authorAaron Bauman <bman@gentoo.org>2017-01-29 16:03:53 +0900
committerAaron Bauman <bman@gentoo.org>2017-01-29 16:03:53 +0900
commit24cf260188c1d266815d1e6329547b1d52de5a1b (patch)
tree3c637cd2b24531b30daefd142b8aedbe4ea0ca96 /net-nds/openldap/files
parentmedia-gfx/imagemagick: Removed old. (diff)
net-nds/openldap: security and patch cleanup wrt bug #560424
Diffstat (limited to 'net-nds/openldap/files')
-rw-r--r--net-nds/openldap/files/openldap-2.3.34-slapd-conf64
-rw-r--r--net-nds/openldap/files/openldap-2.4.15-ppolicy.patch12
-rw-r--r--net-nds/openldap/files/openldap-2.4.33-gnutls.patch60
-rw-r--r--net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch136
-rw-r--r--net-nds/openldap/files/openldap-2.4.40-slapd-conf64
-rw-r--r--net-nds/openldap/files/slapd-initd-2.4.4051
-rw-r--r--net-nds/openldap/files/slapd-initd-2.4.40-r165
-rw-r--r--net-nds/openldap/files/slapd-initd-2.4.40-r265
8 files changed, 0 insertions, 517 deletions
diff --git a/net-nds/openldap/files/openldap-2.3.34-slapd-conf b/net-nds/openldap/files/openldap-2.3.34-slapd-conf
deleted file mode 100644
index ad767cfdeb7c..000000000000
--- a/net-nds/openldap/files/openldap-2.3.34-slapd-conf
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include /etc/openldap/schema/core.schema
-
-# Define global ACLs to disable default read access.
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral ldap://root.openldap.org
-
-pidfile /var/run/openldap/slapd.pid
-argsfile /var/run/openldap/slapd.args
-
-# Load dynamic backend modules:
-###INSERTDYNAMICMODULESHERE###
-
-# Sample security restrictions
-# Require integrity protection (prevent hijacking)
-# Require 112-bit (3DES or better) encryption for updates
-# Require 63-bit encryption for simple bind
-# security ssf=1 update_ssf=112 simple_bind=64
-
-# Sample access control policy:
-# Root DSE: allow anyone to read it
-# Subschema (sub)entry DSE: allow anyone to read it
-# Other DSEs:
-# Allow self write access
-# Allow authenticated users read access
-# Allow anonymous users to authenticate
-# Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-# by self write
-# by users read
-# by anonymous auth
-#
-# if no access controls are present, the default policy
-# allows anyone and everyone to read anything but restricts
-# updates to rootdn. (e.g., "access to * by * read")
-#
-# rootdn can always read and write EVERYTHING!
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database hdb
-suffix "dc=my-domain,dc=com"
-# <kbyte> <min>
-checkpoint 32 30
-rootdn "cn=Manager,dc=my-domain,dc=com"
-# Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
-# Use of strong authentication encouraged.
-rootpw secret
-# The database directory MUST exist prior to running slapd AND
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-directory /var/lib/openldap-data
-# Indices to maintain
-index objectClass eq
diff --git a/net-nds/openldap/files/openldap-2.4.15-ppolicy.patch b/net-nds/openldap/files/openldap-2.4.15-ppolicy.patch
deleted file mode 100644
index 3195ee550f68..000000000000
--- a/net-nds/openldap/files/openldap-2.4.15-ppolicy.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- openldap-2.4.15/clients/tools/common.c.orig 2009-02-05 15:05:03.000000000 -0800
-+++ openldap-2.4.15/clients/tools/common.c 2009-03-21 01:45:14.000000000 -0700
-@@ -1315,8 +1315,8 @@
- int nsctrls = 0;
-
- #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
-+ LDAPControl c;
- if ( ppolicy ) {
-- LDAPControl c;
- c.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
- c.ldctl_value.bv_val = NULL;
- c.ldctl_value.bv_len = 0;
diff --git a/net-nds/openldap/files/openldap-2.4.33-gnutls.patch b/net-nds/openldap/files/openldap-2.4.33-gnutls.patch
deleted file mode 100644
index 2b07c85c04aa..000000000000
--- a/net-nds/openldap/files/openldap-2.4.33-gnutls.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 98de912932732f1441300eb64ca3070ff1469fcf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <petr.pisar@atlas.cz>
-Date: Sun, 30 Dec 2012 21:11:06 +0100
-Subject: [PATCH] GnuTLS 3.0 removed gnutls_certificate_get_x509_cas()
-
----
- libraries/libldap/tls_g.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
-index 40616f5..374514d 100644
---- a/libraries/libldap/tls_g.c
-+++ b/libraries/libldap/tls_g.c
-@@ -60,6 +60,12 @@
- #undef HAVE_GCRYPT_RAND
- #endif
-
-+#if LIBGNUTLS_VERSION_NUMBER >= 0x030000
-+#define HAVE_GNUTLS_CERTIFICATE_GET_ISSUER 1
-+#else
-+#undef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
-+#endif
-+
- #ifndef HAVE_CIPHERSUITES
- /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
- * kludge them ourselves.
