+fi
+if test -s %{_sysconfdir}/%{name}.secret.%{tmpsuffix} ; then
+ mv %{_sysconfdir}/%{name}.secret.%{tmpsuffix} %{_sysconfdir}/%{name}.secret
fi
%postun -p /sbin/ldconfig
%files
-%defattr(-,root,root)
+%defattr(-,root,root,-)
+%doc README.TLS ANNOUNCE AUTHORS ChangeLog COPYING NEWS README nsswitch.ldap
%attr(0755,root,root) /%{_libdir}/libnss_ldap-*.so
%attr(0755,root,root) /%{_libdir}/libnss_ldap.so.?
-%attr(0755,root,root) /%{_lib}/security/*.so*
%attr(0755,root,root) %{_libdir}/libnss_ldap.so
%attr(0644,root,root) %{_mandir}/man5/*.5*
-%attr(0644,root,root) %config(noreplace) /etc/ldap.conf
-%doc README.TLS
-%doc nsswitch.ldap *.nss_ldap *.pam_ldap
-%doc pam_ldap-%{pam_ldap_version}/pam.d
-%doc pam_ldap-%{pam_ldap_version}/ldapns.schema
-%doc pam_ldap-%{pam_ldap_version}/ns-pwd-policy.schema
+%attr(0644,root,root) %config(noreplace) /etc/%{name}.conf
+%attr(0600,root,root) %ghost %config(noreplace) /etc/%{name}.secret
%changelog
-* Mon Feb 15 2010 Nalin Dahyabhai <nalin at redhat.com> 264-9
-- switch to linking with the evolution-specific libldap, because that's still
+* Fri Feb 19 2010 Nalin Dahyabhai <nalin at redhat.com> 265-4
+- make mentions of nss_ldap.conf and %%{name}.conf more consistent (rcritten)
+
+* Mon Feb 15 2010 Nalin Dahyabhai <nalin at redhat.com> 265-3
+- switch to linking with the evo-specific libldap, because that's still
available as a static library (#565065)
-- drop no-longer-used .versions files of our own
+- add "rpc" and "rpcuser" to the list of users whom we default to ignoring
+ for looking up supplemental groups
+
+* Mon Jan 18 2010 Nalin Dahyabhai <nalin at redhat.com> 265-2
+- fix source URLs
+- drop no-longer-used .versions file
+
+* Fri Jan 8 2010 Nalin Dahyabhai <nalin at redhat.com> 265-1
+- split out pam_ldap as a separate source package, update URL
+- set config file to /etc/nss_ldap.conf, rootbindpw file /etc/nss_ldap.secret
+- require a matching pam_ldap.so for upgrades
+- drop %%post bits that care about pam_ldap
+- drop buildrequires on pam-devel
+- update to version 265
+- add %%pre logic for the upgrading-from-a-non-split-nss_ldap case
* Wed Nov 4 2009 Nalin Dahyabhai <nalin at redhat.com> 264-8
- add "rtkit" and "pulse" to the list of users whom we default to ignoring
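Review bot: The %pre/%post pair carries the rootbindpw file across the rename with `cp -p` and `mv`, so `/etc/%{name}.secret` ends up with whatever mode `/etc/ldap.secret` had. The `%attr(0600,root,root) %ghost` entry in %files describes the file but, being a ghost, is unlikely to correct the mode at install time. Add `chmod 600 %{_sysconfdir}/%{name}.secret` after the `mv` in %post so that a loosely-permissioned legacy secret is not carried over. The intermediate `%{name}.secret.%{tmpsuffix}` copy has the same exposure between %pre and %post, so a `chmod 600` right after the `cp -p` would cover that window as well.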
@@ -232,7 +198,7 @@ fi
* Mon Apr 6 2009 Nalin Dahyabhai <nalin at redhat.com> - 264/184-100
- split pam_ldap off into a separate binary package
-- require /%{_lib}/security/pam_ldap.so to pull in pam_ldap on upgrades
+- require /%%{_lib}/security/pam_ldap.so to pull in pam_ldap on upgrades
- require our configuration file to come from somewhere
- remove some cruft
- move the %%postun that fixes up pam configs to the pam_ldap package
--- nss_ldap-257-over-recursion.patch DELETED ---
--- nss_ldap-264-ent_internal.patch DELETED ---
--- pam_ldap-176-exop-modify.patch DELETED ---
--- pam_ldap-180-bind.patch DELETED ---
--- pam_ldap-180-install-perms.patch DELETED ---
--- pam_ldap-180-local_users.patch DELETED ---
--- pam_ldap-182-manpointer.patch DELETED ---
--- pam_ldap-183-releaseconfig.patch DELETED ---
--- pam_ldap-184-broken-sasl-rebind.patch DELETED ---
--- pam_ldap-184-dnsconfig.patch DELETED ---
--- pam_ldap-184-nsrole.patch DELETED ---
--- pam_ldap-184-referral-passwd2.patch DELETED ---