Debian

Available patches from Ubuntu

To see how Ubuntu's packages differ from Debian's, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: openldap

openldap (2.4.50+dfsg-1ubuntu2) groovy; urgency=medium

  * d/apparmor-profile: Update apparmor profile to grant access to
    the saslauthd socket, so that SASL authentication works.
    (LP: #1557157)

 -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 12 Jun 2020 18:20:42 -0400

openldap (2.4.50+dfsg-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Enable AppArmor support:
      + d/apparmor-profile: add AppArmor profile
      + d/rules: use dh_apparmor
      + d/control: Build-Depends on dh-apparmor
      + d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      + d/configure.options: Configure with --with-gssapi
      + d/control: Added heimdal-dev as a build depend
      + d/rules:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
        This should be dropped when the soname changes.
    - Enable ufw support:
      + d/control: suggest ufw.
      + d/rules: install ufw profile.
      + d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      + d/rules:
        - add nssov to CONTRIB_MODULES
        - add sysconfdir to CONTRIB_MAKEVARS
      + d/slapd.install:
        - install nssov overlay
      + d/slapd.manpages:
        - install slapo-nssov(5) man page
      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3
        regarding Debian bug #919136, we also have to patch the nssov
        makefile accordingly and thus update this patch.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.scripts-common:
      + add slapcat_opts to local variables.
      + Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new
      configuration style.
    - Add support for CLDAP (UDP) support, back then required by
      likewise-open (first enabled in 2.4.17-1ubuntu2):
      + d/rules: Enable -DLDAP_CONNECTIONLESS
      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
        This should be dropped when the soname changes.
    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64
      because of test timing issue.
  * Dropped:
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
      [Not worth keeping a delta for, as having olcRootDN doesn't hurt]
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in
        version
      [Debian now shows the full package version]
    - SECURITY UPDATE: denial of service via nested search filters
      + debian/patches/CVE-2020-12243.patch: limit depth of nested
        filters in servers/slapd/filter.c.
      [Fixed upstream]
  * Added:
    - d/rules, debian/patches/set-maintainer-name: Extract maintainer
      address dynamically from debian/control. Thanks to Ryan Tandy
      <ryan@nardis.ca> (Closes: #960448, LP: #1875697)

 -- Andreas Hasenack <andreas@canonical.com>  Mon, 01 Jun 2020 09:19:58 -0300

Modifications:
  1. Download patch debian/apparmor-profile

    --- 2.4.50+dfsg-1/debian/apparmor-profile 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/apparmor-profile 2020-06-12 22:20:42.000000000 +0000 @@ -0,0 +1,61 @@ +# vim:syntax=apparmor +# Last Modified: Fri Jun 6 13:51:00 2020 +# Author: Jamie Strandboge <jamie@ubuntu.com> + +#include <tunables/global> + +/usr/sbin/slapd { + #include <abstractions/base> + #include <abstractions/nameservice> + #include <abstractions/p11-kit> + + #include <abstractions/ssl_certs> + /etc/ssl/private/ r, + /etc/ssl/private/* r, + + /etc/sasldb2 r, + + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + + /etc/gai.conf r, + /etc/hosts.allow r, + /etc/hosts.deny r, + + # ldap files + /etc/ldap/** kr, + /etc/ldap/slapd.d/** rw, + + # kerberos/gssapi + /dev/tty rw, + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* kr, + /etc/krb5.keytab kr, + /etc/krb5/user/*/client.keytab kr, + owner /tmp/krb5cc_* rwk, + /var/tmp/ rw, + /var/tmp/** rw, + + # the databases and logs + /var/lib/ldap/ r, + /var/lib/ldap/** rwk, + + # lock file + /var/lib/ldap/alock kw, + + # pid files and sockets + /{,var/}run/slapd/* w, + /{,var/}run/slapd/ldapi rw, + /{,var/}run/nslcd/socket rw, + /{,var/}run/saslauthd/mux rw, + + /usr/lib/ldap/ r, + /usr/lib/ldap/* mr, + + /usr/sbin/slapd mr, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.slapd> +}
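Review bot: In the kerberos/gssapi block, `/var/tmp/ rw,` and `/var/tmp/** rw,` give slapd write access to everything under /var/tmp with no `owner` qualifier, unlike the `owner /tmp/krb5cc_* rwk,` rule just above them. If these rules exist only for Kerberos state files, narrow them to the file name pattern actually used, or at least prefix them with `owner`. The same applies to `/etc/ssl/private/* r,`, which lets the daemon read every private key in that directory rather than only its own, and `capability dac_override,` deserves a comment saying which access requires it.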
  2. Download patch debian/slapd.scripts-common

    --- 2.4.50+dfsg-1/debian/slapd.scripts-common 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.scripts-common 2020-05-13 12:38:21.000000000 +0000 @@ -175,8 +175,7 @@ dump_config() { # {{{ dump_databases() { # {{{ # If the user wants us to dump the databases they are dumped to the # configured directory. - - local db suffix file dir failed + local db suffix file dir failed slapcat_opts database_dumping_enabled || return 0 @@ -365,6 +364,12 @@ compute_backup_path() { # {{{ id="$OLD_VERSION" [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S` target="/var/backups/$basedn-$id.ldapdb" + # Configuration via dpkg-reconfigure. + # The backup directory already exists when reconfigured + # twice or more: append a timestamp. + if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]); then + target="$target-`date +%Y%m%d-%H%M%S`" + fi if [ -e "$target" ] && [ -z "$ok_exists" ]; then echo >&2 echo >&2 " Backup path $target exists. Giving up..."
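Review bot: In the compute_backup_path hunk, the added test groups its two conditions with `( ... )`, which forks a subshell only to evaluate an OR; `{ [ "$MODE" = reconfigure ] || [ -n "$DEBCONF_RECONFIGURE" ]; }` does the same without one and makes the non-empty test explicit. The appended suffix has one-second resolution, so two reconfigures within the same second can still reach the existing `Backup path $target exists. Giving up...` branch; that is probably acceptable but worth stating in the new comment. The dump_databases hunk also deletes the blank line after the comment, an unrelated whitespace change that is better left out of the delta.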
  3. Download patch debian/rules

    --- 2.4.50+dfsg-1/debian/rules 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/rules 2020-06-12 22:20:42.000000000 +0000 @@ -7,13 +7,17 @@ include /usr/share/dpkg/pkg-info.mk # want the checks for DFSG-freeness. #DFSG_NONFREE = 1 -export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE +export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_CONNECTIONLESS -I/usr/include/heimdal +export DEB_LDFLAGS_MAINT_APPEND := -L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow # Configure calls AM_INIT_AUTOMAKE, but Automake fails as there is no Makefile.am. # Tell dh-autoreconf to skip automake. export AUTOMAKE = true +# Expose maintainer address to build/mkversion (see debian/patches/set-maintainer-name) +export DEB_MAINTAINER := $(shell sed -ne 's/^Maintainer:\s\+//p' debian/control) + # Expose DEB_VERSION to build/version.sh (see debian/patches/debian-version) export DEB_VERSION @@ -28,7 +32,7 @@ ifneq ($(filter pkg.openldap.noslapd,$(D CONFIG += --disable-slapd endif -CONTRIB_MODULES = autogroup lastbind passwd passwd/argon2 passwd/pbkdf2 passwd/sha2 smbk5pwd +CONTRIB_MODULES = autogroup lastbind nssov passwd passwd/argon2 passwd/pbkdf2 passwd/sha2 smbk5pwd # Ensure CC is set correctly for cross builds, unless it has already # been set explicitly. @@ -48,7 +52,8 @@ CONTRIB_MAKEVARS := \ LDAP_BUILD='$(builddir)' \ prefix=/usr \ ldap_subdir=/ldap \ - moduledir='$$(libdir)$$(ldap_subdir)' + moduledir='$$(libdir)$$(ldap_subdir)' \ + sysconfdir='/etc$$(ldap_subdir)' # These variables are used only by get-orig-source, which will normally only # be run by maintainers. 
@@ -162,6 +167,22 @@ endif find $(installdir)/usr/share/man -name \*.8 \ | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#' +ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),) +override_dh_install-arch: + dh_install + + # install AppArmor profile + install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd + + # install Apport hook + install -D -m 644 $(CURDIR)/debian/slapd.py $(CURDIR)/debian/slapd/usr/share/apport/package-hooks/slapd.py + + # install ufw profile + install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd + + dh_apparmor -pslapd --profile-name=usr.sbin.slapd +endif + override_dh_installinit: dh_installinit -- "defaults 19 80" @@ -222,6 +243,8 @@ ifeq ($(filter pkg.openldap.noslapd,$(DE done; \ fi + rm -f contrib/slapd-modules/nssov/nss-pam-ldapd/config.sub contrib/slapd-modules/nssov/nss-pam-ldapd/config.guess + # Clean the contrib directory for mod in $(CONTRIB_MODULES); do \ dh_auto_clean -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod || exit $?; \
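Review bot: In the first hunk, `-DLDAP_CONNECTIONLESS` and `-I/usr/include/heimdal` are preprocessor flags but are appended to `DEB_CFLAGS_MAINT_APPEND`; `DEB_CPPFLAGS_MAINT_APPEND` would be the conventional place, and neither flag carries a comment saying why it is needed (CLDAP and GSSAPI, per the changelog). The changelog entry also says `-I/usr/lib/<multiarch>/heimdal` is added to LDFLAGS while the hunk adds `-L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal`, so the changelog text should be corrected to match.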
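Review bot: The new `override_dh_install-arch` target is guarded only by the `stage1` build profile, yet every `install` line in it writes into `debian/slapd/` and `dh_apparmor` is called with `-pslapd`. The other conditionals visible in this file key on `pkg.openldap.noslapd`, which adds `--disable-slapd`; a build with that profile would still run these slapd-specific steps. Guard them with the same `pkg.openldap.noslapd` filter, and add a comment to the `rm -f` of nssov's `config.sub` and `config.guess` in the clean hunk saying why those two files have to be removed.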
  4. Download patch debian/patches/contrib-makefiles

    --- 2.4.50+dfsg-1/debian/patches/contrib-makefiles 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/patches/contrib-makefiles 2020-05-25 06:39:14.000000000 +0000 @@ -183,3 +183,24 @@ -rpath $(moduledir) -module -o $@ $? $(LIBS) clean: +--- a/contrib/slapd-modules/nssov/Makefile ++++ b/contrib/slapd-modules/nssov/Makefile +@@ -52,15 +52,15 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + tio.lo: nss-pam-ldapd/tio.c +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $? ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $? + + $(OBJS): nssov.h + + nssov.la: $(OBJS) $(XOBJS) +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info 0:0:0 \ + -rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS) + + install: nssov.la
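Review bot: In the added nssov section, the two compile rules replace `$(OPT)` with `$(CFLAGS) $(CPPFLAGS)` and the `nssov.la` link rule replaces it with `$(LDFLAGS)`, so after this change none of the three rules reads `OPT` and a value passed in by a caller is silently ignored. If `OPT` is still set anywhere in the nssov makefile or in `CONTRIB_MAKEVARS`, either keep it alongside the new variables or say in the patch description that it is dropped on purpose.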
  5. Download patch debian/slapd.README.Debian

    --- 2.4.50+dfsg-1/debian/slapd.README.Debian 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.README.Debian 2020-05-13 12:38:21.000000000 +0000 @@ -204,8 +204,8 @@ Running slapd under a Different UID/GID - Tell linux slapd can access configuration files -- usually: - chgrp <group> /etc/ldap/slapd.conf - chmod 0640 /etc/ldap/slapd.conf + chgrp -R <group> /etc/ldap/slapd.d + chmod -R g+rX /etc/ldap/slapd.d - Tell linux slapd can access /var/run/slapd and write a PID file: @@ -339,3 +339,14 @@ Unsafe access control rule installed by slapd.access(5) man page. -- Ryan Tandy <ryan@nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700 + +Apparmor Profile +---------------- + + If your system uses AppArmor, please note that the shipped enforcing profile + works with the default installation, and changes in your configuration may + require changes to the installed apparmor profile. Please see + https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this + software. + + -- Jamie Strandboge <jamie@ubuntu.com>, Mon, 4 Feb 2008 21:18:21 -0500
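Review bot: In the first hunk, `chmod -R g+rX /etc/ldap/slapd.d` only adds group permissions, whereas the `chmod 0640` it replaces also removed access for others, so a tree that is already world-readable stays that way. Something like `chmod -R g+rX,o-rwx /etc/ldap/slapd.d` keeps the old guarantee. The AppArmor profile in this same delta grants slapd `rw` on `/etc/ldap/slapd.d/**`, so the text should also say whether group read is enough or the group needs write as well. In the second hunk the heading reads `Apparmor Profile` while the body and the changelog spell it AppArmor.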
  6. Download patch debian/slapd.default

    --- 2.4.50+dfsg-1/debian/slapd.default 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.default 2020-05-13 12:38:21.000000000 +0000 @@ -12,7 +12,7 @@ SLAPD_USER="openldap" SLAPD_GROUP="openldap" # Path to the pid file of the slapd server. If not set the init.d script -# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by # default) SLAPD_PIDFILE=
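Review bot: The reworded comment now gives a directory, `/etc/ldap/slapd.d`, as the default for `$SLAPD_CONF` without saying so, and a reader used to the old text will expect a file. Write `the /etc/ldap/slapd.d directory` or similar so it is clear the pid file is looked up from a configuration directory.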
  7. Download patch debian/patches/fix_test_timing.patch

    --- 2.4.50+dfsg-1/debian/patches/fix_test_timing.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/patches/fix_test_timing.patch 2020-05-13 12:38:21.000000000 +0000 @@ -0,0 +1,27 @@ +Description: fix test timing on slow builders such as riscv64 +Author: Marc Deslauriers <marc.deslauriers@canonical.com> + +--- a/tests/data/ppolicy.ldif ++++ b/tests/data/ppolicy.ldif +@@ -25,7 +25,7 @@ pwdLockoutDuration: 15 + pwdInHistory: 6 + pwdCheckQuality: 2 + pwdExpireWarning: 10 +-pwdMaxAge: 30 ++pwdMaxAge: 40 + pwdMinLength: 5 + pwdGraceAuthnLimit: 3 + pwdAllowUserChange: TRUE +--- a/tests/scripts/test022-ppolicy ++++ b/tests/scripts/test022-ppolicy +@@ -100,8 +100,8 @@ if test $RC != 0 ; then + fi + + echo "Testing password expiration" +-echo "Waiting 20 seconds for password to expire..." +-sleep 20 ++echo "Waiting 40 seconds for password to expire..." ++sleep 40 + + $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base > $SEARCHOUT 2>&1
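Review bot: In the test022-ppolicy hunk the wait becomes `sleep 40`, exactly the new `pwdMaxAge: 40`, which leaves no margin beyond whatever time the preceding steps happened to take. Sleeping slightly longer than pwdMaxAge, or polling until the expected result appears, would be more robust on the slow builders this targets. The patch header has Description and Author but no Forwarded or Bug field, and the description does not say which step failed with the old values.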
  8. Download patch debian/configure.options

    --- 2.4.50+dfsg-1/debian/configure.options 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/configure.options 2020-05-25 06:39:14.000000000 +0000 @@ -175,6 +175,7 @@ # --with-fetch with fetch(3) URL support [auto] # --with-threads with threads [auto] --with-threads +--with-gssapi # --with-tls with TLS/SSL support auto|openssl|gnutls|moznss [auto] --with-tls=gnutls # --with-yielding-select with implicitly yielding select [auto]
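Review bot: `--with-gssapi` is added bare, while the other options visible in this hunk are each preceded by a commented line copied from configure's help output (`# --with-threads with threads [auto]`, `# --with-tls with TLS/SSL support ...`). Add the matching commented line above it, using the help string that gssapi.diff introduces (`--with-gssapi with GSSAPI support`), so the file stays self-documenting.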
  9. Download patch debian/control

    --- 2.4.50+dfsg-1/debian/control 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/control 2020-05-25 06:39:14.000000000 +0000 @@ -1,14 +1,16 @@ Source: openldap Section: net Priority: optional -Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> Uploaders: Steve Langasek <vorlon@debian.org>, Torsten Landschoff <torsten@debian.org>, Ryan Tandy <ryan@nardis.ca> Build-Depends: debhelper (>= 10), + dh-apparmor, dpkg-dev (>= 1.17.14), groff-base, - heimdal-multidev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>, + heimdal-dev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>, libargon2-dev <!pkg.openldap.noslapd>, libdb5.3-dev <!pkg.openldap.noslapd>, libgnutls28-dev, @@ -35,7 +37,7 @@ Depends: ${shlibs:Depends}, libldap-2.4- coreutils (>= 4.5.1-1), psmisc, perl:any (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base (>= 3.2-13), ${perl:Depends}, ${misc:Depends} Recommends: libsasl2-modules -Suggests: ldap-utils, +Suggests: ldap-utils, ufw, libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1) Replaces: libldap2, ldap-utils (<< 2.2.23-3)
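Review bot: The Build-Depends hunk keeps the `<!pkg.openldap.noslapd>` restriction on `heimdal-dev`, but `--with-gssapi` in debian/configure.options is unconditional and gssapi.diff turns a failed detection into `AC_MSG_ERROR([GSSAPI detection failed])`; a build with that profile then depends on some other GSSAPI library happening to be installed. Either drop the restriction or make the configure option conditional on the same profile. The changelog also describes this as `Added heimdal-dev as a build depend`, while the hunk replaces `heimdal-multidev`; please record why the multidev package is no longer sufficient given that debian/rules adds the heimdal include and library directories explicitly.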
  10. Download patch debian/slapd.install

    --- 2.4.50+dfsg-1/debian/slapd.install 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.install 2020-05-25 06:39:14.000000000 +0000 @@ -54,5 +54,7 @@ usr/lib/ldap/autogroup.so* usr/lib/ldap/autogroup.la usr/lib/ldap/lastbind.so* usr/lib/ldap/lastbind.la +usr/lib/ldap/nssov.so* +usr/lib/ldap/nssov.la usr/lib/ldap/pw-sha2.so* usr/lib/ldap/pw-sha2.la
  11. Download patch debian/slapd.manpages

    --- 2.4.50+dfsg-1/debian/slapd.manpages 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.manpages 2020-05-25 06:39:14.000000000 +0000 @@ -43,3 +43,4 @@ debian/tmp/usr/share/man/man5/slapo-vals # contrib modules installed in main package debian/tmp/usr/share/man/man5/slapo-lastbind.5 +contrib/slapd-modules/nssov/slapo-nssov.5
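Review bot: The added `contrib/slapd-modules/nssov/slapo-nssov.5` is taken straight from the source tree, while the neighbouring `slapo-lastbind.5` entry comes from `debian/tmp/usr/share/man/man5/`. If the nssov makefile has no man page install step, say so in a comment; otherwise install it through `debian/tmp` like the other contrib module so both pages follow the same path.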
  12. Download patch debian/patches/series

    --- 2.4.50+dfsg-1/debian/patches/series 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/patches/series 2020-05-25 06:39:14.000000000 +0000 @@ -8,6 +8,7 @@ index-files-created-as-root sasl-default-path libldap-symbol-versions getaddrinfo-is-threadsafe +gssapi.diff do-not-second-guess-sonames contrib-makefiles smbk5pwd-makefile-manpage @@ -20,3 +21,4 @@ no-bdb-ABI-second-guessing ITS6035-olcauthzregex-needs-restart.patch set-maintainer-name ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch +fix_test_timing.patch
  13. Download patch debian/patches/gssapi.diff

    --- 2.4.50+dfsg-1/debian/patches/gssapi.diff 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/patches/gssapi.diff 2020-05-25 06:39:14.000000000 +0000 
@@ -0,0 +1,140 @@ +--- a/configure.in ++++ b/configure.in +@@ -244,6 +244,8 @@ + auto, [auto yes no] ) + OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support], + auto, [auto yes no] ) ++OL_ARG_WITH(gssapi,[ --with-gssapi with GSSAPI support], ++ auto, [auto yes no] ) + OL_ARG_WITH(threads,[ --with-threads with threads], + auto, [auto nt posix mach pth lwp yes no manual] ) + OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls|moznss], +@@ -591,6 +593,7 @@ + KRB4_LIBS= + KRB5_LIBS= + SASL_LIBS= ++GSSAPI_LIBS= + TLS_LIBS= + MODULES_LIBS= + SLAPI_LIBS= +@@ -1153,6 +1156,63 @@ + fi + + dnl ---------------------------------------------------------------- ++dnl GSSAPI ++ol_link_gssapi=no ++ ++case $ol_with_gssapi in yes | auto) ++ ++ ol_header_gssapi=no ++ AC_CHECK_HEADERS(gssapi/gssapi.h) ++ if test $ac_cv_header_gssapi_gssapi_h = yes ; then ++ ol_header_gssapi=yes ++ else ++ AC_CHECK_HEADERS(gssapi.h) ++ if test $ac_cv_header_gssapi_h = yes ; then ++ ol_header_gssapi=yes ++ fi ++ ++ dnl## not every gssapi has gss_oid_to_str() ++ dnl## as it's not defined in the GSSAPI V2 API ++ dnl## anymore ++ saveLIBS="$LIBS" ++ LIBS="$LIBS $GSSAPI_LIBS" ++ AC_CHECK_FUNCS(gss_oid_to_str) ++ LIBS="$saveLIBS" ++ fi ++ ++ if test $ol_header_gssapi = yes ; then ++ dnl## we check for gss_wrap ++ dnl## as it's new to the GSSAPI V2 API ++ AC_CHECK_LIB(gssapi, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"], ++ [ol_link_gssapi=no]) ++ if test $ol_link_gssapi != yes ; then ++ AC_CHECK_LIB(gssapi_krb5, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"], ++ [ol_link_gssapi=no]) ++ fi ++ if test $ol_link_gssapi != yes ; then ++ AC_CHECK_LIB(gss, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"], ++ [ol_link_gssapi=no]) ++ fi ++ fi ++ ++ ;; ++esac ++ ++WITH_GSSAPI=no ++if test $ol_link_gssapi = yes; then ++ AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI]) ++ WITH_GSSAPI=yes ++elif test $ol_with_gssapi = auto ; then ++ AC_MSG_WARN([Could not 
locate GSSAPI package]) ++ AC_MSG_WARN([GSSAPI authentication not supported!]) ++elif test $ol_with_gssapi = yes ; then ++ AC_MSG_ERROR([GSSAPI detection failed]) ++fi ++ ++dnl ---------------------------------------------------------------- + dnl TLS/SSL + + if test $ol_with_tls = yes ; then +@@ -1928,6 +1988,13 @@ + fi + AC_SUBST(VERSION_OPTION) + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +@@ -3159,6 +3226,7 @@ + AC_SUBST(KRB4_LIBS) + AC_SUBST(KRB5_LIBS) + AC_SUBST(SASL_LIBS) ++AC_SUBST(GSSAPI_LIBS) + AC_SUBST(TLS_LIBS) + AC_SUBST(MODULES_LIBS) + AC_SUBST(SLAPI_LIBS) +--- a/include/portable.hin ++++ b/include/portable.hin +@@ -253,6 +253,18 @@ + /* Define to 1 if you have the <grp.h> header file. */ + #undef HAVE_GRP_H + ++/* define if you have GSSAPI */ ++#undef HAVE_GSSAPI ++ ++/* Define to 1 if you have the <gssapi/gssapi.h> header file. */ ++#undef HAVE_GSSAPI_GSSAPI_H ++ ++/* Define to 1 if you have the <gssapi.h> header file. */ ++#undef HAVE_GSSAPI_H ++ ++/* Define to 1 if you have the `gss_oid_to_str' function. */ ++#undef HAVE_GSS_OID_TO_STR ++ + /* Define to 1 if you have the `hstrerror' function. */ + #undef HAVE_HSTRERROR + +--- a/build/top.mk ++++ b/build/top.mk +@@ -190,9 +190,10 @@ + KRB5_LIBS = @KRB5_LIBS@ + KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@ + SASL_LIBS = @SASL_LIBS@ ++GSSAPI_LIBS = @GSSAPI_LIBS@ + TLS_LIBS = @TLS_LIBS@ + AUTH_LIBS = @AUTH_LIBS@ +-SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS) ++SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS) + + MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@ + MODULES_LDFLAGS = @SLAPD_MODULES_LDFLAGS@
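Review bot: In the configure.in GSSAPI block, `AC_CHECK_FUNCS(gss_oid_to_str)` sits inside the `else` branch, so it never runs when `gssapi/gssapi.h` is found, and where it does run `GSSAPI_LIBS` is still empty because the `AC_CHECK_LIB` calls that set it come later. `HAVE_GSS_OID_TO_STR` can therefore stay undefined even when the function exists. Move the check after the library detection, outside the header `if`/`else`, with `LIBS="$LIBS $GSSAPI_LIBS"` set at that point.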
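Review bot: The hunk at `@@ -1928,6 +1988,13 @@` adds a second copy of the `VERSION_OPTION=""` / `OL_SYMBOL_VERSIONING` / `AC_SUBST(VERSION_OPTION)` sequence directly after an existing `AC_SUBST(VERSION_OPTION)`; it is unrelated to GSSAPI and duplicates what the context already does, so it should be dropped from this patch. The changelog also credits gssapi.diff with making `guess_service_principal()` more robust, yet the 140 lines shown touch only configure.in, include/portable.hin and build/top.mk, and the patch has no description header; either the changelog entry or the patch needs updating.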
  14. Download patch debian/libldap-2.4-2.symbols

    --- 2.4.50+dfsg-1/debian/libldap-2.4-2.symbols 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/libldap-2.4-2.symbols 2020-05-25 06:39:14.000000000 +0000 @@ -118,6 +118,7 @@ liblber-2.4.so.2 libldap-2.4-2 #MINVER# ber_sockbuf_io_fd@OPENLDAP_2.4_2 2.4.7 ber_sockbuf_io_readahead@OPENLDAP_2.4_2 2.4.7 ber_sockbuf_io_tcp@OPENLDAP_2.4_2 2.4.7 + ber_sockbuf_io_udp@OPENLDAP_2.4_2 2.4.17-1ubuntu2 ber_sockbuf_remove_io@OPENLDAP_2.4_2 2.4.7 ber_sos_dump@OPENLDAP_2.4_2 2.4.7 ber_start@OPENLDAP_2.4_2 2.4.7 @@ -280,6 +281,11 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER ldap_int_flush_request@OPENLDAP_2.4_2 2.4.7 ldap_int_global_options@OPENLDAP_2.4_2 2.4.7 ldap_int_gmtime_mutex@OPENLDAP_2.4_2 2.4.23 + ldap_int_gssapi_close@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_config@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_get_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_mutex@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_set_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2 ldap_int_hostname@OPENLDAP_2.4_2 2.4.7 ldap_int_hostname_mutex@OPENLDAP_2.4_2 2.4.39 ldap_int_inet4or6@OPENLDAP_2.4_2 2.4.7 @@ -312,6 +318,7 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER ldap_int_tls_start@OPENLDAP_2.4_2 2.4.7 ldap_int_utils_init@OPENLDAP_2.4_2 2.4.7 ldap_is_ldap_url@OPENLDAP_2.4_2 2.4.7 + ldap_is_ldapc_url@OPENLDAP_2.4_2 2.4.17-1ubuntu2 ldap_is_ldapi_url@OPENLDAP_2.4_2 2.4.7 ldap_is_ldaps_url@OPENLDAP_2.4_2 2.4.7 ldap_is_read_ready@OPENLDAP_2.4_2 2.4.7
  15. Download patch debian/slapd.ufw.profile

    --- 2.4.50+dfsg-1/debian/slapd.ufw.profile 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.ufw.profile 2020-05-13 12:38:21.000000000 +0000 @@ -0,0 +1,9 @@ +[OpenLDAP LDAP] +title=OpenLDAP with TLS +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=389/tcp + +[OpenLDAP LDAPS] +title=OpenLDAP over SSL +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=636/tcp
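Review bot: The `[OpenLDAP LDAP]` section opens `389/tcp` under the title `OpenLDAP with TLS`, but a port rule cannot enforce StartTLS, so the title suggests a protection the profile does not provide; both sections also share one description. Rename it to something like `OpenLDAP (LDAP, StartTLS optional)` and give each section its own description. This delta also builds with `-DLDAP_CONNECTIONLESS`, so state in a comment or the changelog that `389/udp` is left closed on purpose.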
  16. Download patch debian/patches/set-maintainer-name

    --- 2.4.50+dfsg-1/debian/patches/set-maintainer-name 2020-04-28 17:18:12.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/patches/set-maintainer-name 2020-06-12 22:20:42.000000000 +0000 @@ -10,7 +10,7 @@ -else - WHOWHERE="$USER@$(uname -n):$(pwd)" -fi -+WHOWHERE="Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>" ++WHOWHERE="${DEB_MAINTAINER:-openldap}" cat << __EOF__ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
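Review bot: `WHOWHERE="${DEB_MAINTAINER:-openldap}"` falls back to the literal `openldap` whenever the variable is empty, so a failed `sed` extraction in debian/rules goes unnoticed. Either fail the build with `${DEB_MAINTAINER:?}` or note in the patch description that the fallback is intended for builds run outside debian/rules.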
  17. Download patch debian/slapd.py

    --- 2.4.50+dfsg-1/debian/slapd.py 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.50+dfsg-1ubuntu2/debian/slapd.py 2020-05-13 12:38:21.000000000 +0000 @@ -0,0 +1,51 @@ +#!/usr/bin/python + +'''apport hook for slapd + +(c) 2010 Adam Sommer. +Author: Adam Sommer <asommer@ubuntu.com> + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import os + +# Scrub olcRootPW attribute and credentials strings if necessary. +def scrub_pass_strings(config): + olcrootpw_regex = re.compile('olcRootPW:.*') + olcrootpw_string = olcrootpw_regex.search(config) + if olcrootpw_string: + config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@') + + credentials_regex = re.compile('credentials=.* ') + credentials_string = credentials_regex.search(config) + if credentials_string: + config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ') + + return config + +def add_info(report, ui): + response = ui.yesno("The contents of your /etc/ldap/slapd.d directory " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + + elif response == True: + # Get the cn=config tree. + cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config']) + report['CNConfig'] = scrub_pass_strings(cn_config) + + # Get slapd messages from /var/log/syslog + slapd_re = re.compile('slapd', re.IGNORECASE) + report['SysLog'] = recent_syslog(slapd_re) + + attach_mac_events(report, '/usr/sbin/slapd')
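Review bot: `scrub_pass_strings()` calls `search()` and then `config.replace()` on that single match, so only the first `olcRootPW:` value and the first `credentials=` string are redacted; a cn=config tree with several databases keeps the remaining root passwords in the report. Use `re.sub(r'(?m)^olcRootPW:.*(\n .*)*', 'olcRootPW: @@APPORTREPLACED@@', config)`, which also covers folded LDIF continuation lines, and treat `credentials=` the same way, since `credentials=.* ` is greedy and needs a trailing space to match at all. In `add_info()`, `'-Y EXTERNAL'`, `'-H ldapi:///'` and `'-b cn=config'` each pass an option and its value as one argument with an embedded space; split them into separate list items. The module also relies on the star import for `re`, and `response == None` should be `response is None`.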