-@@ -368,6 +374,22 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- * then we have to build the cert chain.
- */
- if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
-+#ifdef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
-+ gnutls_x509_crt_t issuer;
-+ unsigned int i;
-+
-+ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
-+ /* If no CA is known, we're done */
-+ if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1],
-+ &issuer, 0 ) )
-+ break;
-+ certs[i] = issuer;
-+ max++;
-+ /* If this CA is self-signed, we're done */
-+ if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
-+ break;
-+ }
-+#else
- gnutls_x509_crt_t *cas;
- unsigned int i, j, ncas;
-
-@@ -387,6 +409,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- if ( j == ncas )
- break;
- }
-+#endif /* !defined HAVE_GNUTLS_CERTIFICATE_GET_ISSUER */
- }
- rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
- if ( rc ) return -1;
---
-1.8.0.2
-
diff --git a/net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch b/net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch
deleted file mode 100644
index 9265a01701ab..000000000000
--- a/net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch
+++ /dev/null
@@ -1,136 +0,0 @@
---- ./build/top.mk.orig 2014-10-24 14:34:59.260827298 +0200
-+++ ./build/top.mk 2014-10-24 14:35:25.281168893 +0200
-@@ -160,6 +160,7 @@
- LTHREAD_LIBS = @LTHREAD_LIBS@
-
- BDB_LIBS = @BDB_LIBS@
-+MDB_LIBS = @MDB_LIBS@
- SLAPD_NDB_LIBS = @SLAPD_NDB_LIBS@
-
- LDAP_LIBLBER_LA = $(LDAP_LIBDIR)/liblber/liblber.la
---- ./build/openldap.m4.orig 2014-10-24 10:52:02.837221734 +0200
-+++ ./build/openldap.m4 2014-10-24 11:31:02.748087966 +0200
-@@ -563,6 +563,38 @@
- ], [ol_cv_bdb_compat=yes], [ol_cv_bdb_compat=no])])
- ])
-
-+dnl --------------------------------------------------------------------
-+dnl Check for version compatility with back-mdb
-+AC_DEFUN([OL_MDB_COMPAT],
-+[AC_CACHE_CHECK([if LMDB version supported by MDB backends], [ol_cv_mdb_compat],[
-+ AC_EGREP_CPP(__mdb_version_compat,[
-+#include <lmdb.h>
-+
-+/* require 0.9.14 or later */
-+#if MDB_VERSION_FULL >= 0x00000009000E
-+ __mdb_version_compat
-+#endif
-+ ], [ol_cv_mdb_compat=yes], [ol_cv_mdb_compat=no])])
-+])
-+
-+dnl
-+dnl --------------------------------------------------------------------
-+dnl Find any MDB
-+AC_DEFUN([OL_MDB],
-+[ol_cv_mdb=no
-+AC_CHECK_HEADERS(lmdb.h)
-+if test $ac_cv_header_lmdb_h = yes; then
-+ OL_MDB_COMPAT
-+
-+ if test $ol_cv_mdb_compat != yes ; then
-+ AC_MSG_ERROR([LMDB version incompatible with MDB backends])
-+ fi
-+
-+ ol_cv_lib_mdb=-llmdb
-+ ol_cv_mdb=yes
-+fi
-+])
-+
- dnl
- dnl ====================================================================
- dnl Check POSIX Thread version
---- ./servers/slapd/back-mdb/Makefile.in.orig 2014-10-24 10:31:30.860931076 +0200
-+++ ./servers/slapd/back-mdb/Makefile.in 2014-10-24 14:33:33.803705424 +0200
-@@ -25,11 +25,10 @@
- extended.lo operational.lo \
- attr.lo index.lo key.lo filterindex.lo \
- dn2entry.lo dn2id.lo id2entry.lo idl.lo \
-- nextid.lo monitor.lo mdb.lo midl.lo
-+ nextid.lo monitor.lo
-
- LDAP_INCDIR= ../../../include
- LDAP_LIBDIR= ../../../libraries
--MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
-
- BUILD_OPT = "--enable-mdb"
- BUILD_MOD = @BUILD_MDB@
-@@ -44,7 +43,7 @@
-
- LIBBASE = back_mdb
-
--XINCPATH = -I.. -I$(srcdir)/.. -I$(MDB_SUBDIR)
-+XINCPATH = -I.. -I$(srcdir)/..
