diff --git a/.gitignore b/.gitignore
index 56994d1..7639ffb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openldap-2.4.39.tgz
 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+SOURCES/openldap-2.4.39.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
index 2410a61..5df585c 100644
--- a/.openldap.metadata
+++ b/.openldap.metadata
@@ -1,2 +1,2 @@
-2b8e8401214867c361f7212e7058f95118b5bd6c SOURCES/openldap-2.4.39.tgz
 444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+2b8e8401214867c361f7212e7058f95118b5bd6c SOURCES/openldap-2.4.39.tgz
diff --git a/SOURCES/libexec-generate-server-cert.sh b/SOURCES/libexec-generate-server-cert.sh
index 1a66b8c..e2f4974 100755
--- a/SOURCES/libexec-generate-server-cert.sh
+++ b/SOURCES/libexec-generate-server-cert.sh
@@ -25,7 +25,7 @@ CERT_VALID_MONTHS=12
 usage() {
 printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
 printf " [-p password-file] [-h hostnames]\n" >&2
-pritnf " [-a dns-alt-names] [-o]\n" >&2
+printf " [-a dns-alt-names] [-o]\n" >&2
 exit 1
 }
@@ -102,7 +102,7 @@ certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
 -8 "$ALT_NAMES" \
 &>/dev/null
-rm -f $RANDOM_DATA
+rm -f $CERT_RANDOM
 # tune permissions
diff --git a/SOURCES/openldap-man-tls-reqcert.patch b/SOURCES/openldap-man-tls-reqcert.patch
new file mode 100644
index 0000000..a435655
--- /dev/null
+++ b/SOURCES/openldap-man-tls-reqcert.patch
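Review bot: In the second hunk of libexec-generate-server-cert.sh the noise file is now removed with an unquoted expansion, `rm -f $CERT_RANDOM`; since the same variable is quoted where it is passed to certutil (`-z "$CERT_RANDOM"`), the removal should be `rm -f "$CERT_RANDOM"` too. The context lines also show certutil's output and exit status being discarded with `&>/dev/null`, so a failed certificate generation is not noticed before the script goes on to tune permissions on a database that may not contain the certificate. A minimal status check that keeps the cleanup, `certutil ... &>/dev/null || { rm -f "$CERT_RANDOM"; exit 1; }`, would make the failure visible to the caller. The script around this hunk is not visible here; the exit code convention it uses elsewhere should be matched.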
@@ -0,0 +1,53 @@
+From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001
+From: Jan Synacek
+Date: Wed, 13 Nov 2013 13:34:06 +0100
+Subject: [PATCH] Fix client manpage
+
+---
+ doc/man/man5/ldap.conf.5 | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 7f5bc64..bef0672 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -431,8 +431,8 @@ The environment variable RANDFILE can also be used to specify the filename.
+ This parameter is ignored with GnuTLS and Mozilla NSS.
+ .TP
+ .B TLS_REQCERT
+-Specifies what checks to perform on server certificates in a TLS session,
+-if any. The
++Specifies what checks to perform on server certificates in a TLS session.
++The
+ .B
+ can be specified as one of the following keywords:
+ .RS
+@@ -441,19 +441,17 @@ can be specified as one of the following keywords:
+ The client will not request or check any server certificate.
+ .TP
+ .B allow
+-The server certificate is requested. If no certificate is provided,
+-the session proceeds normally. If a bad certificate is provided, it will
++The server certificate is requested. If a bad certificate is provided, it will
+ be ignored and the session proceeds normally.
+ .TP
+ .B try
+-The server certificate is requested. If no certificate is provided,
+-the session proceeds normally. If a bad certificate is provided,
+-the session is immediately terminated.
++The server certificate is requested. If a bad certificate is provided, the
++session is immediately terminated.
+ .TP
+ .B demand | hard
+-These keywords are equivalent. The server certificate is requested. If no
+-certificate is provided, or a bad certificate is provided, the session
+-is immediately terminated. This is the default setting.
++These keywords are equivalent and semantically same as
++.BR try .
++This is the default setting.
+ .RE
+ .TP
+ .B TLS_CRLCHECK
+-- 
+1.8.3.1
+
diff --git a/SOURCES/openldap-olcfrontend-config.patch b/SOURCES/openldap-olcfrontend-config.patch
new file mode 100644
index 0000000..d7b81a6
--- /dev/null
+++ b/SOURCES/openldap-olcfrontend-config.patch
@@ -0,0 +1,24 @@
+From 6c0d57405831fdf51e778505000af3466a42af90 Mon Sep 17 00:00:00 2001
+From: Jan Synacek
+Date: Mon, 8 Sep 2014 13:32:04 +0200
+Subject: [PATCH] fix frontend config
+
+---
+ servers/slapd/slapd.ldif | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/servers/slapd/slapd.ldif b/servers/slapd/slapd.ldif
+index 6c7c43c..18549d8 100644
+--- a/servers/slapd/slapd.ldif
++++ b/servers/slapd/slapd.ldif
+@@ -47,6 +47,7 @@ include: file://%SYSCONFDIR%/schema/core.ldif
+ #
+ dn: olcDatabase=frontend,cn=config
+ objectClass: olcDatabaseConfig
++objectClass: olcFrontendConfig
+ olcDatabase: frontend
+ #
+ # Sample global access control policy:
+-- 
+1.9.3
+
diff --git a/SOURCES/openldap-support-tlsv1-and-later.patch b/SOURCES/openldap-support-tlsv1-and-later.patch
new file mode 100644
index 0000000..b8cc0f8
--- /dev/null
+++ b/SOURCES/openldap-support-tlsv1-and-later.patch
@@ -0,0 +1,54 @@
+Support TLSv1 and later.
+
+Author: Mark Reynolds
+Backported-by: Jan Synacek
+Upstream ITS: #7979
+Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
+
+--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100
++++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100
+@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ break;
+ default:
+- success = SECFailure;
++ success = SECFailure;
+ break;
+ }
+
+@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
+ NSSInitContext *initctx = NULL;
+ PK11SlotInfo *certdb_slot = NULL;
+ #endif
++ SSLVersionRange range;
++ SSLProtocolVariant variant;
+ SECStatus rc;
+ int done = 0;
+
+@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
+ }
+ }
+
++ /*
++ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
++ *
++ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
++ */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
++ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
++ variant = ssl_variant_stream;
++ SSL_VersionRangeSetDefault(variant, &range);
++
+ NSS_SetDomesticPolicy();
+
+ PK11_SetPasswordFunc( tlsm_pin_prompt );
+--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
++++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
+
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH 0x6100
diff --git a/SOURCES/slapd.ldif b/SOURCES/slapd.ldif
index 9ce13ea..7b7f328 100644
--- a/SOURCES/slapd.ldif
+++ b/SOURCES/slapd.ldif
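Review bot: The SECStatus returned by SSL_VersionRangeGetSupported() and SSL_VersionRangeSetDefault() in the tlsm_deferred_init hunk is discarded even though `rc` is declared for exactly that purpose, so a failure leaves NSS on its built-in default range and the configured TLS floor is silently not applied. The assignment `range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;` also passes the configured minimum straight to NSS without checking it against `range.max`; a minimum newer than the linked NSS supports (TLS1_3 is now a legal value in ldap.h) produces an invalid range, which SetDefault rejects, and the call then fails open in the same way. If GetSupported fails, `range` is read uninitialized by SetDefault. The `variant` local only aliases `ssl_variant_stream` and can go; the whitespace-only change to `success = SECFailure;` in the first hunk is noise that makes the backport harder to compare with upstream. tlsm_deferred_init starts and ends outside the hunk, so the `return -1` used below is taken from the function's other failure paths as far as they are known and should be checked against whatever NSS context cleanup is needed at this point.
```c
	rc = SSL_VersionRangeGetSupported( ssl_variant_stream, &range ); /* sets range.max */
	if ( rc != SECSuccess ) {
		/* log via the file's debug macro; fail closed rather than keep the NSS default range */
		return -1;
	}
	if ( lt->lt_protocol_min ) {
		if ( lt->lt_protocol_min > range.max ) {
			/* configured floor is newer than this NSS supports: refuse, do not silently downgrade */
			return -1;
		}
		range.min = lt->lt_protocol_min;
	}
	rc = SSL_VersionRangeSetDefault( ssl_variant_stream, &range );
	if ( rc != SECSuccess ) {
		return -1;
	}
	/* … unchanged: NSS_SetDomesticPolicy() and the rest of tlsm_deferred_init … */
```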
@@ -88,6 +88,7 @@ include: file:///etc/openldap/schema/core.ldif
 dn: olcDatabase=frontend,cn=config
 objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
 olcDatabase: frontend
 #
 # Sample global access control policy:
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
index 7e0589c..050ee05 100644
--- a/SOURCES/slapd.service
+++ b/SOURCES/slapd.service
@@ -1,6 +1,11 @@
 [Unit]
 Description=OpenLDAP Server Daemon
 After=syslog.target network.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
 [Service]
 Type=forking
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index 4051012..08945e4 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -5,7 +5,7 @@
 Name: openldap
 Version: 2.4.39
-Release: 3%{?dist}
+Release: 6%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -50,6 +50,12 @@ Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 Patch20: openldap-ldapi-sasl.patch
 # rwm reference counting fix, pending upstream inclusion
 Patch21: openldap-rwm-reference-counting.patch
+# upstreamed, ITS #7979
+Patch22: openldap-support-tlsv1-and-later.patch
+# upstreamed, ITS #7933
+Patch23: openldap-olcfrontend-config.patch
+# pending upstream inclusion, ITS #7744
+Patch24: openldap-man-tls-reqcert.patch
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -60,6 +66,7 @@ BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel
 # smbk5pwd overlay:
 BuildRequires: openssl-devel
 Requires: nss-tools
+Requires(post): rpm, coreutils
 %description
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@@ -167,6 +174,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
 %patch102 -p1
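Review bot: The new `Requires(post): rpm, coreutils` line in the @@ -60,6 +66,7 @@ hunk of openldap.spec carries no comment saying what the %post scriptlet needs these for, and no scriptlet change appears in the hunks shown, so the dependency cannot be traced to its use from this diff. Presumably it supports the "certs directory is empty after installation" fix listed in the changelog (#1064251), but that is an inference and should be confirmed against the scriptlet. The neighbouring Patch22..Patch24 entries each get a one-line comment; giving this line one in the same style, e.g. `# used by the %post scriptlet (#1064251)` adjusted to what the scriptlet actually calls, would keep the spec self-explanatory.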
@@ -602,6 +612,20 @@ exit 0
 %{_mandir}/man3/*
 %changelog
+* Thu Dec 4 2014 Jan Synáček - 2.4.39-6
+- refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
+
+* Fri Nov 28 2014 Jan Synáček - 2.4.39-5
+- add documentation reference to service file (#1087288)
+- fix: tls_reqcert try has bad behavior (#1027613)
+
+* Tue Nov 25 2014 Jan Synáček - 2.4.39-4
+- support TLS 1.1 and later (#1160468)
+- fix: /etc/openldap/certs directory is empty after installation (#1064251)
+- fix: Typo in script to generate /usr/libexec/openldap/generate-server-cert.sh (#1087490)
+- fix: remove correct tmp file when generating server cert (#1103101)
+- fix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
+
 * Wed Feb 26 2014 Jan Synáček - 2.4.39-3
 - move tmpfiles config to correct location (#1069513)