On Tue, Nov 09, 2010 at 03:25:20PM +0100, Pierre-Emmanuel André wrote:
> Hi,
> 
> Our version of OpenLDAP is a "bit" outdated..
> The following diff will upgrade it to the latest 
> stable version aka 2.4.23.
> 
> As discussed with other porters, the "best" plan seems
> to be:
> 
> + upgrade databases/openldap to 2.4.23
> + provide databases/openldap23 which will contain only
> the -server part of our current version (2.3.43).
> 
> Important thing to know about this upgrade:
> + ldbm backend has been removed. You must backup all 
> your data *before* the upgrade (pkg_add will warn you)
> + the default backend will be bdb
> + slurp has been removed
> 
> You will need the following diff to unbreak some apps (evolution-data-server,
> evolution, evolution-exchange, seahorse, zarafa, ruby-ldap). All of 
> these has been found by landry@ while doing a bulk with this upgrade (thanks).
> 
> Stephan@ tried it on his production server (with success). I use it too.
> I would like to thanks ajacoutot@,bernd@,jasper@,landry@,sthen@ and stephan@ 
> for their help/avdices/comments/tests !
> 
> Please test this upgrade and give me feedbacks.
> 

Updated diff:
+ fix a typo in PLIST-server (spotted by Mikolaj Kucharski)
+ add a rc script


-- 
Pierre-Emmanuel André <pea at raveland.org>
GPG key: 0x7AE329DC
Index: Makefile
===================================================================
RCS file: /cvs/ports/databases/openldap/Makefile,v
retrieving revision 1.96
diff -u -p -r1.96 Makefile
--- Makefile    6 Nov 2010 22:50:02 -0000       1.96
+++ Makefile    10 Nov 2010 14:01:44 -0000
@@ -3,18 +3,16 @@
 COMMENT-main=  Open source LDAP software (client)
 COMMENT-server=        Open source LDAP software (server)
 
-DISTNAME=              openldap-2.3.43
+DISTNAME=              openldap-2.4.23
 PKGNAME-main=          ${DISTNAME:S/-/-client-/}
 PKGNAME-server=                ${DISTNAME:S/-/-server-/}
-REVISION-main=         2
-REVISION-server=       4
 
-SHARED_LIBS += lber                 9.1      # .2.15
-SHARED_LIBS += ldap                 9.1      # .2.15
-SHARED_LIBS += ldap_r               9.1      # .2.15
-SHARED_LIBS += lber-2.3             9.1      # .2.15
-SHARED_LIBS += ldap-2.3             9.1      # .2.15
-SHARED_LIBS += ldap_r-2.3           9.1      # .2.15
+SHARED_LIBS += lber                 10.0      # .7.6
+SHARED_LIBS += ldap                 10.0      # .7.6
+SHARED_LIBS += ldap_r               10.0      # .7.6
+SHARED_LIBS += lber-2.4             10.0      # .7.6
+SHARED_LIBS += ldap-2.4             10.0      # .7.6
+SHARED_LIBS += ldap_r-2.4           10.0      # .7.6
 CATEGORIES=    databases net
 
 HOMEPAGE=      http://www.openldap.org/
@@ -23,7 +21,7 @@ PERMIT_PACKAGE_CDROM= Yes
 PERMIT_PACKAGE_FTP=    Yes
 PERMIT_DISTFILES_CDROM=        Yes 
 PERMIT_DISTFILES_FTP=  Yes
-WANTLIB=               c crypto ssl asn1 com_err gssapi krb5
+WANTLIB=               c crypto ssl asn1 com_err gssapi krb5 sasl2 
 
 MASTER_SITES=  ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/ \
                ftp://sunsite.cnlab-switch.ch/mirror/OpenLDAP/openldap-release/ 
\
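Review bot: `sasl2` is now listed twice in `WANTLIB`: it is added to the base assignment here, while the unchanged line `WANTLIB += sasl2` (visible as context in the later `@@ -62,37 +63,23 @@` hunk) still appends it. Keep one of the two, preferably the `WANTLIB += sasl2` that sits next to the matching `LIB_DEPENDS` entry. The added line also ends in a trailing space after `sasl2`.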
@@ -35,12 +33,14 @@ MASTER_SITES=       ftp://ftp.OpenLDAP.org/pub
 EXTRACT_SUFX=          .tgz
 
 SEPARATE_BUILD=                concurrent
-CONFIGURE_STYLE=       gnu
+AUTOCONF_VERSION=      2.61
+CONFIGURE_STYLE=       gnu autoconf
 USE_GROFF =    Yes
 
 CONFIGURE_ARGS+=       ${CONFIGURE_SHARED} \
                        --localstatedir="/var" \
-                       --enable-ipv6
+                       --enable-ipv6 \
+                       --with-tls=openssl
 
 # slapd options
 CONFIGURE_ARGS+=       --enable-slapd \
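Review bot: Nothing in this hunk says why `autoconf` is added to `CONFIGURE_STYLE` and `AUTOCONF_VERSION` is pinned. A one-line comment above the two lines would help the next porter, e.g. `# configure is regenerated: the port patches configure.in, aclocal.m4 and build/openldap.m4`. That reason is inferred from the rest of this diff, where patches/patch-configure is removed and patches for those three inputs are added, so confirm it before committing the wording.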
@@ -52,9 +52,10 @@ CONFIGURE_ARGS+=     --enable-slapd \
                        --enable-spasswd
 
 # slapd modules
-CONFIGURE_ARGS+=       --enable-dnssrv \
+CONFIGURE_ARGS+=       --enable-bdb \
+                       --enable-dnssrv \
+                       --enable-hdb \
                        --enable-ldap \
-                       --enable-ldbm \
                        --enable-meta \
                        --enable-monitor \
                        --enable-null \
@@ -62,37 +63,23 @@ CONFIGURE_ARGS+=    --enable-dnssrv \
                        --enable-perl \
                        --enable-shell
 
-# slurpd modules
-CONFIGURE_ARGS+=        --enable-slurpd
 
 MODGNU_CONFIG_GUESS_DIRS=      ${WRKSRC} ${WRKSRC}/build
 
 REGRESS_TARGET=        test
 
-FLAVORS=       bdb
-FLAVOR?=
-
 MULTI_PACKAGES=        -main -server
 
 LIB_DEPENDS +=         ::security/cyrus-sasl2
 WANTLIB +=             sasl2
 CPPFLAGS +=            -I${LOCALBASE}/include/sasl
 
-.if ${FLAVOR:L:Mbdb}
-BROKEN =               OpenLDAP 2.3 is incompatible with Berkeley DB 4.6
-CONFIGURE_ARGS +=      --enable-bdb --enable-hdb
-LIB_DEPENDS +=         :db->=4,<5:databases/db/v4
-WANTLIB +=             lib/db4/db.>=4
-CPPFLAGS +=            -I${LOCALBASE}/include/db4
-LDFLAGS +=             -L${LOCALBASE}/lib/db4
-LIBS +=                        -ldb
-.else
-CONFIGURE_ARGS+=       --disable-bdb --disable-hdb
-.endif
-
-CONFIGURE_ENV+=                CPPFLAGS="${CPPFLAGS}" \
-                       LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" \
-                       LIBS="${LIBS}"
+LIB_DEPENDS-server=    ${LIB_DEPENDS-main} \
+                       icudata,icuuc::textproc/icu4c \
+                       lib/db4/db.>=4:db->=4.6.21,<5:databases/db/v4
+                       
+CONFIGURE_ENV+=                CPPFLAGS="-I${LOCALBASE}/include/sasl 
-I${LOCALBASE}/include/db4 -I${LOCALBASE}/include" \
+                       LDFLAGS="-L${LOCALBASE}/lib/db4 -L${LOCALBASE}/lib" 
 
 RUN_DEPENDS-server=    :${FULLPKGNAME-main}:databases/openldap
 WANTLIB-server=                ${WANTLIB} perl util wrap m pthread
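Review bot: The new `CONFIGURE_ENV` hard-codes the include and library paths instead of expanding `${CPPFLAGS}` and `${LDFLAGS}`, so the unchanged `CPPFLAGS += -I${LOCALBASE}/include/sasl` line just above no longer has a visible consumer. Flags set elsewhere also stop reaching configure through this variable, unless bsd.port.mk forwards them on its own. Either drop the leftover `CPPFLAGS +=` line or keep the expansion, e.g. `CPPFLAGS="${CPPFLAGS} -I${LOCALBASE}/include/db4 -I${LOCALBASE}/include"`. The added line after the `LIB_DEPENDS-server` block contains only whitespace and should be a truly empty line.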
@@ -102,14 +89,6 @@ USE_LIBTOOL=        Yes
 pre-build:
        @cd ${WRKBUILD}; ${MAKE_PROGRAM} depend
 
-pre-configure:
-       @perl -pi -e 's,KRB5_LIBS=,KRB5_LIBS="-lgssapi -lkrb5 -lasn1 \
-               -lcom_err",g' ${WRKSRC}/configure
-.if ${FLAVOR} != "bdb"
-       @perl -pi -e 's,database        bdb,database    ldbm,' \
-               ${WRKSRC}/servers/slapd/slapd.conf
-.endif
-
 post-install:
        ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/openldap
        ${INSTALL_DATA} ${DESTDIR}${SYSCONFDIR}/openldap/*.conf \
@@ -119,7 +98,6 @@ post-install:
                 ${PREFIX}/share/examples/openldap/schema
        ${INSTALL_DATA} ${WRKSRC}/servers/slapd/DB_CONFIG \
                ${PREFIX}/share/examples/openldap
-       @rm -r ${DESTDIR}${SYSCONFDIR}/openldap
-       @rm -r ${DESTDIR}/var/openldap-data ${DESTDIR}/var/openldap-slurp
+       @rm -rf ${DESTDIR}${SYSCONFDIR}/openldap
 
 .include <bsd.port.mk>
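Review bot: With `-f`, the cleanup `@rm -rf ${DESTDIR}${SYSCONFDIR}/openldap` no longer fails when the directory is missing, which hides the case where the install step stopped populating it; the previous `rm -r` kept that signal. The removed second line also stops deleting `${DESTDIR}/var/openldap-data`. The context of patches/patch-servers_slapd_Makefile_in in this diff still shows `install-db-config` creating that directory with `$(INSTALL) -m 700 -d`, so check that the packing list accounts for it (that part of PLIST-server is not visible here). The `post-install` target starts above this hunk.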
Index: distinfo
===================================================================
RCS file: /cvs/ports/databases/openldap/distinfo,v
retrieving revision 1.31
diff -u -p -r1.31 distinfo
--- distinfo    21 Jul 2008 06:07:10 -0000      1.31
+++ distinfo    10 Nov 2010 14:01:44 -0000
@@ -1,5 +1,5 @@
-MD5 (openldap-2.3.43.tgz) = GyUoEIbrFGuOEevTPeCG3A==
-RMD160 (openldap-2.3.43.tgz) = Pst4nl9NTJOTV+LnIg15PrBUAuc=
-SHA1 (openldap-2.3.43.tgz) = eWtds3rlJDuE97nBEhe77ETg2ow=
-SHA256 (openldap-2.3.43.tgz) = 19LeoFNiyKx+Ebt78dpM3rByJbqNwWl0v/n1Gp89N+E=
-SIZE (openldap-2.3.43.tgz) = 3803011
+MD5 (openldap-2.4.23.tgz) = kBULjA0BkuELMBV+aIRN3w==
+RMD160 (openldap-2.4.23.tgz) = 0iaOj7iUaA0dmSb+3Kc28ZXgoL4=
+SHA1 (openldap-2.4.23.tgz) = JgJ+cCAlbF9H4XeH8X7osxr0I3g=
+SHA256 (openldap-2.4.23.tgz) = Wl7ekdXoqzx/Y3YgqimjuW6zQxiosmyO7y0seJ/AVeM=
+SIZE (openldap-2.4.23.tgz) = 5182440
Index: patches/patch-aclocal_m4
===================================================================
RCS file: patches/patch-aclocal_m4
diff -N patches/patch-aclocal_m4
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-aclocal_m4    10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,11 @@
+$OpenBSD$
+--- aclocal.m4.orig    Mon Dec  7 14:37:50 2009
++++ aclocal.m4 Mon Dec  7 14:38:06 2009
+@@ -2071,7 +2071,6 @@ openbsd*)
+     *)                         need_version=no  ;;
+   esac
+   library_names_spec='${libname}${release}${shared_ext}$versuffix 
${libname}${shared_ext}$versuffix'
+-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+   shlibpath_var=LD_LIBRARY_PATH
+   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test 
"$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+     case $host_os in
Index: patches/patch-build_openldap_m4
===================================================================
RCS file: patches/patch-build_openldap_m4
diff -N patches/patch-build_openldap_m4
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-build_openldap_m4     10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- build/openldap.m4.orig     Mon Dec  7 14:39:00 2009
++++ build/openldap.m4  Mon Dec  7 14:39:15 2009
+@@ -251,7 +251,7 @@ AC_DEFUN([OL_ICU],
+ AC_CHECK_HEADERS( unicode/utypes.h )
+ if test $ac_cv_header_unicode_utypes_h = yes ; then
+       dnl OL_ICULIBS="-licui18n -licuuc -licudata"
+-      OL_ICULIBS="-licuuc -licudata"
++      OL_ICULIBS="-licuuc -licudata -pthread"
+ 
+       AC_CACHE_CHECK([for ICU libraries], [ol_cv_lib_icu], [
+               ol_LIBS="$LIBS"
Index: patches/patch-build_top_mk
===================================================================
RCS file: /cvs/ports/databases/openldap/patches/patch-build_top_mk,v
retrieving revision 1.5
diff -u -p -r1.5 patch-build_top_mk
--- patches/patch-build_top_mk  14 Jan 2008 21:01:11 -0000      1.5
+++ patches/patch-build_top_mk  10 Nov 2010 14:01:44 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-build_top_mk,v 1.5 2008/01/14 21:01:11 mbalmer Exp $
---- build/top.mk.orig  Wed Jan  3 00:42:47 2007
-+++ build/top.mk       Mon Jan 14 11:55:23 2008
-@@ -121,7 +121,7 @@ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
+--- build/top.mk.orig  Mon Jul  6 21:22:52 2009
++++ build/top.mk       Mon Nov  2 12:09:42 2009
+@@ -122,7 +122,7 @@ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
        $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
  
  LTINSTALL = $(LIBTOOL) --mode=install $(INSTALL) 
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure     14 Jan 2008 21:01:11 -0000      1.4
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,30 +0,0 @@
-$OpenBSD: patch-configure,v 1.4 2008/01/14 21:01:11 mbalmer Exp $
---- configure.orig     Mon Oct  8 18:38:57 2007
-+++ configure  Mon Jan 14 11:56:10 2008
-@@ -9502,7 +9502,6 @@ openbsd*)
-     *)                         need_version=no  ;;
-   esac
-   library_names_spec='${libname}${release}${shared_ext}$versuffix 
${libname}${shared_ext}$versuffix'
--  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-   shlibpath_var=LD_LIBRARY_PATH
-   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test 
"$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-     case $host_os in
-@@ -35855,8 +35854,8 @@ cat >>conftest.$ac_ext <<_ACEOF
- #     define DB_VERSION_MINOR 0
- #endif
- 
--/* require 4.2-4.5 */
--#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR < 
6)
-+/* require 4.2-4.6 */
-+#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR < 
7)
-       __db_version_compat
- #endif
- 
-@@ -37236,6 +37235,7 @@ cat confdefs.h >>conftest.$ac_ext
- cat >>conftest.$ac_ext <<_ACEOF
- /* end confdefs.h.  */
- 
-+#include <sys/types.h>
- #include <tcpd.h>
- int allow_severity = 0;
- int deny_severity  = 0;
Index: patches/patch-configure_in
===================================================================
RCS file: patches/patch-configure_in
diff -N patches/patch-configure_in
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-configure_in  10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+--- configure.in.orig  Wed Sep 30 02:24:39 2009
++++ configure.in       Mon May  3 18:32:18 2010
+@@ -582,7 +582,7 @@ SLAPD_SQL_LIBS=
+ SLAPD_SQL_INCLUDES=
+ 
+ KRB4_LIBS=
+-KRB5_LIBS=
++KRB5_LIBS="-lgssapi -lkrb5 -lasn1 -lcom_err"
+ SASL_LIBS=
+ TLS_LIBS=
+ MODULES_LIBS=
+@@ -1901,6 +1901,7 @@ if test $ol_enable_wrappers != no ; then
+               save_LIBS="$LIBS"
+               LIBS="$LIBS -lwrap"
+               AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
+ #include <tcpd.h>
+ int allow_severity = 0;
+ int deny_severity  = 0;
Index: patches/patch-libraries_libldap_tls_c
===================================================================
RCS file: patches/patch-libraries_libldap_tls_c
diff -N patches/patch-libraries_libldap_tls_c
--- patches/patch-libraries_libldap_tls_c       4 Dec 2009 15:26:48 -0000       
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,120 +0,0 @@
-$OpenBSD: patch-libraries_libldap_tls_c,v 1.1 2009/12/04 15:26:48 pea Exp $
---- libraries/libldap/tls.c.orig       Tue Feb 12 00:24:12 2008
-+++ libraries/libldap/tls.c    Thu Dec  3 12:03:47 2009
-@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
-       X509 *x;
-       const char *name;
-       char *ptr;
--      int ntype = IS_DNS;
-+      int ntype = IS_DNS, nlen;
- #ifdef LDAP_PF_INET6
-       struct in6_addr addr;
- #else
-@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
-       } else {
-               name = name_in;
-       }
-+      nlen = strlen(name);
- 
-       x = tls_get_cert((SSL *)s);
-       if (!x) {
-@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
-               ex = X509_get_ext(x, i);
-               alt = X509V3_EXT_d2i(ex);
-               if (alt) {
--                      int n, len1 = 0, len2 = 0;
-+                      int n, len2 = 0;
-                       char *domain = NULL;
-                       GENERAL_NAME *gn;
- 
-                       if (ntype == IS_DNS) {
--                              len1 = strlen(name);
-                               domain = strchr(name, '.');
-                               if (domain) {
--                                      len2 = len1 - (domain-name);
-+                                      len2 = nlen - (domain-name);
-                               }
-                       }
-                       n = sk_GENERAL_NAME_num(alt);
-@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
-                                       if (sl == 0) continue;
- 
-                                       /* Is this an exact match? */
--                                      if ((len1 == sl) && !strncasecmp(name, 
sn, len1)) {
-+                                      if ((nlen == sl) && !strncasecmp(name, 
sn, nlen)) {
-                                               break;
-                                       }
- 
-@@ -1094,13 +1094,28 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
- 
-       if (ret != LDAP_SUCCESS) {
-               X509_NAME *xn;
--              char buf[2048];
--              buf[0] = '\0';
-+              X509_NAME_ENTRY *ne;
-+              ASN1_OBJECT *obj;
-+              ASN1_STRING *cn = NULL;
-+              int navas;
- 
-+              /* find the last CN */
-+              obj = OBJ_nid2obj( NID_commonName );
-+              if ( !obj ) goto no_cn; /* should never happen */
-+
-               xn = X509_get_subject_name(x);
--              if( X509_NAME_get_text_by_NID( xn, NID_commonName,
--                      buf, sizeof(buf)) == -1)
-+              navas = X509_NAME_entry_count( xn );
-+              for ( i=navas-1; i>=0; i-- ) {
-+                      ne = X509_NAME_get_entry( xn, i );
-+                      if ( !OBJ_cmp( ne->object, obj )) {
-+                              cn = X509_NAME_ENTRY_get_data( ne );
-+                              break;
-+                      }
-+              }
-+              
-+              if( !cn )
-               {
-+no_cn:
-                       Debug( LDAP_DEBUG_ANY,
-                               "TLS: unable to get common name from peer 
certificate.\n",
-                               0, 0, 0 );
-@@ -1111,21 +1126,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
-                       ld->ld_error = LDAP_STRDUP(
-                               _("TLS: unable to get CN from peer 
certificate"));
- 
--              } else if (strcasecmp(name, buf) == 0 ) {
-+              } else if ( cn->length == nlen &&
-+                      strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
-                       ret = LDAP_SUCCESS;
- 
--              } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
-+              } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
-                       char *domain = strchr(name, '.');
-                       if( domain ) {
--                              size_t dlen = 0;
--                              size_t sl;
-+                              size_t dlen;
- 
--                              sl = strlen(name);
--                              dlen = sl - (domain-name);
--                              sl = strlen(buf);
-+                              dlen = nlen - (domain-name);
- 
-                               /* Is this a wildcard match? */
--                              if ((dlen == sl-1) && !strncasecmp(domain, 
&buf[1], dlen)) {
-+                              if ((dlen == cn->length-1) &&
-+                                      !strncasecmp(domain, (char *) 
&cn->data[1], dlen)) {
-                                       ret = LDAP_SUCCESS;
-                               }
-                       }
-@@ -1133,8 +1147,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const 
- 
-               if( ret == LDAP_LOCAL_ERROR ) {
-                       Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not 
match "
--                              "common name in certificate (%s).\n", 
--                              name, buf, 0 );
-+                              "common name in certificate (%.*s).\n",
-+                              name, cn->length, cn->data );
-                       ret = LDAP_CONNECT_ERROR;
-                       if ( ld->ld_error ) {
-                               LDAP_FREE( ld->ld_error );
Index: patches/patch-servers_slapd_Makefile_in
===================================================================
RCS file: patches/patch-servers_slapd_Makefile_in
diff -N patches/patch-servers_slapd_Makefile_in
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-servers_slapd_Makefile_in     10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- servers/slapd/Makefile.in.orig     Tue Oct 19 13:18:41 2010
++++ servers/slapd/Makefile.in  Tue Oct 19 13:19:40 2010
+@@ -432,8 +432,6 @@ install-db-config: FORCE
+       @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+       @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
+       $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+-              $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
+-      $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+               $(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+ 
+ install-tools: FORCE
Index: patches/patch-servers_slapd_dn_c
===================================================================
RCS file: /cvs/ports/databases/openldap/patches/patch-servers_slapd_dn_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-servers_slapd_dn_c
--- patches/patch-servers_slapd_dn_c    6 Aug 2010 02:52:05 -0000       1.1
+++ patches/patch-servers_slapd_dn_c    10 Nov 2010 14:01:44 -0000
@@ -6,31 +6,16 @@ Resolves CVE-2010-0211 and CVE-2010-0212
 from upstream
 
 
---- servers/slapd/dn.c.orig    Mon Feb 11 18:24:16 2008
-+++ servers/slapd/dn.c Tue Aug  3 10:24:27 2010
-@@ -352,12 +352,9 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ct
-               ava->la_attr = ad->ad_cname;
- 
-               if( ava->la_flags & LDAP_AVA_BINARY ) {
--                      if( ava->la_value.bv_len == 0 ) {
--                              /* BER encoding is empty */
--                              return LDAP_INVALID_SYNTAX;
--                      }
-+                      /* AVA is binary encoded, not supported */
-+                      return LDAP_INVALID_SYNTAX;
- 
--                      /* AVA is binary encoded, don't muck with it */
-               } else if( flags & SLAP_LDAPDN_PRETTY ) {
-                       transf = ad->ad_type->sat_syntax->ssyn_pretty;
-                       if( !transf ) {
-@@ -424,6 +421,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ct
-                               ber_memfree_x( ava->la_value.bv_val, ctx );
-                       ava->la_value = bv;
-                       ava->la_flags |= LDAP_AVA_FREE_VALUE;
-+              }
+--- servers/slapd/dn.c.orig    Thu Jun 10 19:48:06 2010
++++ servers/slapd/dn.c Tue Sep  7 15:11:59 2010
+@@ -380,6 +380,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ct
+               if (!ava->la_value.bv_len) {
+                       return LDAP_INVALID_SYNTAX;
+               }
 +              /* reject empty values */
 +              if (!ava->la_value.bv_len) {
 +                      return LDAP_INVALID_SYNTAX;
-               }
++              }
        }
        rc = LDAP_SUCCESS;
+ 
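Review bot: The regenerated patch appears to be a no-op against 2.4.23: its own context lines already contain `if (!ava->la_value.bv_len) { return LDAP_INVALID_SYNTAX; }` immediately before the added block, which repeats exactly the same test under the comment `/* reject empty values */`. If upstream 2.4.23 already carries the fix, this file should be removed along with patch-servers_slapd_modrdn_c and patch-servers_slapd_schema_init_c, rather than keeping a header that claims to resolve CVE-2010-0211 and CVE-2010-0212. The first hunk of the old patch, which rejected binary-encoded AVAs in `LDAPRDN_rewrite`, is also gone from the regenerated file. Confirm against the 2.4.23 source that the binary-AVA case is handled there, since that code is not visible in this diff.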
Index: patches/patch-servers_slapd_modrdn_c
===================================================================
RCS file: patches/patch-servers_slapd_modrdn_c
diff -N patches/patch-servers_slapd_modrdn_c
--- patches/patch-servers_slapd_modrdn_c        6 Aug 2010 02:52:05 -0000       
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,31 +0,0 @@
-$OpenBSD: patch-servers_slapd_modrdn_c,v 1.1 2010/08/06 02:52:05 william Exp $
-
-SECURITY FIX
-
-Resolves CVE-2010-0211 and CVE-2010-0212 (ITS#6570) 
-from upstream
-
-
---- servers/slapd/modrdn.c.orig        Mon Feb 11 18:24:16 2008
-+++ servers/slapd/modrdn.c     Tue Aug  3 10:26:21 2010
-@@ -481,12 +481,19 @@ slap_modrdn2mods(
-                       mod_tmp->sml_values[1].bv_val = NULL;
-                       if( desc->ad_type->sat_equality->smr_normalize) {
-                               mod_tmp->sml_nvalues = &mod_tmp->sml_values[2];
--                              (void) 
(*desc->ad_type->sat_equality->smr_normalize)(
-+                              rs->sr_err = 
desc->ad_type->sat_equality->smr_normalize(
-                                       
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
-                                       desc->ad_type->sat_syntax,
-                                       desc->ad_type->sat_equality,
-                                       &mod_tmp->sml_values[0],
-                                       &mod_tmp->sml_nvalues[0], 
op->o_tmpmemctx );
-+                      if (rs->sr_err != LDAP_SUCCESS) {
-+                              ch_free(mod_tmp->sml_nvalues);
-+                              ch_free(mod_tmp->sml_values[0].bv_val);
-+                              ch_free(mod_tmp->sml_values);
-+                              ch_free(mod_tmp);
-+                              goto done;
-+                      }
-                               mod_tmp->sml_nvalues[1].bv_val = NULL;
-                       } else {
-                               mod_tmp->sml_nvalues = NULL;
Index: patches/patch-servers_slapd_schema_init_c
===================================================================
RCS file: patches/patch-servers_slapd_schema_init_c
diff -N patches/patch-servers_slapd_schema_init_c
--- patches/patch-servers_slapd_schema_init_c   6 Aug 2010 02:52:05 -0000       
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,54 +0,0 @@
-$OpenBSD: patch-servers_slapd_schema_init_c,v 1.1 2010/08/06 02:52:05 william 
Exp $
-
-SECURITY FIX
-
-Resolves CVE-2010-0211 and CVE-2010-0212 (ITS#6570) 
-from upstream
-
-Also cure a crash in IA5StringNormalize() by sync'ing it with the same 
-function from 2.4.23
-
-
---- servers/slapd/schema_init.c.orig   Mon Feb 11 18:24:17 2008
-+++ servers/slapd/schema_init.c        Tue Aug  3 15:35:45 2010
-@@ -1439,8 +1439,9 @@ UTF8StringNormalize(
-               ? LDAP_UTF8_APPROX : 0;
- 
-       val = UTF8bvnormalize( val, &tmp, flags, ctx );
-+      /* out of memory or syntax error, the former is unlikely */
-       if( val == NULL ) {
--              return LDAP_OTHER;
-+              return LDAP_INVALID_SYNTAX;
-       }
-       
-       /* collapse spaces (in place) */
-@@ -2101,14 +2102,18 @@ IA5StringNormalize(
-       char *p, *q;
-       int casefold = !SLAP_MR_ASSOCIATED(mr, 
slap_schema.si_mr_caseExactIA5Match);
- 
--      assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ));
-+      assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ) != 0);
- 
-       p = val->bv_val;
- 
-       /* Ignore initial whitespace */
-       while ( ASCII_SPACE( *p ) ) p++;
- 
--      normalized->bv_val = ber_strdup_x( p, ctx );
-+      normalized->bv_len = val->bv_len - ( p - val->bv_val );
-+      normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
-+      AC_MEMCPY( normalized->bv_val, p, normalized->bv_len );
-+      normalized->bv_val[normalized->bv_len] = '\0';
-+
-       p = q = normalized->bv_val;
- 
-       while ( *p ) {
-@@ -2137,7 +2142,7 @@ IA5StringNormalize(
-        * position.  One is enough because the above loop collapsed
-        * all whitespace to a single space.
-        */
--      if ( ASCII_SPACE( q[-1] ) ) --q;
-+      if ( q > normalized->bv_val && ASCII_SPACE( q[-1] ) ) --q;
- 
-       /* null terminate */
-       *q = '\0';
Index: pkg/DESCR-server
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/DESCR-server,v
retrieving revision 1.3
diff -u -p -r1.3 DESCR-server
--- pkg/DESCR-server    7 Nov 2005 15:59:08 -0000       1.3
+++ pkg/DESCR-server    10 Nov 2010 14:01:44 -0000
@@ -9,6 +9,3 @@ is distributed under a Perl-style "Artis
 
 This is the server portion of OpenLDAP, it provides the server as well as
 various administrative binaries.
-
-Flavors:
-       bdb     enable the bdb and hdb backends
Index: pkg/MESSAGE-server
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/MESSAGE-server,v
retrieving revision 1.1
diff -u -p -r1.1 MESSAGE-server
--- pkg/MESSAGE-server  13 Feb 2008 09:45:54 -0000      1.1
+++ pkg/MESSAGE-server  10 Nov 2010 14:01:44 -0000
@@ -3,11 +3,3 @@ the following line to /etc/rc.conf.local
 
 slapd_flags="-u _openldap"
 
-and to /etc/rc.local (be sure to start it _before_ any daemon that may
-need it):
-
-if [ "$slapd_flags" != "NO" -a -x ${PREFIX}/libexec/slapd ]; then
-    install -d -o _openldap /var/run/openldap
-    ${PREFIX}/libexec/slapd $slapd_flags
-    echo -n ' slapd'
-fi
Index: pkg/PFRAG.shared-main
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/PFRAG.shared-main,v
retrieving revision 1.1
diff -u -p -r1.1 PFRAG.shared-main
--- pkg/PFRAG.shared-main       25 Nov 2006 16:50:24 -0000      1.1
+++ pkg/PFRAG.shared-main       10 Nov 2010 14:01:44 -0000
@@ -1,7 +1,7 @@
 @comment $OpenBSD: PFRAG.shared-main,v 1.1 2006/11/25 16:50:24 espie Exp $
-...@lib lib/liblber-2.3.so.${LIBlber-2.3_VERSION}
+...@lib lib/liblber-2.4.so.${LIBlber-2.4_VERSION}
 @lib lib/liblber.so.${LIBlber_VERSION}
-...@lib lib/libldap-2.3.so.${LIBldap-2.3_VERSION}
+...@lib lib/libldap-2.4.so.${LIBldap-2.4_VERSION}
 @lib lib/libldap.so.${LIBldap_VERSION}
-...@lib lib/libldap_r-2.3.so.${LIBldap_r-2.3_VERSION}
+...@lib lib/libldap_r-2.4.so.${LIBldap_r-2.4_VERSION}
 @lib lib/libldap_r.so.${LIBldap_r_VERSION}
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/PLIST-main,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST-main
--- pkg/PLIST-main      15 Jul 2008 18:25:53 -0000      1.3
+++ pkg/PLIST-main      10 Nov 2010 14:01:44 -0000
@@ -3,10 +3,12 @@
 bin/ldapadd
 @bin bin/ldapcompare
 @bin bin/ldapdelete
+...@bin bin/ldapexop
 @bin bin/ldapmodify
 @bin bin/ldapmodrdn
 @bin bin/ldappasswd
 @bin bin/ldapsearch
+...@bin bin/ldapurl
 @bin bin/ldapwhoami
 include/lber.h
 include/lber_types.h
@@ -25,10 +27,12 @@ lib/libldap_r.la
 @man man/man1/ldapadd.1
 @man man/man1/ldapcompare.1
 @man man/man1/ldapdelete.1
+...@man man/man1/ldapexop.1
 @man man/man1/ldapmodify.1
 @man man/man1/ldapmodrdn.1
 @man man/man1/ldappasswd.1
 @man man/man1/ldapsearch.1
+...@man man/man1/ldapurl.1
 @man man/man1/ldapwhoami.1
 @man man/man3/ber_alloc_t.3
 @man man/man3/ber_bvarray_add.3
@@ -68,6 +72,7 @@ lib/libldap_r.la
 @man man/man3/lber-decode.3
 @man man/man3/lber-encode.3
 @man man/man3/lber-memory.3
+...@man man/man3/lber-sockbuf.3
 @man man/man3/lber-types.3
 @man man/man3/ld_errno.3
 @man man/man3/ldap.3
@@ -86,6 +91,13 @@ lib/libldap_r.la
 @man man/man3/ldap_compare_ext.3
 @man man/man3/ldap_compare_ext_s.3
 @man man/man3/ldap_compare_s.3
+...@man man/man3/ldap_control_create.3
+...@man man/man3/ldap_control_dup.3
+...@man man/man3/ldap_control_find.3
+...@man man/man3/ldap_control_free.3
+...@man man/man3/ldap_controls.3
+...@man man/man3/ldap_controls_dup.3
+...@man man/man3/ldap_controls_free.3
 @man man/man3/ldap_count_entries.3
 @man man/man3/ldap_count_messages.3
 @man man/man3/ldap_count_references.3
@@ -105,19 +117,30 @@ lib/libldap_r.la
 @man man/man3/ldap_error.3
 @man man/man3/ldap_explode_dn.3
 @man man/man3/ldap_explode_rdn.3
+...@man man/man3/ldap_extended_operation.3
+...@man man/man3/ldap_extended_operation_s.3
 @man man/man3/ldap_first_attribute.3
 @man man/man3/ldap_first_entry.3
 @man man/man3/ldap_first_message.3
 @man man/man3/ldap_first_reference.3
 @man man/man3/ldap_free_urldesc.3
 @man man/man3/ldap_get_dn.3
+...@man man/man3/ldap_get_option.3
 @man man/man3/ldap_get_values.3
 @man man/man3/ldap_get_values_len.3
 @man man/man3/ldap_init.3
+...@man man/man3/ldap_initialize.3
+...@man man/man3/ldap_install_tls.3
 @man man/man3/ldap_is_ldap_url.3
 @man man/man3/ldap_matchingrule2name.3
 @man man/man3/ldap_matchingrule2str.3
 @man man/man3/ldap_matchingrule_free.3
+...@man man/man3/ldap_memalloc.3
+...@man man/man3/ldap_memcalloc.3
+...@man man/man3/ldap_memfree.3
+...@man man/man3/ldap_memory.3
+...@man man/man3/ldap_memrealloc.3
+...@man man/man3/ldap_memvfree.3
 @man man/man3/ldap_modify.3
 @man man/man3/ldap_modify_ext.3
 @man man/man3/ldap_modify_ext_s.3
@@ -142,7 +165,11 @@ lib/libldap_r.la
 @man man/man3/ldap_parse_reference.3
 @man man/man3/ldap_parse_result.3
 @man man/man3/ldap_parse_sasl_bind_result.3
+...@man man/man3/ldap_parse_sort_control.3
+...@man man/man3/ldap_parse_vlv_control.3
 @man man/man3/ldap_perror.3
+...@man man/man3/ldap_rename.3
+...@man man/man3/ldap_rename_s.3
 @man man/man3/ldap_result.3
 @man man/man3/ldap_result2error.3
 @man man/man3/ldap_sasl_bind.3
@@ -154,20 +181,28 @@ lib/libldap_r.la
 @man man/man3/ldap_search_ext_s.3
 @man man/man3/ldap_search_s.3
 @man man/man3/ldap_search_st.3
+...@man man/man3/ldap_set_option.3
+...@man man/man3/ldap_set_rebind_proc.3
 @man man/man3/ldap_simple_bind.3
 @man man/man3/ldap_simple_bind_s.3
 @man man/man3/ldap_sort.3
 @man man/man3/ldap_sort_entries.3
 @man man/man3/ldap_sort_strcasecmp.3
 @man man/man3/ldap_sort_values.3
+...@man man/man3/ldap_start_tls.3
+...@man man/man3/ldap_start_tls_s.3
 @man man/man3/ldap_str2attributetype.3
 @man man/man3/ldap_str2dn.3
 @man man/man3/ldap_str2matchingrule.3
 @man man/man3/ldap_str2objectclass.3
 @man man/man3/ldap_str2syntax.3
+...@man man/man3/ldap_strdup.3
+...@man man/man3/ldap_sync.3
 @man man/man3/ldap_syntax2name.3
 @man man/man3/ldap_syntax2str.3
 @man man/man3/ldap_syntax_free.3
+...@man man/man3/ldap_tls.3
+...@man man/man3/ldap_tls_inplace.3
 @man man/man3/ldap_unbind.3
 @man man/man3/ldap_unbind_ext.3
 @man man/man3/ldap_unbind_ext_s.3
@@ -178,20 +213,7 @@ lib/libldap_r.la
 @man man/man3/ldap_value_free_len.3
 @man man/man5/ldap.conf.5
 @man man/man5/ldif.5
-...@man man/man5/slapo-accesslog.5
-...@man man/man5/slapo-auditlog.5
-...@man man/man5/slapo-chain.5
-...@man man/man5/slapo-dynlist.5
-...@man man/man5/slapo-lastmod.5
-...@man man/man5/slapo-pcache.5
-...@man man/man5/slapo-ppolicy.5
-...@man man/man5/slapo-refint.5
-...@man man/man5/slapo-retcode.5
-...@man man/man5/slapo-rwm.5
-...@man man/man5/slapo-syncprov.5
-...@man man/man5/slapo-translucent.5
-...@man man/man5/slapo-unique.5
-...@man man/man5/slapo-valsort.5
+...@man man/man5/slapo-pbind.5
 share/examples/openldap/
 @sample ${SYSCONFDIR}/openldap/
 share/examples/openldap/ldap.conf
Index: pkg/PLIST-server
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/PLIST-server,v
retrieving revision 1.18
diff -u -p -r1.18 PLIST-server
--- pkg/PLIST-server    21 Aug 2009 13:21:19 -0000      1.18
+++ pkg/PLIST-server    10 Nov 2010 14:01:44 -0000
@@ -1,10 +1,12 @@
 @comment $OpenBSD: PLIST-server,v 1.18 2009/08/21 13:21:19 ajacoutot Exp $
 @conflict openldap-client->=2.3.11,<=2.3.11p3
+...@pkgpath databases/openldap,-server,bdb
+...@ask-update openldap-server-<2.4 Make sure your existing database is backed 
up
 @newgroup _openldap:544
 @newuser _openldap:544:_openldap:daemon:OpenLDAP 
Account:/nonexistent:/sbin/nologin
 @bin libexec/slapd
-...@bin libexec/slurpd
 @man man/man5/slapd-bdb.5
+...@man man/man5/slapd-config.5
 @man man/man5/slapd-dnssrv.5
 @man man/man5/slapd-hdb.5
 @man man/man5/slapd-ldap.5
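Review bot: The `@ask-update` text added in this hunk only says to make sure the database is backed up, which does not tell the administrator what kind of backup will still be usable after the update. The announcement for this diff states that the ldbm backend is removed and bdb becomes the default, so a file-level copy of an ldbm directory is presumably not loadable by the new slapd. I would spell that out, for example `@ask-update openldap-server-<2.4 Export your directory with slapcat(8) before updating; the ldbm backend has been removed`. The annotation also appears wrapped over two lines in this posting; if that is not a mailer artifact, it needs to be joined into one line.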
@@ -12,17 +14,38 @@
 @man man/man5/slapd-ldif.5
 @man man/man5/slapd-meta.5
 @man man/man5/slapd-monitor.5
+...@man man/man5/slapd-ndb.5
 @man man/man5/slapd-null.5
 @man man/man5/slapd-passwd.5
 @man man/man5/slapd-perl.5
 @man man/man5/slapd-relay.5
 @man man/man5/slapd-shell.5
+...@man man/man5/slapd-sock.5
 @man man/man5/slapd-sql.5
-...@man man/man5/slapd-tcl.5
 @man man/man5/slapd.access.5
+...@man man/man5/slapd.backends.5
 @man man/man5/slapd.conf.5
+...@man man/man5/slapd.overlays.5
 @man man/man5/slapd.plugin.5
-...@man man/man5/slapd.replog.5
+...@man man/man5/slapo-accesslog.5
+...@man man/man5/slapo-auditlog.5
+...@man man/man5/slapo-chain.5
+...@man man/man5/slapo-collect.5
+...@man man/man5/slapo-constraint.5
+...@man man/man5/slapo-dds.5
+...@man man/man5/slapo-dyngroup.5
+...@man man/man5/slapo-dynlist.5
+...@man man/man5/slapo-memberof.5
+...@man man/man5/slapo-pcache.5
+...@man man/man5/slapo-ppolicy.5
+...@man man/man5/slapo-refint.5
+...@man man/man5/slapo-retcode.5
+...@man man/man5/slapo-rwm.5
+...@man man/man5/slapo-sssvlv.5
+...@man man/man5/slapo-syncprov.5
+...@man man/man5/slapo-translucent.5
+...@man man/man5/slapo-unique.5
+...@man man/man5/slapo-valsort.5
 @man man/man8/slapacl.8
 @man man/man8/slapadd.8
 @man man/man8/slapauth.8
@@ -31,8 +54,8 @@
 @man man/man8/slapdn.8
 @man man/man8/slapindex.8
 @man man/man8/slappasswd.8
+...@man man/man8/slapschema.8
 @man man/man8/slaptest.8
-...@man man/man8/slurpd.8
 sbin/slapacl
 sbin/slapadd
 sbin/slapauth
@@ -40,15 +63,27 @@ sbin/slapcat
 sbin/slapdn
 sbin/slapindex
 sbin/slappasswd
+sbin/slapschema
 sbin/slaptest
+...@mode 700
+...@owner _openldap
+...@sample /var/openldap-data/
+...@group _openldap
+share/examples/openldap/DB_CONFIG
+...@sample /var/openldap-data/DB_CONFIG
+...@mode
+...@owner
+...@group
 share/examples/openldap/schema/
 @sample ${SYSCONFDIR}/openldap/schema/
+share/examples/openldap/schema/collective.schema
 share/examples/openldap/schema/corba.schema
 @sample ${SYSCONFDIR}/openldap/schema/corba.schema
 share/examples/openldap/schema/core.schema
 @sample ${SYSCONFDIR}/openldap/schema/core.schema
 share/examples/openldap/schema/cosine.schema
 @sample ${SYSCONFDIR}/openldap/schema/cosine.schema
+share/examples/openldap/schema/duaconf.schema
 share/examples/openldap/schema/dyngroup.schema
 @sample ${SYSCONFDIR}/openldap/schema/dyngroup.schema
 share/examples/openldap/schema/inetorgperson.schema
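Review bot: `@group _openldap` now comes after `@sample /var/openldap-data/`, so the data directory is created while only `@mode 700` and `@owner _openldap` are in effect. It would presumably get the default group rather than `_openldap`, unlike the block removed at the end of this file, where all three annotations preceded the `@sample`. With mode 700 the group grants no access, but keeping the ownership annotations together avoids a surprise if the mode is ever relaxed: move `@group _openldap` up so it sits directly after `@owner _openldap`. Separately, `DB_CONFIG` inherits mode 700. A configuration file does not need the execute bit, so a `@mode 600` before the `share/examples/openldap/DB_CONFIG` line may be worth considering, although the old list behaved the same way.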
@@ -61,6 +96,7 @@ share/examples/openldap/schema/nis.schem
 @sample ${SYSCONFDIR}/openldap/schema/nis.schema
 share/examples/openldap/schema/openldap.schema
 @sample ${SYSCONFDIR}/openldap/schema/openldap.schema
+share/examples/openldap/schema/pmi.schema
 share/examples/openldap/schema/ppolicy.schema
 @sample ${SYSCONFDIR}/openldap/schema/ppolicy.schema
 @mode 0640
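Review bot: `pmi.schema` is added to share/examples without a following `@sample ${SYSCONFDIR}/openldap/schema/pmi.schema` line, and the same holds for `collective.schema` and `duaconf.schema` in the previous hunk, while every neighbouring schema has one. As written, these three files would not be copied into `${SYSCONFDIR}/openldap/schema/`, so an `include` of them from slapd.conf would fail until they are copied by hand. If that is intended, an `@comment` saying so would help; otherwise add the matching `@sample` lines.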
@@ -69,10 +105,4 @@ share/examples/openldap/slapd.conf
 @sample ${SYSCONFDIR}/openldap/slapd.conf
 @mode
 @group
-...@mode 700
-...@owner _openldap
-...@group _openldap
-...@sample /var/openldap-data/
-...@sample /var/openldap-slurp/
-share/examples/openldap/DB_CONFIG
-...@sample /var/openldap-data/DB_CONFIG
+...@rcscript ${RCDIR}/slapd
Index: pkg/slapd.rc
===================================================================
RCS file: pkg/slapd.rc
diff -N pkg/slapd.rc
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ pkg/slapd.rc        10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# $OpenBSD$
+
+. /etc/rc.d/rc.subr
+
+daemon="${TRUEPREFIX}/libexec/slapd"
+
+rc_reload() {
+       rc_err "$0: reload is not supported"
+}
+
+rc_cmd $1
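Review bot: The script sets only `daemon` and no flags, so unless the administrator supplies them slapd is started without `-u`/`-g` and, as far as this hunk shows, keeps running as root. The same package creates the `_openldap` account and installs `/var/openldap-data/` as mode 700 owned by `_openldap`. A default such as `daemon_flags="-u _openldap -g _openldap"` after the `daemon=` line would match the packing list and drop privileges out of the box. Whether the rc.subr of this date honours `daemon_flags` is not visible here and should be checked.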