- XDEFS = $(MODULES_CPPFLAGS)
-
- all-local-lib: ../.backend
-@@ -52,11 +51,5 @@
- ../.backend: lib$(LIBBASE).a
- @touch $@
-
--mdb.lo: $(MDB_SUBDIR)/mdb.c
-- $(LTCOMPILE_MOD) $(MDB_SUBDIR)/mdb.c
--
--midl.lo: $(MDB_SUBDIR)/midl.c
-- $(LTCOMPILE_MOD) $(MDB_SUBDIR)/midl.c
--
- veryclean-local-lib: FORCE
- $(RM) $(XXHEADERS) $(XXSRCS) .links
---- ./configure.in.orig 2014-10-24 10:46:53.289139847 +0200
-+++ ./configure.in 2014-10-24 10:51:34.372846374 +0200
-@@ -519,6 +519,7 @@
- dnl Initialize vars
- LDAP_LIBS=
- BDB_LIBS=
-+MDB_LIBS=
- SLAPD_NDB_LIBS=
- SLAPD_NDB_INCS=
- LTHREAD_LIBS=
-@@ -1905,6 +1906,30 @@
- fi
-
- dnl ----------------------------------------------------------------
-+ol_link_mdb=no
-+
-+if test $ol_enable_mdb != no; then
-+ OL_MDB
-+
-+ if test $ol_cv_mdb = no ; then
-+ AC_MSG_ERROR(MDB: LMDB not available)
-+ fi
-+
-+ AC_DEFINE(HAVE_MDB,1,
-+ [define this if LMDB is available])
-+
-+ dnl $ol_cv_lib_mdb should be yes or -llmdb
-+ dnl (it could be no, but that would be an error
-+ if test $ol_cv_lib_mdb != yes ; then
-+ MDB_LIBS="$MDB_LIBS $ol_cv_lib_mdb"
-+ fi
-+
-+ SLAPD_LIBS="$SLAPD_LIBS \$(MDB_LIBS)"
-+
-+ ol_link_mdb=yes
-+fi
-+
-+dnl ----------------------------------------------------------------
-
- if test $ol_enable_dynamic = yes && test $enable_shared = yes ; then
- BUILD_LIBS_DYNAMIC=shared
-@@ -3133,6 +3158,7 @@
- AC_SUBST(LDAP_LIBS)
- AC_SUBST(SLAPD_LIBS)
- AC_SUBST(BDB_LIBS)
-+AC_SUBST(MDB_LIBS)
- AC_SUBST(SLAPD_NDB_LIBS)
- AC_SUBST(SLAPD_NDB_INCS)
- AC_SUBST(LTHREAD_LIBS)
diff --git a/net-nds/openldap/files/openldap-2.4.40-slapd-conf b/net-nds/openldap/files/openldap-2.4.40-slapd-conf
deleted file mode 100644
index 8ecc732b9672..000000000000
--- a/net-nds/openldap/files/openldap-2.4.40-slapd-conf
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include /etc/openldap/schema/core.schema
-
-# Define global ACLs to disable default read access.
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral ldap://root.openldap.org
-
-pidfile /run/openldap/slapd.pid
-argsfile /run/openldap/slapd.args
-
-# Load dynamic backend modules:
-###INSERTDYNAMICMODULESHERE###
-
-# Sample security restrictions
-# Require integrity protection (prevent hijacking)
-# Require 112-bit (3DES or better) encryption for updates
-# Require 63-bit encryption for simple bind
-# security ssf=1 update_ssf=112 simple_bind=64
-
-# Sample access control policy:
-# Root DSE: allow anyone to read it
-# Subschema (sub)entry DSE: allow anyone to read it
-# Other DSEs:
-# Allow self write access
-# Allow authenticated users read access
-# Allow anonymous users to authenticate
-# Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-# by self write
-# by users read
-# by anonymous auth
-#
-# if no access controls are present, the default policy
-# allows anyone and everyone to read anything but restricts
-# updates to rootdn. (e.g., "access to * by * read")
-#
-# rootdn can always read and write EVERYTHING!
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database hdb
-suffix "dc=my-domain,dc=com"
-# <kbyte> <min>
-checkpoint 32 30
-rootdn "cn=Manager,dc=my-domain,dc=com"
-# Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
-# Use of strong authentication encouraged.
-rootpw secret
-# The database directory MUST exist prior to running slapd AND
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-directory /var/lib/openldap-data
-# Indices to maintain
-index objectClass eq
diff --git a/net-nds/openldap/files/slapd-initd-2.4.40 b/net-nds/openldap/files/slapd-initd-2.4.40
deleted file mode 100644
index 473e9fd0e725..000000000000
--- a/net-nds/openldap/files/slapd-initd-2.4.40
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-extra_commands="checkconfig"
-
-[ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}"
-PIDDIR=/run/openldap
-PIDFILE=$PIDDIR/$SVCNAME.pid
-
-depend() {
- need net
- before dbus hald avahi-daemon
- provide ldap
-}
-
-start() {
- checkpath -q -d ${PIDDIR} -o ldap:ldap
- if ! checkconfig -Q ; then
- eerror "There is a problem with your slapd.conf!"
