Hello community, here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2016-01-30 11:30:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openldap2 (Old) and /work/SRC/openSUSE:Factory/.openldap2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2" Changes: -------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2-client.changes 2015-12-06 07:38:31.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2-client.changes 2016-01-30 11:30:52.000000000 +0100 
@@ -2 +2,42 @@ -Wed Dec 2 12:51:10 UTC 2015 - h...@suse.com +Mon Jan 25 14:10:12 UTC 2016 - h...@suse.com + +- Relabel patch 0011-Enforce-minimum-DH-size-of-1024.patch + into 0010-Enforce-minimum-DH-size-of-1024.patch + +------------------------------------------------------------------- +Tue Dec 8 11:36:16 UTC 2015 - mich...@stroeder.com + +- Upgrade to upstream 2.4.43 release with accumulated bug fixes. +- Still build on SLES12 +- Loadable backend and overlay modules are now installed + into arch-specific path %{_libdir}/openldap +- All backends and overlays as modules for smaller memory footprint + on memory constrained systems +- Added extra package for back-sock +- Consequent use of %{_rundir} everywhere +- Rely on upstream ./configure script instead of any other + macro foo +- Dropped linking with libwrap +- Dropped 0004-libldap-use-gethostbyname_r.dif because this + work-around for nss_ldap is obsolete +- New sub-package openldap2-contrib with selected contrib/ overlays +- Replaced addonschema.tar.gz with separate schema sources +- Updated ldapns.schema from recent slapo-nssov source tree +- Added symbolic link to slapd executable in /usr/sbin/ +- Added more complex example configuration file + /etc/openldap/slapd.conf.example +- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap +- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap +- Added patch for OpenLDAP ITS#7796 to avoid excessive + "not index" logging: + 0011-openldap-re24-its7796.patch +- Replaced openldap-rc.tgz with single source files +- Added soft dependency (Recommends) to cyrus-sasl +- Added soft dependency (Recommends) to cyrus-sasl-devel + to openldap2-devel +- Added patch for OpenLDAP ITS#8336 (assert in liblmdb): + 0012-openldap-re24-its8336.patch +- Remove obsolete patch 0001-build-adjustments.dif + +------------------------------------------------------------------- +Wed Dec 2 12:50:47 UTC 2015 - h...@suse.com 
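Review bot: the Dec 8 entry does not mention that 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch is dropped; it records the removal of 0001-build-adjustments.dif and 0004-libldap-use-gethostbyname_r.dif, but the Old/New file lists further down show the ITS#8240 revert disappearing and its Patch10 slot being reused by 0010-Enforce-minimum-DH-size-of-1024.patch (the Jan 25 entry only describes the relabel). Add a line such as `- Dropped 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch` together with the reason (presumably that the 2.4.43 tarball already carries the ITS#8240 change, which is not stated here) so the patch history stays traceable. The same entry is duplicated in openldap2.changes and needs the same line.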
@@ -39 +80 @@ -Thu Oct 1 11:08:59 UTC 2015 - h...@suse.com +Thu Oct 1 11:08:41 UTC 2015 - h...@suse.com --- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2015-12-06 07:38:31.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2.changes 2016-01-30 11:30:52.000000000 +0100 
@@ -1,0 +2,41 @@ +Mon Jan 25 14:10:12 UTC 2016 - h...@suse.com + +- Relabel patch 0011-Enforce-minimum-DH-size-of-1024.patch + into 0010-Enforce-minimum-DH-size-of-1024.patch + +------------------------------------------------------------------- +Tue Dec 8 11:36:16 UTC 2015 - mich...@stroeder.com + +- Upgrade to upstream 2.4.43 release with accumulated bug fixes. +- Still build on SLES12 +- Loadable backend and overlay modules are now installed + into arch-specific path %{_libdir}/openldap +- All backends and overlays as modules for smaller memory footprint + on memory constrained systems +- Added extra package for back-sock +- Consequent use of %{_rundir} everywhere +- Rely on upstream ./configure script instead of any other + macro foo +- Dropped linking with libwrap +- Dropped 0004-libldap-use-gethostbyname_r.dif because this + work-around for nss_ldap is obsolete +- New sub-package openldap2-contrib with selected contrib/ overlays +- Replaced addonschema.tar.gz with separate schema sources +- Updated ldapns.schema from recent slapo-nssov source tree +- Added symbolic link to slapd executable in /usr/sbin/ +- Added more complex example configuration file + /etc/openldap/slapd.conf.example +- Set OPENLDAP_START_LDAPI="yes" in /etc/sysconfig/openldap +- Set OPENLDAP_REGISTER_SLP="no" in /etc/sysconfig/openldap +- Added patch for OpenLDAP ITS#7796 to avoid excessive + "not index" logging: + 0011-openldap-re24-its7796.patch +- Replaced openldap-rc.tgz with single source files +- Added soft dependency (Recommends) to cyrus-sasl +- Added soft dependency (Recommends) to cyrus-sasl-devel + to openldap2-devel +- Added patch for OpenLDAP ITS#8336 (assert in liblmdb): + 0012-openldap-re24-its8336.patch +- Remove obsolete patch 0001-build-adjustments.dif + +------------------------------------------------------------------- Old: ---- 0001-build-adjustments.dif 0004-libldap-use-gethostbyname_r.dif 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch 
0011-Enforce-minimum-DH-size-of-1024.patch README.dynamic-overlays addonschema.tar.gz openldap-2.4.42.tgz openldap-rc.tgz New: ---- 0010-Enforce-minimum-DH-size-of-1024.patch 0011-openldap-re24-its7796.patch 0012-openldap-re24-its8336.patch README.module-loading SuSEfirewall2.openldap ldapns.schema openldap-2.4.43.tgz rfc2307bis.schema slapd.conf.example slapd.service start sysconfig.openldap yast.schema ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2-client.spec ++++++ --- /var/tmp/diff_new_pack.UGwmDj/_old 2016-01-30 11:30:55.000000000 +0100 +++ /var/tmp/diff_new_pack.UGwmDj/_new 2016-01-30 11:30:55.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package openldap2-client # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,52 +17,59 @@ %define run_test_suite 0 -%define version_main 2.4.42 +%define version_main 2.4.43 -%if ! %{defined _rundir} -%define _rundir %{_localstatedir}/run +%if %{suse_version} >= 1310 && %{suse_version} != 1315 +%define _rundir /run/slapd +%else +%define _rundir /var/run/slapd %endif Name: openldap2-client Summary: The OpenLDAP commandline client tools License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Clients -Version: 2.4.42 +Version: %{version_main} Release: 0 Url: http://www.openldap.org Source: openldap-%{version_main}.tgz -Source1: openldap-rc.tgz -Source2: addonschema.tar.gz Source3: DB_CONFIG Source4: sasl-slapd.conf -Source5: README.dynamic-overlays +Source5: README.module-loading Source6: schema2ldif Source7: baselibs.conf -Patch1: 0001-build-adjustments.dif +Source9: ldapns.schema +Source10: rfc2307bis.schema +Source11: yast.schema +Source12: slapd.conf.example +Source13: start +Source14: slapd.service +Source15: SuSEfirewall2.openldap +Source16: sysconfig.openldap Patch2: 0002-slapd.conf.dif Patch3: 0003-LDAPI-socket-location.dif -Patch4: 0004-libldap-use-gethostbyname_r.dif Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch -Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch -Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch +Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch +Patch11: 0011-openldap-re24-its7796.patch +Patch12: 0012-openldap-re24-its8336.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff BuildRequires: libopenssl-devel BuildRequires: libtool +Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl %if "%{name}" == "openldap2" BuildRequires: db-devel BuildRequires: openslp-devel -BuildRequires: tcpd-devel BuildRequires: unixODBC-devel Conflicts: 
openldap -Requires: libldap-2_4-2 = %{version_main} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -%if 0%{?suse_version} >= 1140 +%if %{suse_version} >= 1310 && %{suse_version} != 1315 # avoid cycle with krb5 BuildRequires: krb5-mini BuildRequires: pkgconfig(systemd) @@ -70,7 +77,6 @@ %endif %else Conflicts: openldap-client -Requires: libldap-2_4-2 = %{version_main} %endif # For /usr/bin/strings Requires(pre): binutils @@ -78,10 +84,10 @@ %if "%{name}" == "openldap2" %description -The Lightweight Directory Access Protocol (LDAP) is used to access -online directory services. It runs directly over TCP and can be used to -access a stand-alone LDAP directory service or to access a directory -service that has an X.500 back-end. +OpenLDAP is a client and server reference implementation of the +Lightweight Directory Access Protocol v3 (LDAPv3). + +The server provides several database backends and overlays. %package -n openldap2-back-perl Summary: OpenLDAP Perl Back-End @@ -93,6 +99,16 @@ The OpenLDAP Perl back-end allows you to execute Perl code specific to different LDAP operations. +%package -n openldap2-back-sock +Summary: OpenLDAP Socket Back-End +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} +Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz + +%description -n openldap2-back-sock +The OpenLDAP socket back-end allows you to handle LDAP requests and +results with an external process listening on a Unix domain socket. + %package -n openldap2-back-meta Summary: OpenLDAP Meta Back-End Group: Productivity/Networking/LDAP/Servers 
@@ -115,6 +131,25 @@ stored in a Relational (SQL) Database as an LDAP subtree without the need to do any programming. +%package -n openldap2-contrib +Summary: OpenLDAP Contrib Modules +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} + +%description -n openldap2-contrib +Various overlays found in contrib/: +allop +allowed Generates attributes indicating access rights +autogroup +cloak +denyop +lastbind writes last bind timestamp to entry +noopsrch handles no-op search control +nops +pw-sha2 generates/validates SHA-2 password hashes +pw-pbkdf2 generates/validates PBKDF2 password hashes +smbk5pwd generates Samba3 password hashes (heimdal krb disabled) + %package -n openldap2-doc Summary: OpenLDAP Documentation Group: Documentation/Other @@ -126,6 +161,7 @@ %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts + Authors: -------- The OpenLDAP Project <proj...@openldap.org> @@ -145,6 +181,7 @@ # Conflicts: openldap-devel Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl-devel %description -n openldap2-devel This package provides the OpenLDAP libraries, header files, and @@ -171,11 +208,10 @@ %endif %prep -%setup -q -n openldap-%{version_main} -a1 -a2 -%patch1 -p1 +%setup -q -n openldap-%{version_main} %patch2 -p1 %patch3 -p1 -%patch4 -p1 +#%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 
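Review bot: the %prep hunk (@@ -171,11 +208,10 @@) keeps `#%patch4 -p1` as a commented-out line, but rpm expands macros inside comments as well, which is why rpmlint reports macro-in-comment for this pattern; since the `Patch4:` declaration is removed from the preamble in the same change, the line serves no purpose. Delete it, or if a reminder is wanted write it as `#%%patch4 -p1` so the macro is never expanded. The same line appears in the openldap2.spec copy of this hunk.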
@@ -183,48 +219,66 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp %{SOURCE5} . %build -%{?suse_update_config:%{suse_update_config -f build}} -libtoolize --force -autoreconf -export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" +# %{?suse_update_config:%{suse_update_config -f build}} +#libtoolize --force +#autoreconf +# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" +export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" export STRIP="" -%configure \ - --localstatedir=%{_rundir}/slapd \ - --libexecdir=/usr/lib/openldap \ - --enable-wrappers \ +./configure \ + --prefix=/usr \ + --sysconfdir=%{_sysconfdir} \ + --libdir=%{_libdir} \ + --libexecdir=%{_libdir} \ + --localstatedir=%{_rundir} \ + --enable-wrappers=no \ --enable-spasswd \ --enable-modules \ --enable-shared \ --enable-dynamic \ - --with-tls \ + --with-tls=openssl \ --with-cyrus-sasl \ --enable-crypt \ --enable-ipv6=yes \ %if "%{name}" == "openldap2" --enable-aci \ - --enable-bdb \ - --enable-hdb \ + --enable-bdb=mod \ + --enable-hdb=mod \ --enable-rewrite \ - --enable-ldap=yes \ + --enable-ldap=mod \ --enable-meta=mod \ - --enable-monitor=yes \ + --enable-monitor=mod \ --enable-perl=mod \ + --enable-sock=mod \ --enable-sql=mod \ - --enable-mdb=yes \ + --enable-mdb=mod \ + --enable-relay=mod \ --enable-slp \ --enable-overlays=mod \ - --enable-syncprov=yes \ - --enable-ppolicy=yes \ + --enable-syncprov=mod \ + --enable-ppolicy=mod \ %else --disable-slapd \ %endif --enable-lmpasswd \ - --with-yielding-select + --with-yielding-select \ + || cat config.log make depend make %{?_smp_mflags} +%if "%{name}" == "openldap2" +# Build selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch 
passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" +done +# One more level up needed because of passwd/sha2 +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB="" +%endif %check %if %run_test_suite 
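Review bot: the %build hunk (@@ -183,48 +219,66 @@) drops the distribution compiler flags: the active line is `export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG ..."`, while only the commented-out line above it still starts with `${RPM_OPT_FLAGS}`, and `%configure` (which exports the distribution optflags) is replaced by a plain `./configure`. As written, slapd and libldap are built without the optimization and hardening options the packaging normally applies (stack protector, FORTIFY_SOURCE and friends live in `$RPM_OPT_FLAGS`), which is a regression for a network-facing daemon. Restore the prefix, e.g. `export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES"`. Two smaller points in the same hunk: `-DNDEBUG` compiles out every assert in the tree, so the liblmdb assert addressed by 0012-openldap-re24-its8336.patch would be masked rather than reported if the fix were incomplete, which deserves a comment if it is intentional; and `./configure ... || cat config.log` turns a failed configure into a successful step, because the exit status is that of `cat`, so `make depend` and `make` run against a half-configured tree and the real error is buried. Use `|| { cat config.log; exit 1; }` instead. Both copies of the hunk (openldap2-client.spec and openldap2.spec) need the same fixes.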
@@ -252,50 +306,67 @@ %endif %install -mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/ -mkdir -p $RPM_BUILD_ROOT/usr/sbin -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} -make STRIP="" DESTDIR=$RPM_BUILD_ROOT install -install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start -install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir} -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 -install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf -install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so* -install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif +mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/sbin +mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir} +make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +# Additional symbolic link to slapd executable in /usr/sbin/ +%if "%{name}" == "openldap2" +ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd +%endif +%if "%{name}" == "openldap2" +# Install selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +done +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +%endif +install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start +install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir} +mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d +mkdir -p 
${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2 +install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf +install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so* +install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif %if "%{name}" == "openldap2" %define DOCDIR %{_defaultdocdir}/%{name} -mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap -install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG -install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example -install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/ -install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap +mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates +install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap +install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap +install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG +install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example +install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/ +install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! 
-type d` rm -rf doc/guide/release -install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \ - $RPM_BUILD_ROOT/%{DOCDIR}/images \ - $RPM_BUILD_ROOT/%{DOCDIR}/drafts -install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide -install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images -install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts +install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/images \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts +install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide +install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images +install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts install -m 644 ANNOUNCEMENT \ COPYRIGHT \ LICENSE \ README \ CHANGES \ %{SOURCE5} \ - $RPM_BUILD_ROOT/%{DOCDIR} + ${RPM_BUILD_ROOT}/%{DOCDIR} install -m 644 servers/slapd/slapd.ldif \ - $RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default -rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example -rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README -rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif* -rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example + ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default +rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example +rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README +rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif* +rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples # Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO # /usr/sbin/service exists only since openSUSE 12.3: 
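Review bot: in the %install hunk (@@ -252,50 +306,67 @@) the smbk5pwd install step runs `make -C contrib/slapd-modules/smbk5pwd ... install` without the `DEFS="-DDO_SAMBA" HEIMDAL_LIB=""` settings that the %build hunk passes to the build step; if make decides anything is stale at install time the module is rebuilt with the contrib Makefile's defaults rather than the Samba-only, Heimdal-disabled configuration the changelog describes. Pass the same `DEFS` and `HEIMDAL_LIB` values on the install line so the two invocations cannot diverge. As a style point, the two consecutive `%if "%{name}" == "openldap2"` blocks (the `/usr/sbin/slapd` symlink and the contrib loop) can be folded into one.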
@@ -305,16 +376,15 @@ ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd %endif %endif -rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 +rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct -rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la +rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la #put filelists into files cat >openldap2.filelist <<EOF 
@@ -328,36 +398,45 @@ %dir /etc/openldap/schema %config /etc/openldap/schema/*.schema %config /etc/openldap/schema/*.ldif -%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf +%config(noreplace) %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf %config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG %config /var/lib/ldap/DB_CONFIG.example -%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default +%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default +%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.example %config(noreplace) /etc/sasl2/slapd.conf %dir /usr/lib/openldap -%dir /usr/lib/openldap/modules -/usr/lib/openldap/modules/accesslog* -/usr/lib/openldap/modules/auditlog* -/usr/lib/openldap/modules/collect* -/usr/lib/openldap/modules/constraint* -/usr/lib/openldap/modules/dds* -/usr/lib/openldap/modules/deref* -/usr/lib/openldap/modules/dyngroup* -/usr/lib/openldap/modules/dynlist* -/usr/lib/openldap/modules/memberof* -/usr/lib/openldap/modules/pcache* -/usr/lib/openldap/modules/refint* -/usr/lib/openldap/modules/retcode* -/usr/lib/openldap/modules/rwm* -/usr/lib/openldap/modules/seqmod* -/usr/lib/openldap/modules/sssvlv* -/usr/lib/openldap/modules/translucent* -/usr/lib/openldap/modules/unique* -/usr/lib/openldap/modules/valsort* -/usr/lib/openldap/slapd +%dir /%{_libdir}/openldap +%{_libdir}/openldap/back_bdb* +%{_libdir}/openldap/back_hdb* +%{_libdir}/openldap/back_ldap* +%{_libdir}/openldap/back_mdb* +%{_libdir}/openldap/back_monitor* +%{_libdir}/openldap/back_relay* +%{_libdir}/openldap/accesslog* +%{_libdir}/openldap/auditlog* +%{_libdir}/openldap/collect* +%{_libdir}/openldap/constraint* +%{_libdir}/openldap/dds* +%{_libdir}/openldap/deref* +%{_libdir}/openldap/dyngroup* +%{_libdir}/openldap/dynlist* +%{_libdir}/openldap/memberof* +%{_libdir}/openldap/pcache* +%{_libdir}/openldap/ppolicy* +%{_libdir}/openldap/refint* +%{_libdir}/openldap/retcode* +%{_libdir}/openldap/rwm* 
+%{_libdir}/openldap/seqmod* +%{_libdir}/openldap/sssvlv* +%{_libdir}/openldap/syncprov* +%{_libdir}/openldap/translucent* +%{_libdir}/openldap/unique* +%{_libdir}/openldap/valsort* +%{_libdir}/slapd /usr/lib/openldap/start -/usr/lib/systemd/system/slapd.service -%dir %attr(0700, ldap, ldap) /var/lib/ldap -%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd +%{_unitdir}/slapd.service +%dir %attr(0750, ldap, ldap) /var/lib/ldap +%ghost %attr(0750, ldap, ldap) %{_rundir} %doc %{_mandir}/man8/sl* %doc %{_mandir}/man5/slapd.* %doc %{_mandir}/man5/slapd-bdb.* @@ -417,20 +496,37 @@ %_libdir/libldap*.a EOF cat > openldap2-back-perl.filelist <<EOF -/usr/lib/openldap/modules/back_perl* +%{_libdir}/openldap/back_perl* %doc %{_mandir}/man5/slapd-perl.* EOF +cat > openldap2-back-sock.filelist <<EOF +%{_libdir}/openldap/back_sock* +%doc %{_mandir}/man5/slapd-sock.* +EOF cat > openldap2-back-meta.filelist <<EOF -/usr/lib/openldap/modules/back_meta* +%{_libdir}/openldap/back_meta* %doc %{_mandir}/man5/slapd-meta.* EOF cat > openldap2-back-sql.filelist <<EOF -/usr/lib/openldap/modules/back_sql* +%{_libdir}/openldap/back_sql* %doc %{_mandir}/man5/slapd-sql.* %doc servers/slapd/back-sql/examples %doc servers/slapd/back-sql/docs/bugs %doc servers/slapd/back-sql/docs/install EOF +cat > openldap2-contrib.filelist <<EOF +%{_libdir}/openldap/allowed.* +%{_libdir}/openldap/allop.* +%{_libdir}/openldap/autogroup.* +%{_libdir}/openldap/lastbind.* +%{_libdir}/openldap/noopsrch.* +%{_libdir}/openldap/nops.* +%{_libdir}/openldap/pw-sha2.* +%{_libdir}/openldap/pw-pbkdf2.* +%{_libdir}/openldap/denyop.* +%{_libdir}/openldap/cloak.* +%{_libdir}/openldap/smbk5pwd.* +EOF cat >openldap2-doc.filelist <<EOF %dir %{DOCDIR} %doc %{DOCDIR}/drafts 
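Review bot: the file list hunk (@@ -328,36 +398,45 @@) changes `%dir %attr(0700, ldap, ldap) /var/lib/ldap` to `0750` with no corresponding changelog entry; this is the directory holding the backend database files (DB_CONFIG is installed there), so widening it to group ldap should be deliberate and documented, or reverted to 0700. In the same hunk `%ghost %attr(0750, ldap, ldap) %{_rundir}` lost the `%dir` that the replaced line had; keep `%dir %ghost` so rpm records the runtime directory as a directory and does not try to treat it as a regular ghost file. Finally, `slapd.conf.example` is marked `%config`, which makes rpm track an example file as configuration; if it has to live under /etc/openldap it is better listed without `%config`, or shipped as `%doc` next to `slapd.ldif.default`.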
@@ -442,20 +538,20 @@ cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \ openldap2-devel-static.filelist | %else -cat openldap2.filelist openldap2-back-perl.filelist \ +cat openldap2.filelist openldap2-back-perl.filelist openldap2-back-sock.filelist \ openldap2-back-meta.filelist openldap2-back-sql.filelist \ - openldap2-doc.filelist compat-libldap.filelist | + openldap2-doc.filelist openldap2-contrib.filelist | %endif grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do - rm -rf $RPM_BUILD_ROOT$name + rm -rf ${RPM_BUILD_ROOT}${name} done %if "%{name}" == "openldap2" %pre /usr/sbin/groupadd -g 70 -o -r ldap || : -/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d /var/lib/ldap ldap || : +/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || : if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then - touch /var/run/enable_slapd_service + touch %{_rundir}/enable_slapd_service fi %service_add_pre slapd.service @@ -467,7 +563,7 @@ %{fillup_only -n openldap ldap} %{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER} %service_add_post slapd.service -if [ -f /var/run/enable_slapd_service ]; then +if [ -f %{_rundir}/enable_slapd_service ]; then /usr/bin/systemctl --quiet enable slapd fi @@ -483,6 +579,9 @@ %files -n openldap2-back-perl -f openldap2-back-perl.filelist %defattr(-,root,root) +%files -n openldap2-back-sock -f openldap2-back-sock.filelist +%defattr(-,root,root) + %files -n openldap2-back-meta -f openldap2-back-meta.filelist %defattr(-,root,root) @@ -492,6 +591,9 @@ %files -n openldap2-doc -f openldap2-doc.filelist %defattr(-,root,root) +%files -n openldap2-contrib -f openldap2-contrib.filelist +%defattr(-,root,root) + %else %post -n libldap-2_4-2 -p /sbin/ldconfig ++++++ openldap2.spec ++++++ --- /var/tmp/diff_new_pack.UGwmDj/_old 2016-01-30 11:30:55.000000000 +0100 +++ /var/tmp/diff_new_pack.UGwmDj/_new 2016-01-30 11:30:55.000000000 +0100 
@@ -1,7 +1,7 @@ # # spec file for package openldap2 # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,52 +17,59 @@ %define run_test_suite 0 -%define version_main 2.4.42 +%define version_main 2.4.43 -%if ! %{defined _rundir} -%define _rundir %{_localstatedir}/run +%if %{suse_version} >= 1310 && %{suse_version} != 1315 +%define _rundir /run/slapd +%else +%define _rundir /var/run/slapd %endif Name: openldap2 Summary: The OpenLDAP Server License: OLDAP-2.8 Group: Productivity/Networking/LDAP/Clients -Version: 2.4.42 +Version: %{version_main} Release: 0 Url: http://www.openldap.org Source: openldap-%{version_main}.tgz -Source1: openldap-rc.tgz -Source2: addonschema.tar.gz Source3: DB_CONFIG Source4: sasl-slapd.conf -Source5: README.dynamic-overlays +Source5: README.module-loading Source6: schema2ldif Source7: baselibs.conf -Patch1: 0001-build-adjustments.dif +Source9: ldapns.schema +Source10: rfc2307bis.schema +Source11: yast.schema +Source12: slapd.conf.example +Source13: start +Source14: slapd.service +Source15: SuSEfirewall2.openldap +Source16: sysconfig.openldap Patch2: 0002-slapd.conf.dif Patch3: 0003-LDAPI-socket-location.dif -Patch4: 0004-libldap-use-gethostbyname_r.dif Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch -Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch -Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch +Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch +Patch11: 0011-openldap-re24-its7796.patch +Patch12: 0012-openldap-re24-its8336.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff BuildRequires: libopenssl-devel BuildRequires: libtool +Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl %if "%{name}" == "openldap2" BuildRequires: db-devel BuildRequires: openslp-devel -BuildRequires: tcpd-devel BuildRequires: unixODBC-devel Conflicts: openldap -Requires: 
libldap-2_4-2 = %{version_main} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -%if 0%{?suse_version} >= 1140 +%if %{suse_version} >= 1310 && %{suse_version} != 1315 # avoid cycle with krb5 BuildRequires: krb5-mini BuildRequires: pkgconfig(systemd) @@ -70,7 +77,6 @@ %endif %else Conflicts: openldap-client -Requires: libldap-2_4-2 = %{version_main} %endif # For /usr/bin/strings Requires(pre): binutils @@ -78,10 +84,10 @@ %if "%{name}" == "openldap2" %description -The Lightweight Directory Access Protocol (LDAP) is used to access -online directory services. It runs directly over TCP and can be used to -access a stand-alone LDAP directory service or to access a directory -service that has an X.500 back-end. +OpenLDAP is a client and server reference implementation of the +Lightweight Directory Access Protocol v3 (LDAPv3). + +The server provides several database backends and overlays. %package -n openldap2-back-perl Summary: OpenLDAP Perl Back-End @@ -93,6 +99,16 @@ The OpenLDAP Perl back-end allows you to execute Perl code specific to different LDAP operations. +%package -n openldap2-back-sock +Summary: OpenLDAP Socket Back-End +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} +Provides: openldap2:/usr/share/man/man5/slapd-sock.5.gz + +%description -n openldap2-back-sock +The OpenLDAP socket back-end allows you to handle LDAP requests and +results with an external process listening on a Unix domain socket. + %package -n openldap2-back-meta Summary: OpenLDAP Meta Back-End Group: Productivity/Networking/LDAP/Servers 
@@ -115,6 +131,25 @@ stored in a Relational (SQL) Database as an LDAP subtree without the need to do any programming. +%package -n openldap2-contrib +Summary: OpenLDAP Contrib Modules +Group: Productivity/Networking/LDAP/Servers +Requires: openldap2 = %{version_main} + +%description -n openldap2-contrib +Various overlays found in contrib/: +allop +allowed Generates attributes indicating access rights +autogroup +cloak +denyop +lastbind writes last bind timestamp to entry +noopsrch handles no-op search control +nops +pw-sha2 generates/validates SHA-2 password hashes +pw-pbkdf2 generates/validates PBKDF2 password hashes +smbk5pwd generates Samba3 password hashes (heimdal krb disabled) + %package -n openldap2-doc Summary: OpenLDAP Documentation Group: Documentation/Other @@ -126,6 +161,7 @@ %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts + Authors: -------- The OpenLDAP Project <proj...@openldap.org> @@ -145,6 +181,7 @@ # Conflicts: openldap-devel Requires: libldap-2_4-2 = %{version_main} +Recommends: cyrus-sasl-devel %description -n openldap2-devel This package provides the OpenLDAP libraries, header files, and @@ -171,11 +208,10 @@ %endif %prep -%setup -q -n openldap-%{version_main} -a1 -a2 -%patch1 -p1 +%setup -q -n openldap-%{version_main} %patch2 -p1 %patch3 -p1 -%patch4 -p1 +#%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 
@@ -183,49 +219,65 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp %{SOURCE5} . %build -%{?suse_update_config:%{suse_update_config -f build}} -libtoolize --force -autoreconf -export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE" +# %{?suse_update_config:%{suse_update_config -f build}} +#libtoolize --force +#autoreconf +# export CFLAGS="${RPM_OPT_FLAGS} -Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" +export CFLAGS="-Wno-format-extra-args -fno-strict-aliasing -DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES" export STRIP="" -%configure \ - --localstatedir=%{_rundir}/slapd \ - --libexecdir=/usr/lib/openldap \ - --enable-wrappers \ +./configure \ + --prefix=/usr \ + --sysconfdir=%{_sysconfdir} \ + --libdir=%{_libdir} \ + --libexecdir=%{_libdir} \ + --localstatedir=%{_rundir} \ + --enable-wrappers=no \ --enable-spasswd \ --enable-modules \ --enable-shared \ --enable-dynamic \ - --with-tls \ + --with-tls=openssl \ --with-cyrus-sasl \ --enable-crypt \ --enable-ipv6=yes \ %if "%{name}" == "openldap2" --enable-aci \ - --enable-bdb \ - --enable-hdb \ + --enable-bdb=mod \ + --enable-hdb=mod \ --enable-rewrite \ - --enable-ldap=yes \ + --enable-ldap=mod \ --enable-meta=mod \ - --enable-monitor=yes \ + --enable-monitor=mod \ --enable-perl=mod \ + --enable-sock=mod \ --enable-sql=mod \ - --enable-mdb=yes \ + --enable-mdb=mod \ + --enable-relay=mod \ --enable-slp \ --enable-overlays=mod \ - --enable-syncprov=yes \ - --enable-ppolicy=yes \ + --enable-syncprov=mod \ + --enable-ppolicy=mod \ %else --disable-slapd \ %endif --enable-lmpasswd \ - --with-yielding-select + --with-yielding-select \ + || cat config.log make depend make %{?_smp_mflags} %if "%{name}" == "openldap2" +# Build selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch 
passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" +done +# One more level up needed because of passwd/sha2 +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB="" %endif %check 
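Review bot: the new `export CFLAGS="-Wno-format-extra-args ..."` line drops `${RPM_OPT_FLAGS}` (the commented-out line directly above it still carries it), so the distribution's optimisation and hardening flags no longer reach the compiler unless something else injects them; put `${RPM_OPT_FLAGS}` back at the front of the string. Two smaller points in the same hunk: `./configure ... || cat config.log` turns a failed configure into a successful pipeline step, so the build only dies later in `make` with a less useful error (use `|| { cat config.log; exit 1; }`), and `-DLDAP_CONNECTIONLESS` is gone from CFLAGS while the SuSEfirewall2.openldap template further down still opens `UDP="ldap"`, a port that nothing in this build will listen on.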
@@ -254,50 +306,67 @@ %endif %install -mkdir -p $RPM_BUILD_ROOT/usr/lib/openldap/ -mkdir -p $RPM_BUILD_ROOT/usr/sbin -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} -make STRIP="" DESTDIR=$RPM_BUILD_ROOT install -install -m 755 start $RPM_BUILD_ROOT/usr/lib/openldap/start -install -m 644 slapd.service $RPM_BUILD_ROOT/%{_unitdir} -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2 -install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf -install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so* -chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so* -install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/sbin/schema2ldif +mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap +mkdir -p ${RPM_BUILD_ROOT}/usr/sbin +mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir} +make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +# Additional symbolic link to slapd executable in /usr/sbin/ +%if "%{name}" == "openldap2" +ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd +%endif +%if "%{name}" == "openldap2" +# Install selected contrib overlays +for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +do + make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +done +# slapo-smbk5pwd only for Samba password hashes +make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +%endif +install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start +install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir} +mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d +mkdir -p 
${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2 +install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf +install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so* +chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap.so* +install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif %if "%{name}" == "openldap2" %define DOCDIR %{_defaultdocdir}/%{name} -mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap -install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG -install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example -install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/ -install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap +mkdir -p ${RPM_BUILD_ROOT}/var/adm/fillup-templates +install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.openldap +install -m 644 %{SOURCE9} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap +install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG +install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example +install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/ +install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! 
-type d` rm -rf doc/guide/release -install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \ - $RPM_BUILD_ROOT/%{DOCDIR}/images \ - $RPM_BUILD_ROOT/%{DOCDIR}/drafts -install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide -install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images -install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts +install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/images \ + ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts +install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide +install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images +install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts install -m 644 ANNOUNCEMENT \ COPYRIGHT \ LICENSE \ README \ CHANGES \ %{SOURCE5} \ - $RPM_BUILD_ROOT/%{DOCDIR} + ${RPM_BUILD_ROOT}/%{DOCDIR} install -m 644 servers/slapd/slapd.ldif \ - $RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default -rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example -rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README -rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif* -rm -f $RPM_BUILD_ROOT%{_rundir}/slapd/openldap-data/DB_CONFIG.example + ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default +rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example +rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README +rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif* +rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples # Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO # /usr/sbin/service exists only since openSUSE 12.3: 
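Review bot: the `%if "%{name}" == "openldap2"` guard is closed and immediately reopened with the same condition (symlink block, then contrib install block); merge the two into one block. Also worth a second look: `install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap` puts that source into the config directory world-readable in the buildroot; if it is the new slapd.conf.example, which the file list later gives `%attr(640, root, ldap)`, the `%attr` wins at package build, but `-m 640` here keeps the two in step and avoids a readable copy lingering in the build tree.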
@@ -307,16 +376,15 @@ ln -s /sbin/service %{buildroot}%{_sbindir}/rcslapd %endif %endif -rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5 -rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5 +rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5 +rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct -rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la +rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la #put filelists into files cat >openldap2.filelist <<EOF 
@@ -330,36 +398,45 @@ %dir /etc/openldap/schema %config /etc/openldap/schema/*.schema %config /etc/openldap/schema/*.ldif -%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf +%config(noreplace) %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf %config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG %config /var/lib/ldap/DB_CONFIG.example -%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default +%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default +%config %attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.example %config(noreplace) /etc/sasl2/slapd.conf %dir /usr/lib/openldap -%dir /usr/lib/openldap/modules -/usr/lib/openldap/modules/accesslog* -/usr/lib/openldap/modules/auditlog* -/usr/lib/openldap/modules/collect* -/usr/lib/openldap/modules/constraint* -/usr/lib/openldap/modules/dds* -/usr/lib/openldap/modules/deref* -/usr/lib/openldap/modules/dyngroup* -/usr/lib/openldap/modules/dynlist* -/usr/lib/openldap/modules/memberof* -/usr/lib/openldap/modules/pcache* -/usr/lib/openldap/modules/refint* -/usr/lib/openldap/modules/retcode* -/usr/lib/openldap/modules/rwm* -/usr/lib/openldap/modules/seqmod* -/usr/lib/openldap/modules/sssvlv* -/usr/lib/openldap/modules/translucent* -/usr/lib/openldap/modules/unique* -/usr/lib/openldap/modules/valsort* -/usr/lib/openldap/slapd +%dir /%{_libdir}/openldap +%{_libdir}/openldap/back_bdb* +%{_libdir}/openldap/back_hdb* +%{_libdir}/openldap/back_ldap* +%{_libdir}/openldap/back_mdb* +%{_libdir}/openldap/back_monitor* +%{_libdir}/openldap/back_relay* +%{_libdir}/openldap/accesslog* +%{_libdir}/openldap/auditlog* +%{_libdir}/openldap/collect* +%{_libdir}/openldap/constraint* +%{_libdir}/openldap/dds* +%{_libdir}/openldap/deref* +%{_libdir}/openldap/dyngroup* +%{_libdir}/openldap/dynlist* +%{_libdir}/openldap/memberof* +%{_libdir}/openldap/pcache* +%{_libdir}/openldap/ppolicy* +%{_libdir}/openldap/refint* +%{_libdir}/openldap/retcode* +%{_libdir}/openldap/rwm* 
+%{_libdir}/openldap/seqmod* +%{_libdir}/openldap/sssvlv* +%{_libdir}/openldap/syncprov* +%{_libdir}/openldap/translucent* +%{_libdir}/openldap/unique* +%{_libdir}/openldap/valsort* +%{_libdir}/slapd /usr/lib/openldap/start -/usr/lib/systemd/system/slapd.service -%dir %attr(0700, ldap, ldap) /var/lib/ldap -%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd +%{_unitdir}/slapd.service +%dir %attr(0750, ldap, ldap) /var/lib/ldap +%ghost %attr(0750, ldap, ldap) %{_rundir} %doc %{_mandir}/man8/sl* %doc %{_mandir}/man5/slapd.* %doc %{_mandir}/man5/slapd-bdb.* @@ -380,11 +457,6 @@ %doc %{DOCDIR}/CHANGES %doc %{DOCDIR}/slapd.ldif.default EOF -%if %suse_version < 1130 -cat >>openldap2.filelist <<EOF -/usr/sbin/openldap-2.3-slapcat -EOF -%endif # # cat > openldap2-client.filelist <<EOF @@ -424,20 +496,37 @@ %_libdir/libldap*.a EOF cat > openldap2-back-perl.filelist <<EOF -/usr/lib/openldap/modules/back_perl* +%{_libdir}/openldap/back_perl* %doc %{_mandir}/man5/slapd-perl.* EOF +cat > openldap2-back-sock.filelist <<EOF +%{_libdir}/openldap/back_sock* +%doc %{_mandir}/man5/slapd-sock.* +EOF cat > openldap2-back-meta.filelist <<EOF -/usr/lib/openldap/modules/back_meta* +%{_libdir}/openldap/back_meta* %doc %{_mandir}/man5/slapd-meta.* EOF cat > openldap2-back-sql.filelist <<EOF -/usr/lib/openldap/modules/back_sql* +%{_libdir}/openldap/back_sql* %doc %{_mandir}/man5/slapd-sql.* %doc servers/slapd/back-sql/examples %doc servers/slapd/back-sql/docs/bugs %doc servers/slapd/back-sql/docs/install EOF +cat > openldap2-contrib.filelist <<EOF +%{_libdir}/openldap/allowed.* +%{_libdir}/openldap/allop.* +%{_libdir}/openldap/autogroup.* +%{_libdir}/openldap/lastbind.* +%{_libdir}/openldap/noopsrch.* +%{_libdir}/openldap/nops.* +%{_libdir}/openldap/pw-sha2.* +%{_libdir}/openldap/pw-pbkdf2.* +%{_libdir}/openldap/denyop.* +%{_libdir}/openldap/cloak.* +%{_libdir}/openldap/smbk5pwd.* +EOF cat >openldap2-doc.filelist <<EOF %dir %{DOCDIR} %doc %{DOCDIR}/drafts 
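Review bot: `%ghost %attr(0750, ldap, ldap) %{_rundir}` lost the `%dir` that the replaced `%dir %attr(0755, ldap, ldap) %ghost %{_rundir}/slapd` entry had; a ghost path that does not exist in the buildroot is recorded as a regular file unless `%dir` says otherwise, so check with `rpm -qlv` that the package still declares a directory here (the patched slapd.conf puts slapd.pid and slapd.args under /run/slapd). The `/var/lib/ldap` change from 0700 to 0750 opens the database directory to every member of group ldap; keep 0700 unless a group member actually has to traverse it.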
@@ -449,32 +538,20 @@ cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \ openldap2-devel-static.filelist | %else -cat openldap2.filelist openldap2-back-perl.filelist \ +cat openldap2.filelist openldap2-back-perl.filelist openldap2-back-sock.filelist \ openldap2-back-meta.filelist openldap2-back-sql.filelist \ - openldap2-doc.filelist + openldap2-doc.filelist openldap2-contrib.filelist | %endif grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do - rm -rf $RPM_BUILD_ROOT$name + rm -rf ${RPM_BUILD_ROOT}${name} done %if "%{name}" == "openldap2" %pre /usr/sbin/groupadd -g 70 -o -r ldap || : -/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d /var/lib/ldap ldap || : -# try to figure out if a db update is needed -if [ ${1:-0} -gt 1 ] && [ -f /usr/lib/openldap/slapd ] && - /usr/bin/strings /usr/lib/openldap/slapd | \ - grep "slapd 2.3" 2>&1 > /dev/null; -then - # create a backup of the schema shipped with 2.3 - # at least core.schema changed between 2.3 and 2.4 - TEMPDIR=`mktemp -d /etc/openldap/schema.backup.XXXXXX` - echo "Schema backup created in $TEMPDIR" - cp -p --remove-destination /etc/openldap/schema/* $TEMPDIR - echo $TEMPDIR > /etc/openldap/UPDATE_NEEDED ; -fi +/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || : if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then - touch /var/run/enable_slapd_service + touch %{_rundir}/enable_slapd_service fi %service_add_pre slapd.service @@ -486,7 +563,7 @@ %{fillup_only -n openldap ldap} %{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER} %service_add_post slapd.service -if [ -f /var/run/enable_slapd_service ]; then +if [ -f %{_rundir}/enable_slapd_service ]; then /usr/bin/systemctl --quiet enable slapd fi 
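Review bot: `touch %{_rundir}/enable_slapd_service` in `%pre` assumes `%{_rundir}` already exists, but in this package it is only a `%ghost` entry (created at runtime, not by the package), so on a fresh install the touch can fail and the `%post` test for the marker never fires; the removed line used /var/run directly. Either `mkdir -p` the directory first or keep the marker in a directory that is guaranteed to exist. Moving the ldap account's shell from /bin/bash to /bin/false is the right direction; note that `-o` on both `groupadd` and `useradd` still lets gid 70 and uid 76 be shared with an existing account.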
@@ -502,6 +579,9 @@ %files -n openldap2-back-perl -f openldap2-back-perl.filelist %defattr(-,root,root) +%files -n openldap2-back-sock -f openldap2-back-sock.filelist +%defattr(-,root,root) + %files -n openldap2-back-meta -f openldap2-back-meta.filelist %defattr(-,root,root) @@ -511,6 +591,9 @@ %files -n openldap2-doc -f openldap2-doc.filelist %defattr(-,root,root) +%files -n openldap2-contrib -f openldap2-contrib.filelist +%defattr(-,root,root) + %else %post -n libldap-2_4-2 -p /sbin/ldconfig ++++++ 0002-slapd.conf.dif ++++++ --- /var/tmp/diff_new_pack.UGwmDj/_old 2016-01-30 11:30:55.000000000 +0100 +++ /var/tmp/diff_new_pack.UGwmDj/_new 2016-01-30 11:30:55.000000000 +0100 @@ -1,35 +1,38 @@ -From a8be17d4a1db1c6ee24b328f3f34e21ccb02ca3f Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp <rha...@suse.de> -Date: Wed, 16 Jun 2010 14:05:49 +0200 -Subject: slapd.conf - - diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf -index 4938b85..9caf292 100644 +index 4938b85..b9bec75 100644 --- a/servers/slapd/slapd.conf 
+++ b/servers/slapd/slapd.conf -@@ -3,6 +3,10 @@ +@@ -2,7 +2,11 @@ + # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # - include %SYSCONFDIR%/schema/core.schema -+include %SYSCONFDIR%/schema/cosine.schema -+include %SYSCONFDIR%/schema/inetorgperson.schema -+include %SYSCONFDIR%/schema/rfc2307bis.schema -+include %SYSCONFDIR%/schema/yast.schema +-include %SYSCONFDIR%/schema/core.schema ++include /etc/openldap/schema/core.schema ++include /etc/openldap/schema/cosine.schema ++include /etc/openldap/schema/inetorgperson.schema ++include /etc/openldap/schema/rfc2307bis.schema ++include /etc/openldap/schema/yast.schema # Define global ACLs to disable default read access. -@@ -10,8 +14,8 @@ include %SYSCONFDIR%/schema/core.schema +@@ -10,13 +14,13 @@ include %SYSCONFDIR%/schema/core.schema # service AND an understanding of referrals. #referral ldap://root.openldap.org -pidfile %LOCALSTATEDIR%/run/slapd.pid -argsfile %LOCALSTATEDIR%/run/slapd.args -+pidfile %LOCALSTATEDIR%/slapd.pid -+argsfile %LOCALSTATEDIR%/slapd.args ++pidfile /run/slapd/slapd.pid ++argsfile /run/slapd/slapd.args # Load dynamic backend modules: - # modulepath %MODULEDIR% +-# modulepath %MODULEDIR% ++# modulepath /usr/lib/openldap + # moduleload back_bdb.la +-# moduleload back_hdb.la ++moduleload back_hdb.la + # moduleload back_ldap.la + + # Sample security restrictions @@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args # security ssf=1 update_ssf=112 simple_bind=64 
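Review bot: the hunks replace the `%SYSCONFDIR%` and `%LOCALSTATEDIR%` placeholders with hardcoded /etc/openldap and /run/slapd, so the shipped slapd.conf no longer follows the `--sysconfdir` and `--localstatedir` values the spec passes to configure; if the hardcoding is deliberate, the commented `# modulepath /usr/lib/openldap` hint should at least point at `%{_libdir}/openldap`, where the spec now installs the modules (back_hdb.la included). Uncommenting `moduleload back_hdb.la` is required now that hdb is built with `--enable-hdb=mod`; with modulepath left commented it relies on the compiled-in module path, so verify on a 64-bit build that slapd actually finds the module.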
@@ -75,9 +78,12 @@ # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") -@@ -52,6 +66,8 @@ argsfile %LOCALSTATEDIR%/run/slapd.args +@@ -50,8 +64,10 @@ argsfile %LOCALSTATEDIR%/run/slapd.args + # BDB database definitions + ####################################################################### - database bdb +-database bdb ++database hdb suffix "dc=my-domain,dc=com" +checkpoint 1024 5 +cachesize 10000 @@ -92,6 +98,3 @@ +directory /var/lib/ldap # Indices to maintain index objectClass eq --- -1.7.10.4 - ++++++ 0011-Enforce-minimum-DH-size-of-1024.patch -> 0010-Enforce-minimum-DH-size-of-1024.patch ++++++ ++++++ 0011-openldap-re24-its7796.patch ++++++ diff --git a/servers/slapd/back-bdb/filterindex.c b/servers/slapd/back-bdb/filterindex.c index 71e3ea4..bafef72 100644 --- a/servers/slapd/back-bdb/filterindex.c +++ b/servers/slapd/back-bdb/filterindex.c @@ -741,7 +741,7 @@ equality_candidates( &db, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= bdb_equality_candidates: (%s) not indexed\n", ava->aa_desc->ad_cname.bv_val, 0, 0 ); return 0; @@ -858,7 +858,7 @@ approx_candidates( &db, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= bdb_approx_candidates: (%s) not indexed\n", ava->aa_desc->ad_cname.bv_val, 0, 0 ); return 0; @@ -978,7 +978,7 @@ substring_candidates( &db, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= bdb_substring_candidates: (%s) not indexed\n", sub->sa_desc->ad_cname.bv_val, 0, 0 ); return 0; 
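Review bot: lowering the "not indexed" message from LDAP_DEBUG_ANY to LDAP_DEBUG_TRACE in all eight candidate functions is consistent across bdb and mdb, but it also hides the one log line administrators rely on to notice searches that run without an index, and the `loglevel stats` default in slapd.conf.example will no longer show it; mention in the package notes that index tuning now needs `loglevel trace` so missing indexes are still caught.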
@@ -1095,7 +1095,7 @@ inequality_candidates( &db, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= bdb_inequality_candidates: (%s) not indexed\n", ava->aa_desc->ad_cname.bv_val, 0, 0 ); return 0; diff --git a/servers/slapd/back-mdb/filterindex.c b/servers/slapd/back-mdb/filterindex.c index 58c1cc8..20c58b7 100644 --- a/servers/slapd/back-mdb/filterindex.c +++ b/servers/slapd/back-mdb/filterindex.c @@ -709,7 +709,7 @@ equality_candidates( &dbi, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= mdb_equality_candidates: (%s) not indexed\n", ava->aa_desc->ad_cname.bv_val, 0, 0 ); return 0; @@ -825,7 +825,7 @@ approx_candidates( &dbi, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= mdb_approx_candidates: (%s) not indexed\n", ava->aa_desc->ad_cname.bv_val, 0, 0 ); return 0; @@ -944,7 +944,7 @@ substring_candidates( &dbi, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= mdb_substring_candidates: (%s) not indexed\n", sub->sa_desc->ad_cname.bv_val, 0, 0 ); return 0; @@ -1060,7 +1060,7 @@ inequality_candidates( &dbi, &mask, &prefix ); if ( rc == LDAP_INAPPROPRIATE_MATCHING ) { - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "<= mdb_inequality_candidates: (%s) not indexed\n", ava->aa_desc->ad_cname.bv_val, 0, 0 ); return 0; ++++++ 0012-openldap-re24-its8336.patch ++++++ >From fd7bfbc0df0ade534bea84914d385ecf2a73f678 Mon Sep 17 00:00:00 2001 From: Howard Chu <h...@openldap.org> Date: Tue, 8 Dec 2015 18:17:24 +0000 Subject: ITS#8336 fix page_search_root assert on FreeDB Let "illegal" branch pages thru on the FreeDB - the condition is only temporary and will be fixed by the time rebalance finishes. diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c index fa0c9e5..a624cba 100644 
--- a/libraries/liblmdb/mdb.c +++ b/libraries/liblmdb/mdb.c 
@@ -5279,7 +5279,11 @@ mdb_page_search_root(MDB_cursor *mc, MDB_val *key, int flags) indx_t i; DPRINTF(("branch page %"Z"u has %u keys", mp->mp_pgno, NUMKEYS(mp))); - mdb_cassert(mc, NUMKEYS(mp) > 1); + /* Don't assert on branch pages in the FreeDB. We can get here + * while in the process of rebalancing a FreeDB branch page; we must + * let that proceed. ITS#8336 + */ + mdb_cassert(mc, !mc->mc_dbi || NUMKEYS(mp) > 1); DPRINTF(("found index 0 to page %"Z"u", NODEPGNO(NODEPTR(mp, 0)))); if (flags & (MDB_PS_FIRST|MDB_PS_LAST)) {
++++++ README.module-loading ++++++
All of the OpenLDAP backends (except back-config) and overlays are now
compiled as dynamic modules in our packages. If you want to use any of
these in your setup make sure to put the correct "olcModuleLoad" or
"moduleload" statements in your configuration. For details please see the
slapd-config(5) and slapd.conf(5) man pages (depending on which config
mechanism you use).

For a list of the included dynamic modules list all module files:

  ls /usr/lib*/openldap/*.so

Or just the backend files:

  ls /usr/lib*/openldap/back_*.so

Documentation for the overlays can be found in the respective man pages or
in the OpenLDAP Administration Guide, which is part of the "openldap2-doc"
package.

Backend man pages:  man 5 slapd-<back_name>
Overlay man pages:  man 5 slapo-<name>
++++++ SuSEfirewall2.openldap ++++++
## Name: OpenLDAP Server
## Description: Opens ports for the OpenLDAP Server (slapd).
# space separated list of allowed TCP ports
TCP="ldap ldaps"
# space separated list of allowed UDP ports
UDP="ldap"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ ldapns.schema ++++++
# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
	DESC 'IANA GSS-API authorized service name'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
	DESC 'Auxiliary object class for adding authorizedService attribute'
	SUP top
	AUXILIARY
	MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
	DESC 'Auxiliary object class for adding host attribute'
	SUP top
	AUXILIARY
	MAY host )
++++++ openldap-2.4.42.tgz -> openldap-2.4.43.tgz ++++++
++++ 6915 lines of diff (skipped)
++++++ rfc2307bis.schema ++++++
# builtin
#
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
#	DESC 'An integer uniquely identifying a user in an administrative domain'
#	EQUALITY integerMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#	SINGLE-VALUE )

# builtin
#
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#	DESC 'An integer uniquely identifying a group in an
#	administrative domain'
#	EQUALITY integerMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
	DESC 'The GECOS field; the common name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
	DESC 'The absolute path to the home directory'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
	DESC 'The path to the login shell'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
	DESC 'Netgroup triple'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
	DESC 'Service port number'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
	DESC 'Service protocol name'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
	DESC 'IP protocol number'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
	DESC 'ONC RPC number'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
	DESC 'IPv4 addresses as a dotted decimal omitting leading zeros or IPv6 addresses as defined in RFC2373'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
	DESC 'IP network as a dotted decimal, eg. 192.168, omitting leading zeros'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
	DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, omitting leading zeros'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
	DESC 'MAC address in maximal, colon separated hex notation, eg. 00:00:92:90:ee:e2'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
	DESC 'rpc.bootparamd parameter'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
	DESC 'Boot image name'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
	DESC 'Name of a A generic NIS map'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
	DESC 'A generic NIS entry'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
	DESC 'NIS public key'
	EQUALITY octetStringMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
	DESC 'NIS secret key'
	EQUALITY octetStringMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
	DESC 'NIS domain'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
	DESC 'automount Map Name'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
	DESC 'Automount Key value'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
	DESC 'Automount information'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
	DESC 'Abstraction of an account with POSIX attributes'
	MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
	MAY ( userPassword $ loginShell $ gecos $ description ) )

objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
	DESC 'Additional attributes for shadow passwords'
	MUST uid
	MAY ( userPassword $ description $
	      shadowLastChange $ shadowMin $ shadowMax $
	      shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag ) )

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
	DESC 'Abstraction of a group of accounts'
	MUST gidNumber
	MAY ( userPassword $ memberUid $ description ) )

objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
	DESC 'Abstraction an Internet Protocol service.
	      Maps an IP port and protocol (such as tcp or udp)
	      to one or more names; the distinguished value of
	      the cn attribute denotes the services canonical name'
	MUST ( cn $ ipServicePort $ ipServiceProtocol )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
	DESC 'Abstraction of an IP protocol. Maps a protocol number
	      to one or more names. The distinguished value of the cn
	      attribute denotes the protocols canonical name'
	MUST ( cn $ ipProtocolNumber )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
	DESC 'Abstraction of an Open Network Computing (ONC)
	      [RFC1057] Remote Procedure Call (RPC) binding.
	      This class maps an ONC RPC number to a name.
	      The distinguished value of the cn attribute denotes
	      the RPC services canonical name'
	MUST ( cn $ oncRpcNumber )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
	DESC 'Abstraction of a host, an IP device. The distinguished
	      value of the cn attribute denotes the hosts canonical
	      name. Device SHOULD be used as a structural class'
	MUST ( cn $ ipHostNumber )
	MAY ( userPassword $ l $ description $ manager ) )

objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
	DESC 'Abstraction of a network. The distinguished value of
	      the cn attribute denotes the networks canonical name'
	MUST ipNetworkNumber
	MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )

objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
	DESC 'Abstraction of a netgroup. May refer to other netgroups'
	MUST cn
	MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
	DESC 'A generic abstraction of a NIS map'
	MUST nisMapName
	MAY description )

objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
	DESC 'An entry in a NIS map'
	MUST ( cn $ nisMapEntry $ nisMapName )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
	DESC 'A device with a MAC address; device SHOULD be
	      used as a structural class'
	MAY macAddress )

objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
	DESC 'A device with boot parameters; device SHOULD be
	      used as a structural class'
	MAY ( bootFile $ bootParameter ) )

objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
	DESC 'An object with a public and secret key'
	MUST ( cn $ nisPublicKey $ nisSecretKey )
	MAY ( uidNumber $ description ) )

objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
	DESC 'Associates a NIS domain with a naming context'
	MUST nisDomain )

objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
	MUST ( automountMapName )
	MAY description )
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
	DESC 'Automount information'
	MUST ( automountKey $ automountInformation )
	MAY description )

## namedObject is needed for groups without members
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL
	MAY cn )
++++++ slapd.conf.example ++++++
############################################################################
# See slapd.conf(5) for details on configuration options.
# This file SHOULD NOT be world readable.
#
# Important note:
# You surely have to adjust some settings to meet your (security)
# requirements.
# At least you should replace suffix "dc=example,dc=com" by
# something meaningful for your setup.
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
# KDC then you MUST add decent ACLs for protecting user credentials!
#
# Read the man pages before changing something!
#
# You can debug the config by running (as root while slapd stopped):
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
############################################################################

#---------------------------------------------------------------------------
# slapd global parameters
#---------------------------------------------------------------------------

# serverID must be unique across all provider replicas
# for using multi-master replication (MMR)
serverID 99

# only alter this when you know what you're doing
#threads 4

# Run-time files
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# for more debugging set:
#loglevel config stats stats2
loglevel stats

#---------------------------------------------------------------------------
# Load runtime loadable modules
#---------------------------------------------------------------------------

# Load additional backend modules installed by package 'openldap2'
# The following backends are statically built-in and therefore don't have
# to be loaded here:
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
#moduleload back_
#moduleload back_
#moduleload back_mdb
#moduleload back_meta
#moduleload back_sock

# Load additional overlay modules installed by package 'openldap2'
# The following overlays are statically built-in and therefore don't have
# to be loaded here:
# ppolicy, syncprov
#moduleload accesslog
#moduleload constraint
#moduleload dds
#moduleload deref
#moduleload dynlist
#moduleload memberof
moduleload refint
#moduleload sssvlv
#moduleload translucent
moduleload unique
#moduleload valsort

# Load additional overlay modules installed by package 'openldap2-contrib'
#moduleload allowed
#moduleload lastbind
#moduleload noopsrch
#moduleload pw-pbkdf2
#moduleload pw-sha2
#moduleload smbk5pwd

#---------------------------------------------------------------------------
# Include schema files
#---------------------------------------------------------------------------

# Schema files installed by package 'openldap2'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/yast.schema
# Schema file installed by package 'dhcp-server'
#include /etc/openldap/schema/dhcp.schema
# Schema file installed by package 'samba'
#include /etc/openldap/schema/samba3.schema
# Schema file installed by package 'krb5-plugin-kdb-ldap'
#include /usr/share/doc/packages/krb5/kerberos.schema

#---------------------------------------------------------------------------
# Transport Layer Security (TLS) configuration
#---------------------------------------------------------------------------

# require at least TLS 1.0 and highly secure ciphers
#TLSProtocolMin 3.1
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
# TLS certificate and key files
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
#TLSDHParamFile /etc/openldap/ssl.key/dhparam

#---------------------------------------------------------------------------
# Password hashing
#---------------------------------------------------------------------------

#password-hash {CRYPT}
# Parameters for {CRYPT} scheme: SHA-512, 72 bits of salt, 5000 iterations
#password-crypt-salt-format "$6$%.12s"

#---------------------------------------------------------------------------
# Security requirements
#---------------------------------------------------------------------------

#disallow bind_anon
#require bind LDAPv3 strong

# SSF value for ldapi://
localSSF 256

# minimum required SSF value (security strength factor)
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=128 update_ssf=256 simple_bind=128
security ssf=0

#---------------------------------------------------------------------------
# Global access control (ACLs)
#---------------------------------------------------------------------------

# Root DSE: allow anyone to read it
access to dn.base=""
	by * read

# Sub schema sub entry: allow anyone to read it
access to dn.base="cn=Subschema"
	by * read

#---------------------------------------------------------------------------
# Authz-DN mappings
#---------------------------------------------------------------------------

# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp
	"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
	"cn=root,dc=example,dc=com"

# Map local system user to LDAP entry
# if connected via IPC socket (ldapi:///) and
SASL/EXTERNAL was used authz-regexp "gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth" "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))" # this maps the attribute uid to a LDAP entry # if one of the typical password-based SASL mechs was used authz-regexp "uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth" "ldap:///dc=example,dc=com??sub?(uid=$1)" # this maps the attribute uid to a LDAP entry # if one of the Kerberos based SASL mechs was used #authz-regexp # "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth" # "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))" # Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used #authz-regexp # "(.+)" # "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))" #=========================================================================== # Database specific configuration sections below # Required order of databases: # config (first), ...others..., monitor (last) #=========================================================================== #--------------------------------------------------------------------------- # cn=config // Configuration database (always first!) # see slapd-config(5) #--------------------------------------------------------------------------- database config # Cleartext passwords, especially for the rootdn, should # be avoid! See slappasswd(8) and slapd.conf(5) for details. # Best thing is not to set rootpw at all! # For local config access by root use LDAPI with SASL/EXTERNAL instead # (see above). 
#rootpw secret access to dn.subtree="cn=config" by dn.exact="cn=root,dc=example,dc=com" manage by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read by * none #--------------------------------------------------------------------------- # dc=example,dc=com // Example MDB database to be used by normal clients # see slapd-mdb(5) #--------------------------------------------------------------------------- database mdb suffix "dc=example,dc=com" # rootdn has to be set for overlays' internal operations rootdn "cn=root,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid! See slappasswd(8) and slapd.conf(5) for details. # Best thing is not to set rootpw at all! rootpw secret # The database directory MUST exist prior to running slapd and # SHOULD only be accessible by the slapd user 'ldap'. # mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db directory /var/lib/ldap/example-db # Permissions of database files created mode 0600 # extra information to be available in cn=monitor for this database monitoring on # Perform ACL checks on the content of a new entry being added add_content_acl on # backend-specific database parameters checkpoint 1024 5 # 100 MB (you can raise the limit later) maxsize 104857600 # Indices to maintain # # Whenever you change indexing configuration you have to re-run slapindex # while slapd being stopped! # Don't forget to fix ownership/permissions of newly generated index files # afterwards! # set always! 
index objectClass eq # for typical address book use index cn,sn,givenName,mail eq,sub # for user management index uid,uidNumber,gidNumber eq # for authz-regexp mapping of Kerberos principal name #index krbPrincipalName,krbPrincipalAlias eq # for authz-regexp mapping of client cert subject DNs #index seeAlso eq # for syncrepl index entryUUID,entryCSN eq # access control lists (ACLs) for dc=example,dc=com # see slapd.access(5) for details on access control lists (ACLs) # full read access also to 'userPassword' for group of replicas # and control is forwarded to subsequent ACLs access to dn.subtree=dc=example,dc=com by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read by * break # write-only access to 'userPassword' for user, auth access else access to attrs=userPassword by self =w by * auth # 'userPKCS' must only be accessible by self access to attrs=userPKCS12 by self write by * none # No access to history of passwords #access to # attrs=pwdHistory # by * none # Catch-all ACL for the rest access to dn.subtree=dc=example,dc=com by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage by self read by users read by * auth # see slapo-ppolicy(5) overlay ppolicy # Default password policy entry #ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com # Hash clear-text userPassword values sent in with add/modify operations #ppolicy_hash_cleartext # Return AccountLocked error code to client #ppolicy_use_lockout # see slapo-refint(5) overlay refint refint_attributes member seeAlso refint_nothing cn=dummy # Check sub-tree wide uniqueness of certain attributes # see slapo-unique(5) # you have to add eq-index for efficient uniqueness check! 
# Note that filter part is currently ignored because of OpenLDAP ITS#6825 overlay unique unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub" unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))" #unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub" #unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub" #unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub" #unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub" #overlay syncprov #mirrormode on #--------------------------------------------------------------------------- # cn=monitor // Monitoring database (always last!) # see slapd-monitor(5) #--------------------------------------------------------------------------- database monitor access to dn.subtree="cn=monitor" by dn.exact="cn=root,dc=example,dc=com" write by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write by users read ++++++ slapd.service ++++++ [Unit] Description=OpenLDAP Server Daemon After=syslog.target network.target [Service] Type=forking ExecStart=/usr/lib/openldap/start [Install] WantedBy=multi-user.target ++++++ start ++++++ #! /bin/sh # Copyright (c) 1997-2000 SuSE GmbH Nuernberg, Germany. # Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany. # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # # Author: Carsten Hoeger # Ralf Haferkamp # # /etc/init.d/ldap # ### BEGIN INIT INFO # Provides: ldap # Required-Start: $network $remote_fs # Required-Stop: $network $remote_fs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: OpenLDAP Server (slapd) # Description: Start and Stop the OpenLDAP Server (slapd) to # provide LDAP directory services. ### END INIT INFO # Determine the base and follow a runlevel link name. base=${0##*/} link=${base#*[SK][0-9][0-9]} test -f /etc/sysconfig/openldap && . 
/etc/sysconfig/openldap SLAPD_BIN=/usr/sbin/slapd LDAP_URLS="" LDAPS_URLS="" LDAPI_URLS="" SLAPD_CONFIG_ARG="-F /etc/openldap/slapd.d" SLAPD_PID_DIR="/var/run/slapd/" test -x $SLAPD_BIN || exit 5 # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v ditto but be verbose in local rc status # rc_status -v -r ditto and clear the local rc status # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num><num> # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status . /etc/rc.status # First reset status of this service rc_reset function init_ldap_listener_urls(){ case "$OPENLDAP_START_LDAP" in [Yy][Ee][Ss]) if [ -n "$OPENLDAP_LDAP_INTERFACES" ] then for iface in $OPENLDAP_LDAP_INTERFACES ;do LDAP_URLS="$LDAP_URLS ldap://$iface" done else LDAP_URLS="ldap:///" fi ;; esac } function init_ldapi_listener_urls(){ case "$OPENLDAP_START_LDAPI" in [Yy][Ee][Ss]) if [ -n "$OPENLDAP_LDAPI_INTERFACES" ] then for iface in $OPENLDAP_LDAPI_INTERFACES ;do esc_iface=`echo "$iface" | sed -e s'/\\//\\%2f/'g` LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface" done else LDAPI_URLS="ldapi:///" fi ;; esac } function init_ldaps_listener_urls(){ case "$OPENLDAP_START_LDAPS" in [Yy][Ee][Ss]) if [ -n "$OPENLDAP_LDAPS_INTERFACES" ] then for iface in $OPENLDAP_LDAPS_INTERFACES ;do LDAPS_URLS="$LDAPS_URLS ldaps://$iface" done else LDAPS_URLS="ldaps:///" fi ;; esac } function check_connection(){ SLAPD_TIMEOUT=10 START=$( date +%s) while [ $(( $( date +%s) - ${START} )) -lt ${SLAPD_TIMEOUT} ]; do ldapsearch -x -H "$LDAP_URLS $LDAPI_URLS $LDAPS_URLS" -b "" -s base &>/dev/null LDAPSEARCH_RC=$? 
if [ ${LDAPSEARCH_RC} -ge 0 ] && [ ${LDAPSEARCH_RC} -le 80 ] ; then break else sleep 1 fi done } depth=0; function chown_database_dirs_bconfig() { ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}') for dir in $ldapdir; do [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ chown -R $OPENLDAP_USER $dir 2>/dev/null [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null done } function chown_database_dirs() { ldapdir=`grep ^directory $1 | awk '{print $2}'` for dir in $ldapdir; do [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ chown -R $OPENLDAP_USER $dir 2>/dev/null [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null done includes=`grep ^include $1 | awk '{print $2}'` if [ $depth -le 50 ]; then depth=$(( $depth + 1 )); for i in $includes; do chown_database_dirs "$i" ; done fi } USER_CMD="" GROUP_CMD="" [ ! "x$OPENLDAP_USER" = "x" ] && USER_CMD="-u $OPENLDAP_USER" [ ! "x$OPENLDAP_GROUP" = "x" ] && GROUP_CMD="-g $OPENLDAP_GROUP" [ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf" if [ -f /etc/openldap/UPDATE_NEEDED ]; then rc_failed 6 echo " The configuration of your LDAP server needs to be updated." echo " Please see /usr/share/doc/packages/openldap2/README.update" echo " for details." echo " After the update please remove the file:" echo " /etc/openldap/UPDATE_NEEDED" rc_status -v exit fi # chown backend directories if OPENLDAP_CHOWN_DIRS ist set if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null chown_database_dirs_bconfig "/etc/openldap/slapd.d" # assume back-config usage if slapd.conf is not present but slapd.d is elif [ ! 
-f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null chown_database_dirs_bconfig "/etc/openldap/slapd.d" else chown_database_dirs "/etc/openldap/slapd.conf" chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null fi if test -f /etc/sasl2/slapd.conf ; then chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null chmod 640 /etc/sasl2/slapd.conf 2>/dev/null fi if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/} if test -f $keytabfile ; then chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null chmod g+r $keytabfile 2>/dev/null fi fi fi fi if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then export KRB5_KTNAME=$OPENLDAP_KRB5_KEYTAB fi case "$OPENLDAP_REGISTER_SLP" in [Yy][Ee][Ss]) SLAPD_SLP_REG="-o slp=on" ;; *) SLAPD_SLP_REG="-o slp=off" ;; esac init_ldap_listener_urls init_ldapi_listener_urls init_ldaps_listener_urls if [ ! -d $SLAPD_PID_DIR ]; then mkdir -p $SLAPD_PID_DIR chown ldap:ldap $SLAPD_PID_DIR fi echo -n "Starting ldap-server" exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \ $SLAPD_CONFIG_ARG $USER_CMD $GROUP_CMD \ $OPENLDAP_SLAPD_PARAMS $SLAPD_SLP_REG ++++++ sysconfig.openldap ++++++ ## Path: Network/LDAP ## Description: Basic Configuration of the OpenLDAP Directory Server ## Type: yesno ## Default: yes ## ServiceRestart: ldap # # If set to "no" the LDAP server will not accept any "normal" LDAP connections # but just connections over "ldaps" or "ldapi". Setting this to "no" does only # make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set # "yes". # OPENLDAP_START_LDAP="yes" ## Type: yesno ## Default: no ## ServiceRestart: ldap # # If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't # forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options # to the /etc/openldap/slapd.conf (man slapd.conf). 
# Note: Don't confuse this with "START_TLS", the preferred method for
# making encrypted LDAP connections, which is enabled as soon as you
# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
# file.
#
OPENLDAP_START_LDAPS="no"

## Type:            yesno
## Default:         no
## ServiceRestart:  ldap
#
# If set to "yes" the "ldap over IPC" feature of slapd will be enabled.
# The ldap server creates a Unix domain socket as /var/run/slapd/ldapi.
# Default: no
#
OPENLDAP_START_LDAPI="yes"

## Type:            string
## Default:         ""
## ServiceRestart:  ldap
#
# If not empty, additional parameters for the slapd daemon.
# Default: ""
#
OPENLDAP_SLAPD_PARAMS=""

## Type:            string
## Default:         ldap
## ServiceRestart:  ldap
#
# specifies the user as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_USER="ldap"

## Type:            string
## Default:         ldap
## ServiceRestart:  ldap
#
# specifies the group as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_GROUP="ldap"

## Type:            yesno
## Default:         yes
## ServiceRestart:  ldap
#
# If set to "yes" the init scripts will change the owner/group of the
# different backend database directories (e.g. /var/lib/ldap) to the
# user/group specified above
#
OPENLDAP_CHOWN_DIRS="yes"

## Type:            string
## Default:         ""
## ServiceRestart:  ldap
#
# Use this to specify the interfaces on which the server should accept
# LDAP connections. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# port number the daemon should listen on (defaulting to 389). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAP" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAP_INTERFACES=""

## Type:            string
## Default:         ""
## ServiceRestart:  ldap
#
# Use this to specify the interfaces on which the server should accept
# LDAPS connections. The values are specified in the format
# <address>:<port>, where address is an IP address and port is the
# port number the daemon should listen on (defaulting to 636). If this
# parameter is empty the server will attach to all interfaces. This
# parameter is only evaluated if "OPENLDAP_START_LDAPS" is set to
# "yes"
# Default: ""
#
OPENLDAP_LDAPS_INTERFACES=""

## Type:            string
## Default:         ""
## ServiceRestart:  ldap
#
# Use this to specify the paths of the Unix Domain Sockets that
# the server should create and accept incoming LDAPI connections
# on. This parameter is only evaluated if "OPENLDAP_START_LDAPI"
# is set to "yes".
# Default: ""
#
OPENLDAP_LDAPI_INTERFACES=""

## Type:            yesno
## Default:         "yes"
## ServiceRestart:  ldap
#
# If set to "no" the LDAP server will not try to register itself with a
# running SLP daemon.
# Default: "yes"
#
OPENLDAP_REGISTER_SLP="no"

## Type:            string
## Default:         ""
## ServiceRestart:  ldap
#
# Set this to the name of the keytab, if you want to use a non-default
# Kerberos Keytab. If OPENLDAP_CHOWN_DIRS is set to "yes" the permissions of
# this file will be changed so that the group OPENLDAP_GROUP has read
# access to the file.
# Example: OPENLDAP_KRB5_KEYTAB="FILE:/etc/openldap/krb5.keytab"
# Default: ""
#
OPENLDAP_KRB5_KEYTAB=""

## Type:            string
## Default:         "files"
## ServiceRestart:  ldap
#
# Here you can configure which of the configuration backends you want to
# use. Possible values are "files" for slapd.conf(5) style configuration or
# "ldap" for the slapd-config(5) LDAP based configuration backend.
#
OPENLDAP_CONFIG_BACKEND=""

## Type:            yesno
## Default:         "yes"
## ServiceRestart:  ldap
#
# Here you can configure if the slapd shall start with or without memory limit.
#
OPENLDAP_MEMORY_LIMIT="yes"

++++++ yast.schema ++++++
## Some macros

objectidentifier SUSE 1.3.6.1.4.1.7057
objectidentifier SUSE.YaST SUSE:10.1
objectidentifier SUSE.YaST.ModuleConfig SUSE:10.1.2
objectidentifier SUSE.YaST.ModuleConfig.OC SUSE.YaST.ModuleConfig:1
objectidentifier SUSE.YaST.ModuleConfig.Attr SUSE.YaST.ModuleConfig:2

# Attributes

# deprecated
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:1 NAME ( 'userConfigDn' )
#    DESC 'Where is the configuration for user management stored'
#    EQUALITY distinguishedNameMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:2 NAME ( 'suseDefaultBase' )
    DESC 'Base DN where new Objects should be created by default'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:3 NAME ( 'suseNextUniqueId' )
    DESC 'Next unused unique ID, can be used to generate directory wide unique IDs'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:4 NAME ( 'suseMinUniqueId' )
    DESC 'lower Border for Unique IDs'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:5 NAME ( 'suseMaxUniqueId' )
    DESC 'upper Border for Unique IDs'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:6 NAME ( 'suseDefaultTemplate' )
    DESC 'The DN of a template that should be used by default'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:7 NAME ( 'suseSearchFilter' )
    DESC 'Search filter to localize Objects'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# deprecated
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:8 NAME ( 'DefaultObjectClass' )
#    DESC 'ObjectClass that new Objects should use'
#    EQUALITY caseIgnoreIA5Match
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:9 NAME ( 'suseRequiredAttribute' )
#    DESC ''
#    EQUALITY caseIgnoreIA5Match
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
#attributetype ( SUSE.YaST.ModuleConfig.Attr:10 NAME ( 'allowedAttribute' )
#    DESC ''
#    EQUALITY caseIgnoreIA5Match
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:11 NAME ( 'suseDefaultValue' )
    DESC 'Attribute-Value-Assertions to define defaults for specific Attributes'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:12 NAME ( 'suseNamingAttribute' )
    DESC 'AttributeType that should be used as the RDN'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:15 NAME ( 'suseSecondaryGroup' )
    DESC 'secondary group DN'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:16 NAME ( 'suseMinPasswordLength' )
    DESC 'minimum Password length for new users'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:17 NAME ( 'suseMaxPasswordLength' )
    DESC 'maximum Password length for new users'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:18 NAME ( 'susePasswordHash' )
    DESC 'Hash method to use for new users'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:19 NAME ( 'suseSkelDir' )
    DESC ''
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:20 NAME ( 'susePlugin' )
    DESC 'plugin to use upon user/ group creation'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:21 NAME ( 'suseMapAttribute' )
    DESC ''
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( SUSE.YaST.ModuleConfig.Attr:22 NAME ( 'suseImapServer' )
    DESC ''
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:23 NAME ( 'suseImapAdmin' )
    DESC ''
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:24 NAME ( 'suseImapDefaultQuota' )
    DESC ''
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributetype ( SUSE.YaST.ModuleConfig.Attr:25 NAME ( 'suseImapUseSsl' )
    DESC ''
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

# ObjectClasses

objectClass ( SUSE.YaST.ModuleConfig.OC:2 NAME 'suseModuleConfiguration'
    SUP top STRUCTURAL
    DESC 'Contains configuration of Management Modules'
    MUST ( cn )
    MAY ( suseDefaultBase ))

objectClass ( SUSE.YaST.ModuleConfig.OC:3 NAME 'suseUserConfiguration'
    SUP suseModuleConfiguration STRUCTURAL
    DESC 'Configuration of user management tools'
    MAY ( suseMinPasswordLength $ suseMaxPasswordLength $ susePasswordHash $
          suseSkelDir $ suseNextUniqueId $ suseMinUniqueId $ suseMaxUniqueId $
          suseDefaultTemplate $ suseSearchFilter $ suseMapAttribute ))

objectClass ( SUSE.YaST.ModuleConfig.OC:4 NAME 'suseObjectTemplate'
    SUP top STRUCTURAL
    DESC 'Base Class for Object-Templates'
    MUST ( cn )
    MAY ( susePlugin $ suseDefaultValue $ suseNamingAttribute ))

objectClass ( SUSE.YaST.ModuleConfig.OC:5 NAME 'suseUserTemplate'
    SUP suseObjectTemplate STRUCTURAL
    DESC 'User object template'
    MUST ( cn )
    MAY ( suseSecondaryGroup ))

objectClass ( SUSE.YaST.ModuleConfig.OC:6 NAME 'suseGroupTemplate'
    SUP suseObjectTemplate STRUCTURAL
    DESC 'Group object template'
    MUST ( cn ))

objectClass ( SUSE.YaST.ModuleConfig.OC:7 NAME 'suseGroupConfiguration'
    SUP suseModuleConfiguration STRUCTURAL
    DESC 'Configuration of user management tools'
    MAY ( suseNextUniqueId $ suseMinUniqueId $ suseMaxUniqueId $
          suseDefaultTemplate $ suseSearchFilter $ suseMapAttribute ))

objectClass ( SUSE.YaST.ModuleConfig.OC:8 NAME 'suseCaConfiguration'
    SUP suseModuleConfiguration STRUCTURAL
    DESC 'Configuration of CA management tools')

objectClass ( SUSE.YaST.ModuleConfig.OC:9 NAME 'suseDnsConfiguration'
    SUP suseModuleConfiguration STRUCTURAL
    DESC 'Configuration of mail server management tools')

objectClass ( SUSE.YaST.ModuleConfig.OC:10 NAME 'suseDhcpConfiguration'
    SUP suseModuleConfiguration STRUCTURAL
    DESC 'Configuration of DHCP server management tools')

objectClass ( SUSE.YaST.ModuleConfig.OC:11 NAME 'suseMailConfiguration'
    SUP suseModuleConfiguration STRUCTURAL
    DESC 'Configuration of IMAP user management tools'
    MUST ( suseImapServer $ suseImapAdmin $ suseImapDefaultQuota $ suseImapUseSsl ))
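The authz-regexp block in slapd.conf.example above decides which local process ends up as the rootdn of dc=example,dc=com over ldapi:///, so it is worth seeing the evaluation order spelled out. The following Python model is an added illustration and not part of the package sources or of OpenLDAP: it takes the three active rules as slapd reads them after unquoting ("\\+" in the file is one escaped plus) and applies them the way slapd does, first matching pattern wins, matched case-insensitively (which the all-lowercase second rule relies on) and without implicit anchoring, with $1..$9 replaced by the captured groups. The names map_authz_dn, peercred_dn and grants_rootdn are this example's own.

```python
import re

# The three active authz-regexp rules from slapd.conf.example, in file order,
# written as slapd sees them after unquoting the config file's strings.
AUTHZ_REGEXP_RULES = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=root,dc=example,dc=com"),
    (r"gidnumber=([0-9]+)\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth",
     "ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"),
    (r"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]


def map_authz_dn(authz_dn, rules=AUTHZ_REGEXP_RULES):
    """Model of slapd's authz-regexp evaluation: the first pattern that matches
    the SASL authorization DN wins, and $0..$9 in its replacement are filled
    with the matched groups. Returns the resulting DN or LDAP URL, or None
    when no rule matches (the identity then keeps its cn=auth pseudo-DN and
    has no entry in the directory)."""
    for pattern, replacement in rules:
        m = re.search(pattern, authz_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$([0-9])", lambda g: m.group(int(g.group(1))), replacement)
    return None


def peercred_dn(uid, gid):
    """The pseudo-DN slapd derives from the peer credentials of an ldapi:///
    connection authenticated with SASL/EXTERNAL."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def grants_rootdn(uid, gid):
    """True when a local process with these credentials would be mapped to the
    rootdn of dc=example,dc=com by the rules above."""
    return map_authz_dn(peercred_dn(uid, gid)) == "cn=root,dc=example,dc=com"


if __name__ == "__main__":
    for ident in (peercred_dn(0, 0), peercred_dn(1000, 100),
                  "uid=alice,cn=DIGEST-MD5,cn=auth", "uid=alice,cn=GSSAPI,cn=auth"):
        print(f"{ident}\n  -> {map_authz_dn(ident)}")
```

Two things the model makes visible: only the exact pair uid 0 and gid 0 reaches the rootdn (root running with another primary group falls through to the posixAccount search), and an identity from a mechanism that no rule names, such as GSSAPI while its rule is still commented out, maps to nothing. When a rule yields an LDAP URL rather than a DN, slapd additionally requires that the search return exactly one entry; otherwise the mapping fails.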
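The comments in slapd.conf.example insist on three things that are easy to get wrong and that the shipped example itself leaves in the weak state for demonstration purposes: the file must not be world readable, rootpw should be a slappasswd(8) hash or absent, and "security ssf=0" demands no transport protection. Here is an added audit script for those points, written for this page and not part of the openldap2 package; it follows include directives with the same depth cap of 50 that the start script's chown_database_dirs uses, joins slapd.conf continuation lines, and runs on a constructed sample tree. The names parse_directives, audit_slapd_conf and build_sample_tree and the sample contents are this example's own.

```python
import os
import re
import stat
import tempfile

# Same cap the packaged start script uses when chown_database_dirs follows includes.
MAX_INCLUDE_DEPTH = 50

# Hashed rootpw values carry a {SCHEME} prefix ({SSHA}, {CRYPT}, {SASL}, ...).
HASHED_PW = re.compile(r"^\{[A-Za-z0-9-]+\}")


def parse_directives(path, depth=0):
    """Yield (file, directive, args) for each directive of a slapd.conf(5)-style
    file, descending into 'include' files. A line that starts with whitespace
    continues the previous line, as in slapd.conf itself; '#' lines are comments."""
    if depth > MAX_INCLUDE_DEPTH:
        return
    with open(path) as fh:
        raw = fh.read().splitlines()
    logical = []
    for line in raw:
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    for line in logical:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        yield path, directive, args
        if directive == "include":
            yield from parse_directives(args.strip('"'), depth + 1)


def audit_slapd_conf(path):
    """Return a list of findings for the weak settings slapd.conf.example warns about."""
    findings = []
    files = [path]
    for src, directive, args in parse_directives(path):
        if directive == "include":
            files.append(args.strip('"'))
        elif directive == "rootpw" and not HASHED_PW.match(args.strip('"')):
            findings.append(f"{src}: cleartext rootpw; use a slappasswd(8) hash or, better, no rootpw at all")
        elif directive == "security" and re.search(r"(^|\s)ssf=0(\s|$)", args):
            findings.append(f"{src}: 'security ssf=0' requires no transport protection at all")
    for f in files:
        mode = stat.S_IMODE(os.stat(f).st_mode)
        if mode & stat.S_IROTH:
            findings.append(f"{f}: world-readable (mode {mode:04o})")
    return findings


def build_sample_tree():
    """Write a constructed slapd.conf plus one included file into a temporary
    directory (sample data for this example, not the package's files) and
    return the main file's path."""
    d = tempfile.mkdtemp(prefix="slapd-audit-")
    main = os.path.join(d, "slapd.conf")
    inc = os.path.join(d, "databases.conf")
    with open(inc, "w") as fh:
        fh.write(
            "database mdb\n"
            'suffix "dc=example,dc=com"\n'
            'rootdn "cn=root,dc=example,dc=com"\n'
            "# constructed placeholder, not real slappasswd(8) output\n"
            "rootpw {SSHA}placeholder-hash-value\n"
            "directory /var/lib/ldap/example-db\n"
            "\n"
            "database mdb\n"
            'suffix "dc=other,dc=example"\n'
            "rootpw secret\n"
        )
    with open(main, "w") as fh:
        fh.write(
            "# constructed sample; see slapd.conf(5)\n"
            "pidfile /var/run/slapd/slapd.pid\n"
            "security ssf=0\n"
            'access to dn.base=""\n'
            "\tby * read\n"
            f"include {inc}\n"
        )
    os.chmod(main, 0o644)   # the mistake the example's header warns about
    os.chmod(inc, 0o640)
    return main


if __name__ == "__main__":
    for finding in audit_slapd_conf(build_sample_tree()):
        print(finding)
```

On the sample tree the script reports exactly three findings: the ssf=0 line and the 0644 mode of the main file, and the cleartext rootpw of the second database in the included file; the hashed rootpw of the first database and the 0640 include pass. Pointing it at a real /etc/openldap/slapd.conf works the same way, since the include paths are resolved as slapd would resolve them.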