authorAaron Bauman <bman@gentoo.org>2017-01-29 20:53:39 +0900
committerAaron Bauman <bman@gentoo.org>2017-01-29 20:53:39 +0900
commitdc4c4517ab54955eae9a06893e1fc3939a59fb8f (patch)
tree291ce3497d8d9074ed412f272d94136a80ba3d90 /net-nds/openldap/files
parentx11-misc/qcomicbook: Version bump (bug 607536, thanks consus@gmx.com), update... (diff)
Revert "net-nds/openldap: security and patch cleanup wrt bug #560424"
This reverts commit 24cf260188c1d266815d1e6329547b1d52de5a1b.
Diffstat (limited to 'net-nds/openldap/files')
-rw-r--r--net-nds/openldap/files/openldap-2.3.34-slapd-conf64
-rw-r--r--net-nds/openldap/files/openldap-2.4.15-ppolicy.patch12
-rw-r--r--net-nds/openldap/files/openldap-2.4.33-gnutls.patch60
-rw-r--r--net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch136
-rw-r--r--net-nds/openldap/files/openldap-2.4.40-slapd-conf64
-rw-r--r--net-nds/openldap/files/slapd-initd-2.4.4051
-rw-r--r--net-nds/openldap/files/slapd-initd-2.4.40-r165
-rw-r--r--net-nds/openldap/files/slapd-initd-2.4.40-r265
8 files changed, 517 insertions, 0 deletions
diff --git a/net-nds/openldap/files/openldap-2.3.34-slapd-conf b/net-nds/openldap/files/openldap-2.3.34-slapd-conf
new file mode 100644
index 000000000000..ad767cfdeb7c
--- /dev/null
+++ b/net-nds/openldap/files/openldap-2.3.34-slapd-conf
@@ -0,0 +1,64 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+# Load dynamic backend modules:
+###INSERTDYNAMICMODULESHERE###
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database hdb
+suffix "dc=my-domain,dc=com"
+# <kbyte> <min>
+checkpoint 32 30
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw secret
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/openldap-data
+# Indices to maintain
+index objectClass eq
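Review bot: `rootpw secret` is an active directive in this sample, so a directory started from the unmodified file accepts a well-known cleartext password for `cn=Manager`, even though the comment directly above it says cleartext rootdn passwords should be avoided. Shipping the line commented out with a placeholder, e.g. `# rootpw <hash generated by slappasswd(8)>`, forces the admin to set a credential before the rootdn can bind with a password. The security sample also disagrees with itself: the comment says 63-bit for simple bind while the directive reads `simple_bind=64`. Both points apply unchanged to `openldap-2.4.40-slapd-conf` later in this commit.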
diff --git a/net-nds/openldap/files/openldap-2.4.15-ppolicy.patch b/net-nds/openldap/files/openldap-2.4.15-ppolicy.patch
new file mode 100644
index 000000000000..3195ee550f68
--- /dev/null
+++ b/net-nds/openldap/files/openldap-2.4.15-ppolicy.patch
@@ -0,0 +1,12 @@
+--- openldap-2.4.15/clients/tools/common.c.orig 2009-02-05 15:05:03.000000000 -0800
++++ openldap-2.4.15/clients/tools/common.c 2009-03-21 01:45:14.000000000 -0700
+@@ -1315,8 +1315,8 @@
+ int nsctrls = 0;
+
+ #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
++ LDAPControl c;
+ if ( ppolicy ) {
+- LDAPControl c;
+ c.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+ c.ldctl_value.bv_val = NULL;
+ c.ldctl_value.bv_len = 0;
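Review bot: The patch file carries no description, and the reason for hoisting `LDAPControl c;` out of the `if ( ppolicy )` block cannot be read from these lines; the enclosing function starts and ends outside the hunk. A short header at the top of the .patch would let the next maintainer decide whether it is still needed on a version bump, along the lines of `Hoist LDAPControl c to function scope: <reason and upstream or Gentoo bug reference>`.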
diff --git a/net-nds/openldap/files/openldap-2.4.33-gnutls.patch b/net-nds/openldap/files/openldap-2.4.33-gnutls.patch
new file mode 100644
index 000000000000..2b07c85c04aa
--- /dev/null
+++ b/net-nds/openldap/files/openldap-2.4.33-gnutls.patch
@@ -0,0 +1,60 @@
+From 98de912932732f1441300eb64ca3070ff1469fcf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <petr.pisar@atlas.cz>
+Date: Sun, 30 Dec 2012 21:11:06 +0100
+Subject: [PATCH] GnuTLS 3.0 removed gnutls_certificate_get_x509_cas()
+
+---
+ libraries/libldap/tls_g.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index 40616f5..374514d 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -60,6 +60,12 @@
+ #undef HAVE_GCRYPT_RAND
+ #endif
+
++#if LIBGNUTLS_VERSION_NUMBER >= 0x030000
++#define HAVE_GNUTLS_CERTIFICATE_GET_ISSUER 1
++#else
++#undef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
++#endif
++
+ #ifndef HAVE_CIPHERSUITES
+ /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
+ * kludge them ourselves.
+@@ -368,6 +374,22 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ * then we have to build the cert chain.
+ */
+ if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
++#ifdef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
++ gnutls_x509_crt_t issuer;
++ unsigned int i;
++
++ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
++ /* If no CA is known, we're done */
++ if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1],
++ &issuer, 0 ) )
++ break;
++ certs[i] = issuer;
++ max++;
++ /* If this CA is self-signed, we're done */
++ if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
++ break;
++ }
++#else
+ gnutls_x509_crt_t *cas;
+ unsigned int i, j, ncas;
+
+@@ -387,6 +409,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ if ( j == ncas )
+ break;
+ }
++#endif /* !defined HAVE_GNUTLS_CERTIFICATE_GET_ISSUER */
+ }
+ rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
+ if ( rc ) return -1;
+--
+1.8.0.2
+
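Review bot: In the new `HAVE_GNUTLS_CERTIFICATE_GET_ISSUER` branch every non-zero return from `gnutls_certificate_get_issuer()` is treated as "no CA is known", so a genuine lookup error ends the loop the same way and `gnutls_certificate_set_x509_key()` is then called with a silently shortened chain. Separating the two cases keeps the failure visible: `rc = gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &issuer, 0 );` followed by `if ( rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ) break;` and `if ( rc ) return -1;` (that code is what GnuTLS is expected to report for a missing issuer; confirm against the targeted versions). With flags `0` the returned `issuer` appears to stay owned by the credentials structure, so any cleanup of `certs[1..]` must not deinitialise it. That cleanup and the declaration of `certs[]`, including its size relative to `VERIFY_DEPTH`, are outside the hunk and worth confirming.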
diff --git a/net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch b/net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch
new file mode 100644
index 000000000000..9265a01701ab
--- /dev/null
+++ b/net-nds/openldap/files/openldap-2.4.40-mdb-unbundle.patch
@@ -0,0 +1,136 @@
+--- ./build/top.mk.orig 2014-10-24 14:34:59.260827298 +0200
++++ ./build/top.mk 2014-10-24 14:35:25.281168893 +0200
+@@ -160,6 +160,7 @@
+ LTHREAD_LIBS = @LTHREAD_LIBS@
+
+ BDB_LIBS = @BDB_LIBS@
++MDB_LIBS = @MDB_LIBS@
+ SLAPD_NDB_LIBS = @SLAPD_NDB_LIBS@
+
+ LDAP_LIBLBER_LA = $(LDAP_LIBDIR)/liblber/liblber.la
+--- ./build/openldap.m4.orig 2014-10-24 10:52:02.837221734 +0200
++++ ./build/openldap.m4 2014-10-24 11:31:02.748087966 +0200
+@@ -563,6 +563,38 @@
+ ], [ol_cv_bdb_compat=yes], [ol_cv_bdb_compat=no])])
+ ])
+
++dnl --------------------------------------------------------------------
++dnl Check for version compatility with back-mdb
++AC_DEFUN([OL_MDB_COMPAT],
++[AC_CACHE_CHECK([if LMDB version supported by MDB backends], [ol_cv_mdb_compat],[
++ AC_EGREP_CPP(__mdb_version_compat,[
++#include <lmdb.h>
++
++/* require 0.9.14 or later */
++#if MDB_VERSION_FULL >= 0x00000009000E
++ __mdb_version_compat
++#endif
++ ], [ol_cv_mdb_compat=yes], [ol_cv_mdb_compat=no])])
++])
++
++dnl
++dnl --------------------------------------------------------------------
++dnl Find any MDB
++AC_DEFUN([OL_MDB],
++[ol_cv_mdb=no
++AC_CHECK_HEADERS(lmdb.h)
++if test $ac_cv_header_lmdb_h = yes; then
++ OL_MDB_COMPAT
++
++ if test $ol_cv_mdb_compat != yes ; then
++ AC_MSG_ERROR([LMDB version incompatible with MDB backends])
++ fi
++
++ ol_cv_lib_mdb=-llmdb
++ ol_cv_mdb=yes
++fi
++])
++
+ dnl
+ dnl ====================================================================
+ dnl Check POSIX Thread version
+--- ./servers/slapd/back-mdb/Makefile.in.orig 2014-10-24 10:31:30.860931076 +0200
++++ ./servers/slapd/back-mdb/Makefile.in 2014-10-24 14:33:33.803705424 +0200
+@@ -25,11 +25,10 @@
+ extended.lo operational.lo \
+ attr.lo index.lo key.lo filterindex.lo \
+ dn2entry.lo dn2id.lo id2entry.lo idl.lo \
+- nextid.lo monitor.lo mdb.lo midl.lo
++ nextid.lo monitor.lo
+
+ LDAP_INCDIR= ../../../include
+ LDAP_LIBDIR= ../../../libraries
+-MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
+
+ BUILD_OPT = "--enable-mdb"
+ BUILD_MOD = @BUILD_MDB@
+@@ -44,7 +43,7 @@
+
+ LIBBASE = back_mdb
+
+-XINCPATH = -I.. -I$(srcdir)/.. -I$(MDB_SUBDIR)
++XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+
+ all-local-lib: ../.backend
+@@ -52,11 +51,5 @@
+ ../.backend: lib$(LIBBASE).a
+ @touch $@
+
+-mdb.lo: $(MDB_SUBDIR)/mdb.c
+- $(LTCOMPILE_MOD) $(MDB_SUBDIR)/mdb.c
+-
+-midl.lo: $(MDB_SUBDIR)/midl.c
+- $(LTCOMPILE_MOD) $(MDB_SUBDIR)/midl.c
+-
+ veryclean-local-lib: FORCE
+ $(RM) $(XXHEADERS) $(XXSRCS) .links
+--- ./configure.in.orig 2014-10-24 10:46:53.289139847 +0200
++++ ./configure.in 2014-10-24 10:51:34.372846374 +0200
+@@ -519,6 +519,7 @@
+ dnl Initialize vars
+ LDAP_LIBS=
+ BDB_LIBS=
++MDB_LIBS=
+ SLAPD_NDB_LIBS=
+ SLAPD_NDB_INCS=
+ LTHREAD_LIBS=
+@@ -1905,6 +1906,30 @@
+ fi
+
+ dnl ----------------------------------------------------------------
++ol_link_mdb=no
++
++if test $ol_enable_mdb != no; then
++ OL_MDB
++
++ if test $ol_cv_mdb = no ; then
++ AC_MSG_ERROR(MDB: LMDB not available)
++ fi
++
++ AC_DEFINE(HAVE_MDB,1,
++ [define this if LMDB is available])
++
++ dnl $ol_cv_lib_mdb should be yes or -llmdb
++ dnl (it could be no, but that would be an error
++ if test $ol_cv_lib_mdb != yes ; then
++ MDB_LIBS="$MDB_LIBS $ol_cv_lib_mdb"
++ fi
++
++ SLAPD_LIBS="$SLAPD_LIBS \$(MDB_LIBS)"
++
++ ol_link_mdb=yes
++fi
++
++dnl ----------------------------------------------------------------
+
+ if test $ol_enable_dynamic = yes && test $enable_shared = yes ; then
+ BUILD_LIBS_DYNAMIC=shared
+@@ -3133,6 +3158,7 @@
+ AC_SUBST(LDAP_LIBS)
+ AC_SUBST(SLAPD_LIBS)
+ AC_SUBST(BDB_LIBS)
++AC_SUBST(MDB_LIBS)
+ AC_SUBST(SLAPD_NDB_LIBS)
+ AC_SUBST(SLAPD_NDB_INCS)
+ AC_SUBST(LTHREAD_LIBS)
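Review bot: `OL_MDB` decides that LMDB is usable from `lmdb.h` alone and then hard-codes `ol_cv_lib_mdb=-llmdb`; nothing probes that the library is installed and links. With the bundled `mdb.lo`/`midl.lo` objects dropped from `back-mdb/Makefile.in`, a system that has the header but no matching library only fails at link time. A link probe inside the header branch, e.g. `AC_CHECK_LIB(lmdb, mdb_env_open, [ol_cv_lib_mdb=-llmdb; ol_cv_mdb=yes])`, moves that failure to configure. The `MDB_VERSION_FULL` gate is likewise a header-only check, so it says nothing about the liblmdb actually loaded at run time; a `dnl` comment stating that limit would help, and "compatility" in the existing comment should read "compatibility".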
diff --git a/net-nds/openldap/files/openldap-2.4.40-slapd-conf b/net-nds/openldap/files/openldap-2.4.40-slapd-conf
new file mode 100644
index 000000000000..8ecc732b9672
--- /dev/null
+++ b/net-nds/openldap/files/openldap-2.4.40-slapd-conf
@@ -0,0 +1,64 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /run/openldap/slapd.pid
+argsfile /run/openldap/slapd.args
+
+# Load dynamic backend modules:
+###INSERTDYNAMICMODULESHERE###
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database hdb
+suffix "dc=my-domain,dc=com"
+# <kbyte> <min>
+checkpoint 32 30
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw secret
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/openldap-data
+# Indices to maintain
+index objectClass eq
diff --git a/net-nds/openldap/files/slapd-initd-2.4.40 b/net-nds/openldap/files/slapd-initd-2.4.40
new file mode 100644
index 000000000000..473e9fd0e725
--- /dev/null
+++ b/net-nds/openldap/files/slapd-initd-2.4.40
@@ -0,0 +1,51 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+
+[ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}"
+PIDDIR=/run/openldap
+PIDFILE=$PIDDIR/$SVCNAME.pid
+
+depend() {
+ need net
+ before dbus hald avahi-daemon
+ provide ldap
+}
+
+start() {
+ checkpath -q -d ${PIDDIR} -o ldap:ldap
+ if ! checkconfig -Q ; then
+ eerror "There is a problem with your slapd.conf!"
+ return 1
+ fi
+ ebegin "Starting ldap-server"
+ [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME
+ eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping ldap-server"
+ start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE}
+ eend $?
+}
+
+checkconfig() {
+ # checks requested by bug #502948
+ for d in `awk '/^directory/{print $2}'`; do
+ if [ ! -d $d ]; then
+ eerror "Directory $d in config does not exist!"
+ return 1
+ fi
+ /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq .
+ if [ $? -ne 0 ]; then
+ ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!"
+ fi
+ [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal"
+ done
+ # now test the config fully
+ /usr/sbin/slaptest -u "$@" ${OPTS_CONF}
+}
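Review bot: The ownership test in `checkconfig()` is inverted: `grep -sq .` exits 0 when `find` printed something, i.e. when files not owned by ldap exist, yet the warning is emitted on `[ $? -ne 0 ]`, so it fires for a clean directory and stays silent for one that has foreign-owned files. The `find` expression also lacks grouping, so `-o ! -group ldap` escapes the `! -name DB_CONFIG` exclusion; `if /usr/bin/find "$d" ! -name DB_CONFIG \( ! -user ldap -o ! -group ldap \) | grep -q . ; then` expresses what the message says. The same two lines are repeated in `slapd-initd-2.4.40-r1` and `slapd-initd-2.4.40-r2`. In this revision only, `awk '/^directory/{print $2}'` has no file operand, so it reads standard input instead of slapd.conf and the loop will normally not see the configured directories at all.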
diff --git a/net-nds/openldap/files/slapd-initd-2.4.40-r1 b/net-nds/openldap/files/slapd-initd-2.4.40-r1
new file mode 100644
index 000000000000..3547e0751816
--- /dev/null
+++ b/net-nds/openldap/files/slapd-initd-2.4.40-r1
@@ -0,0 +1,65 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+
+[ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}"
+PIDDIR=/run/openldap
+PIDFILE=$PIDDIR/$SVCNAME.pid
+
+depend() {
+ need net
+ before dbus hald avahi-daemon
+ provide ldap
+}
+
+start() {
+ checkpath -q -d ${PIDDIR} -o ldap:ldap
+ if ! checkconfig -Q ; then
+ eerror "There is a problem with your slapd.conf!"
+ return 1
+ fi
+ ebegin "Starting ldap-server"
+ [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME
+ eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping ldap-server"
+ start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE}
+ eend $?
+}
+
+checkconfig() {
+ # checks requested by bug #502948
+ # Step 1: extract the last valid config file or config dir
+ set -- $OPTS
+ while [ -n "$*" ]; do
+ opt=$1 ; shift
+ if [ "$opt" = "-f" -o "$opt" = "-F" ] ; then
+ CONF=$1
+ shift
+ fi
+ done
+ set --
+ # Fallback
+ CONF=${CONF-/etc/openldap/slapd.conf}
+ [ -d $CONF ] && CONF=${CONF}/*
+ DBDIRS=`eval awk '"/^(directory|olcDbDirectory:)/{print \$2}"' $CONF`
+ for d in $DBDIRS; do
+ if [ ! -d $d ]; then
+ eerror "Directory $d in config does not exist!"
+ return 1
+ fi
+ /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq .
+ if [ $? -ne 0 ]; then
+ ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!"
+ fi
+ [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal"
+ done
+ # now test the config fully
+ /usr/sbin/slaptest -u "$@" ${OPTS_CONF}
+}
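Review bot: The `DBDIRS` assignment loses the awk field reference: inside backticks `\$2` is reduced to `$2`, and `eval` then expands it within the double-quoted awk program as the shell's second positional parameter, which is empty after the preceding `set --`. awk therefore runs `{print }` and returns whole lines, so the loop tests the literal word `directory` (or `olcDbDirectory:`) as a path and `checkconfig` returns 1 unless such a directory happens to exist. `-r2` works around this with `\\$2`; dropping the `eval` removes the double parsing of both the program and the contents of `$CONF`: `DBDIRS=$(awk '/^(directory|olcDbDirectory:)/{print $2}' $CONF)`, leaving `$CONF` unquoted so the `/*` glob still expands.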
diff --git a/net-nds/openldap/files/slapd-initd-2.4.40-r2 b/net-nds/openldap/files/slapd-initd-2.4.40-r2
new file mode 100644
index 000000000000..9ce071ac9780
--- /dev/null
+++ b/net-nds/openldap/files/slapd-initd-2.4.40-r2
@@ -0,0 +1,65 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+
+[ -z "$INSTANCE" ] && INSTANCE="openldap${SVCNAME#slapd}"
+PIDDIR=/run/openldap
+PIDFILE=$PIDDIR/$SVCNAME.pid
+
+depend() {
+ need net
+ before dbus hald avahi-daemon
+ provide ldap
+}
+
+start() {
+ checkpath -q -d ${PIDDIR} -o ldap:ldap
+ if ! checkconfig -Q ; then
+ eerror "There is a problem with your slapd.conf!"
+ return 1
+ fi
+ ebegin "Starting ldap-server"
+ [ -n "$KRB5_KTNAME" ] && export KRB5_KTNAME
+ eval start-stop-daemon --start --pidfile ${PIDFILE} --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping ldap-server"
+ start-stop-daemon --stop --signal 2 --quiet --pidfile ${PIDFILE}
+ eend $?
+}
+
+checkconfig() {
+ # checks requested by bug #502948
+ # Step 1: extract the last valid config file or config dir
+ set -- $OPTS
+ while [ -n "$*" ]; do
+ opt=$1 ; shift
+ if [ "$opt" = "-f" -o "$opt" = "-F" ] ; then
+ CONF=$1
+ shift
+ fi
+ done
+ set --
+ # Fallback
+ CONF=${CONF-/etc/openldap/slapd.conf}
+ [ -d $CONF ] && CONF=${CONF}/*
+ DBDIRS=`eval awk '"/^(directory|olcDbDirectory:)/{print \\$2}"' $CONF`
+ for d in $DBDIRS; do
+ if [ ! -d $d ]; then
+ eerror "Directory $d in config does not exist!"
+ return 1
+ fi
+ /usr/bin/find $d ! -name DB_CONFIG ! -user ldap -o ! -group ldap |grep -sq .
+ if [ $? -ne 0 ]; then
+ ewarn "You have files in $d not owned by the ldap user, you must ensure they are accessible to the slapd instance!"
+ fi
+ [ ! -e $d/DB_CONFIG ] && ewarn "$d/DB_CONFIG does not exist, slapd performance may be sub-optimal"
+ done
+ # now test the config fully
+ /usr/sbin/slaptest -u "$@" ${OPTS_CONF}
+}
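Review bot: `checkconfig()` overwrites its own arguments with `set -- $OPTS` and then clears them with `set --`, so the `-Q` that `start()` passes is gone by the time `/usr/sbin/slaptest -u "$@" ${OPTS_CONF}` runs; `slapd-initd-2.4.40-r1` has the same sequence. Walking `$OPTS` with a plain `for` loop and a flag variable leaves the positional parameters alone and keeps the "last -f/-F wins" behaviour. `CONF` is also never reset before the `${CONF-...}` fallback, so a value inherited from the environment would be used when `OPTS` names no config; an explicit `CONF=` before the loop would rule that out if it is not intended.

```shell
checkconfig() {
	# … unchanged: bug reference comment …
	# Step 1: extract the last valid config file or config dir
	want_conf=
	for opt in $OPTS; do
		if [ -n "$want_conf" ]; then
			CONF=$opt
			want_conf=
		elif [ "$opt" = "-f" ] || [ "$opt" = "-F" ]; then
			want_conf=1
		fi
	done
	# … unchanged: fallback, DBDIRS loop, slaptest call with "$@" …
```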