- return 1
- fi
- ebegin "Starting ldap-server"
- [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME
- eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
- eend $?
-}
-
-stop() {
- ebegin "Stopping ldap-server"
- start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE}
- eend $?
-}
-
-checkconfig() {
- # checks requested by bug #502948
- for d in `awk '/^directory/{print $2}'`; do
- if [ ! -d $d ]; then
- eerror "Directory $d in config does not exist!"
- return 1
- fi
- /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq .
- if [ $? -ne 0 ]; then
- ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!"
- fi
- [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal"
- done
- # now test the config fully
- /usr/sbin/slaptest -u "$@" ${OPTS_CONF}
-}
diff --git a/net-nds/openldap/files/slapd-initd-2.4.40-r1 b/net-nds/openldap/files/slapd-initd-2.4.40-r1
deleted file mode 100644
index 3547e0751816..000000000000
--- a/net-nds/openldap/files/slapd-initd-2.4.40-r1
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-extra_commands="checkconfig"
-
-[ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}"
-PIDDIR=/run/openldap
-PIDFILE=$PIDDIR/$SVCNAME.pid
-
-depend() {
- need net
- before dbus hald avahi-daemon
- provide ldap
-}
-
-start() {
- checkpath -q -d ${PIDDIR} -o ldap:ldap
- if ! checkconfig -Q ; then
- eerror "There is a problem with your slapd.conf!"
- return 1
- fi
- ebegin "Starting ldap-server"
- [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME
- eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
- eend $?
-}
-
-stop() {
- ebegin "Stopping ldap-server"
- start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE}
- eend $?
-}
-
-checkconfig() {
- # checks requested by bug #502948
- # Step 1: extract the last valid config file or config dir
- set -- $OPTS
- while [ -n "$*" ]; do
- opt=$1 ; shift
- if [ "$opt" = "-f" -o "$opt" = "-F" ] ; then
- CONF=$1
- shift
- fi
- done
- set --
- # Fallback
- CONF=${CONF-/etc/openldap/slapd.conf}
- [ -d $CONF ] && CONF=${CONF}/*
- DBDIRS=`eval awk '"/^(directory|olcDbDirectory:)/{print \$2}"' $CONF`
- for d in $DBDIRS; do
- if [ ! -d $d ]; then
- eerror "Directory $d in config does not exist!"
- return 1
- fi
- /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq .
- if [ $? -ne 0 ]; then
- ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!"
- fi
- [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal"
- done
- # now test the config fully
- /usr/sbin/slaptest -u "$@" ${OPTS_CONF}
-}
diff --git a/net-nds/openldap/files/slapd-initd-2.4.40-r2 b/net-nds/openldap/files/slapd-initd-2.4.40-r2
deleted file mode 100644
index 9ce071ac9780..000000000000
--- a/net-nds/openldap/files/slapd-initd-2.4.40-r2
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-extra_commands="checkconfig"
-
-[ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}"
-PIDDIR=/run/openldap
-PIDFILE=$PIDDIR/$SVCNAME.pid
-
-depend() {
- need net
- before dbus hald avahi-daemon
- provide ldap
-}
-
-start() {
- checkpath -q -d ${PIDDIR} -o ldap:ldap
- if ! checkconfig -Q ; then
- eerror "There is a problem with your slapd.conf!"
- return 1
- fi
- ebegin "Starting ldap-server"
- [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME
- eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
- eend $?
-}
-
-stop() {
- ebegin "Stopping ldap-server"
- start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE}
- eend $?
-}
-
-checkconfig() {
- # checks requested by bug #502948
- # Step 1: extract the last valid config file or config dir
- set -- $OPTS
- while [ -n "$*" ]; do
- opt=$1 ; shift
- if [ "$opt" = "-f" -o "$opt" = "-F" ] ; then
- CONF=$1
- shift
- fi
- done
- set --
- # Fallback
- CONF=${CONF-/etc/openldap/slapd.conf}
- [ -d $CONF ] && CONF=${CONF}/*
- DBDIRS=`eval awk '"/^(directory|olcDbDirectory:)/{print \\$2}"' $CONF`
- for d in $DBDIRS; do
- if [ ! -d $d ]; then
- eerror "Directory $d in config does not exist!"
- return 1
- fi
- /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq .
- if [ $? -ne 0 ]; then
- ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!"
- fi
- [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal"
- done
- # now test the config fully
- /usr/sbin/slaptest -u "$@" ${OPTS_CONF}
-}