Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: openldap

openldap (2.4.48+dfsg-1ubuntu3) focal; urgency=medium

  * No-change rebuild against libnettle7

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Oct 2019 22:13:44 +0000

openldap (2.4.48+dfsg-1ubuntu2) focal; urgency=medium

  * No-change rebuild for the perl update.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 18 Oct 2019 19:37:23 +0000

openldap (2.4.48+dfsg-1ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
      - d/rules:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/rules:
        - add nssov to CONTRIB_MODULES
        - add sysconfdir to CONTRIB_MAKEVARS
      - d/slapd.install:
        - install nssov overlay
      - d/slapd.manpages:
        - install slapo-nssov(5) man page
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support in
      the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
      - GSSAPI support was enabled in 2.4.18-0ubuntu2
    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
      Debian bug #919136, we also have to patch the nssov makefile
      accordingly and thus update this patch.
  * Dropped:
    - Fix sysv-generator unit file by customizing parameters (LP #1821343)
      + d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
        correct systemctl status for slapd daemon.
      + d/slapd.install: place override file in correct location.
      [Included in 2.4.48+dfsg-1]
    - SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
      + debian/patches/CVE-2019-13057-1.patch: add restriction to
        servers/slapd/saslauthz.c.
      + debian/patches/CVE-2019-13057-2.patch: add tests to
        tests/data/idassert.out, tests/data/slapd-idassert.conf,
        tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
      + debian/patches/CVE-2019-13057-3.patch: fix typo in
        tests/scripts/test028-idassert.
      + debian/patches/CVE-2019-13057-4.patch: fix typo in
        tests/scripts/test028-idassert.
      + CVE-2019-13057
      [Fixed upstream]
    - SECURITY UPDATE: SASL SSF not initialized per connection
      + debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
        connection_init in servers/slapd/connection.c.
      + CVE-2019-13565
      [Fixed upstream]

 -- Andreas Hasenack <andreas@canonical.com>  Wed, 31 Jul 2019 18:01:14 -0300

Modifications:
  1. Download patch debian/patches/fix-ldap-distribution.patch

    --- 2.4.48+dfsg-1/debian/patches/fix-ldap-distribution.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/patches/fix-ldap-distribution.patch 2019-07-31 21:01:14.000000000 +0000 @@ -0,0 +1,24 @@ +--- a/build/mkversion ++++ b/build/mkversion +@@ -52,6 +52,12 @@ + APPLICATION=$1 + WHOWHERE="Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>" + ++if test -x /usr/bin/lsb_release; then ++ OPENLDAP_DISTRIBUTION=" ($(lsb_release -si))" ++else ++ OPENLDAP_DISTRIBUTION="" ++fi ++ + cat << __EOF__ + /* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * +@@ -72,7 +78,7 @@ + "COPYING RESTRICTIONS APPLY\n"; + + $static $const char $SYMBOL[] = +-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n" ++"@(#) \$$PACKAGE: $APPLICATION $VERSION$OPENLDAP_DISTRIBUTION (" __DATE__ " " __TIME__ ") \$\n" + "\t$WHOWHERE\n"; + + __EOF__
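
    Review bot: In the build/mkversion hunk at -52, the guard tests `/usr/bin/lsb_release` but the command is then run as a bare `lsb_release` resolved through PATH, so the binary that is checked and the binary that runs can differ; use `/usr/bin/lsb_release -si` in both places. The result is also interpolated unescaped into the C string literal changed in the second hunk, so a distributor ID containing a double quote or a backslash would break the generated source. The new patch file starts directly at `--- a/build/mkversion` and would benefit from a short header saying what it does and who wrote it.
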
  2. Download patch debian/apparmor-profile

    --- 2.4.48+dfsg-1/debian/apparmor-profile 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/apparmor-profile 2019-07-31 21:01:14.000000000 +0000 @@ -0,0 +1,60 @@ +# vim:syntax=apparmor +# Last Modified: Fri Jan 4 15:18:13 2008 +# Author: Jamie Strandboge <jamie@ubuntu.com> + +#include <tunables/global> + +/usr/sbin/slapd { + #include <abstractions/base> + #include <abstractions/nameservice> + #include <abstractions/p11-kit> + + #include <abstractions/ssl_certs> + /etc/ssl/private/ r, + /etc/ssl/private/* r, + + /etc/sasldb2 r, + + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + + /etc/gai.conf r, + /etc/hosts.allow r, + /etc/hosts.deny r, + + # ldap files + /etc/ldap/** kr, + /etc/ldap/slapd.d/** rw, + + # kerberos/gssapi + /dev/tty rw, + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* kr, + /etc/krb5.keytab kr, + /etc/krb5/user/*/client.keytab kr, + owner /tmp/krb5cc_* rwk, + /var/tmp/ rw, + /var/tmp/** rw, + + # the databases and logs + /var/lib/ldap/ r, + /var/lib/ldap/** rwk, + + # lock file + /var/lib/ldap/alock kw, + + # pid files and sockets + /{,var/}run/slapd/* w, + /{,var/}run/slapd/ldapi rw, + /{,var/}run/nslcd/socket rw, + + /usr/lib/ldap/ r, + /usr/lib/ldap/* mr, + + /usr/sbin/slapd mr, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.slapd> +}
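
    Review bot: The rules `/etc/ssl/private/ r,` and `/etc/ssl/private/* r,` let slapd list and read every private key stored in that directory, not only the one configured for LDAP; consider dropping the glob from the shipped profile and letting each site grant its specific key file through the `local/usr.sbin.slapd` include that the profile already provides. Two smaller points in the same profile: `/var/tmp/** rw,` has no `owner` qualifier although the adjacent `/tmp/krb5cc_*` rule does, and `capability dac_override,` carries no comment saying which operation needs it.
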
  3. Download patch debian/slapd.scripts-common

    --- 2.4.48+dfsg-1/debian/slapd.scripts-common 2019-07-25 00:14:43.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.scripts-common 2019-07-31 21:01:14.000000000 +0000 @@ -175,8 +175,7 @@ dump_config() { # {{{ dump_databases() { # {{{ # If the user wants us to dump the databases they are dumped to the # configured directory. - - local db suffix file dir failed + local db suffix file dir failed slapcat_opts database_dumping_enabled || return 0 @@ -365,6 +364,12 @@ compute_backup_path() { # {{{ id="$OLD_VERSION" [ -n "$id" ] || id=`date +%Y%m%d-%H%M%S` target="/var/backups/$basedn-$id.ldapdb" + # Configuration via dpkg-reconfigure. + # The backup directory already exists when reconfigured + # twice or more: append a timestamp. + if [ -e "${target}" ] && ([ "$MODE" = reconfigure ] || [ "$DEBCONF_RECONFIGURE" ]); then + target="$target-`date +%Y%m%d-%H%M%S`" + fi if [ -e "$target" ] && [ -z "$ok_exists" ]; then echo >&2 echo >&2 " Backup path $target exists. Giving up..."
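
    Review bot: In the compute_backup_path hunk, the new condition groups its two tests with `( ... )`, which forks a subshell only to combine exit codes, and the second test relies on the implicit non-empty check; `{ [ "$MODE" = reconfigure ] || [ -n "$DEBCONF_RECONFIGURE" ]; }` says the same thing without either. When `$OLD_VERSION` is empty, `id` is already a `date +%Y%m%d-%H%M%S` stamp, so the appended suffix produces a directory name with two timestamps, and a second reconfigure within the same second still reaches the "Giving up" branch; the comment above the `if` should say whether that is accepted.
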
  4. Download patch debian/rules

    --- 2.4.48+dfsg-1/debian/rules 2019-07-25 00:14:43.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/rules 2019-07-31 21:01:14.000000000 +0000 @@ -7,7 +7,8 @@ include /usr/share/dpkg/pkg-info.mk # want the checks for DFSG-freeness. #DFSG_NONFREE = 1 -export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE +export DEB_CFLAGS_MAINT_APPEND := -Wall -Wno-format-extra-args -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_CONNECTIONLESS -I/usr/include/heimdal +export DEB_LDFLAGS_MAINT_APPEND := -L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow # Workaround for bad glibc behavior when resolving localhost @@ -21,7 +22,7 @@ ifneq ($(filter stage1,$(DEB_BUILD_PROFI CONFIG += --disable-slapd endif -CONTRIB_MODULES = autogroup lastbind passwd passwd/pbkdf2 passwd/sha2 smbk5pwd +CONTRIB_MODULES = autogroup lastbind nssov passwd passwd/pbkdf2 passwd/sha2 smbk5pwd # Ensure CC is set correctly for cross builds, unless it has already # been set explicitly. @@ -41,7 +42,8 @@ CONTRIB_MAKEVARS := \ LDAP_BUILD='$(builddir)' \ prefix=/usr \ ldap_subdir=/ldap \ - moduledir='$$(libdir)$$(ldap_subdir)' + moduledir='$$(libdir)$$(ldap_subdir)' \ + sysconfdir='/etc$$(ldap_subdir)' # These variables are used only by get-orig-source, which will normally only # be run by maintainers. 
@@ -155,6 +157,22 @@ endif find $(installdir)/usr/share/man -name \*.8 \ | xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#' +ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),) +override_dh_install-arch: + dh_install + + # install AppArmor profile + install -D -m 644 $(CURDIR)/debian/apparmor-profile $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd + + # install Apport hook + install -D -m 644 $(CURDIR)/debian/slapd.py $(CURDIR)/debian/slapd/usr/share/apport/package-hooks/slapd.py + + # install ufw profile + install -D -m 644 $(CURDIR)/debian/slapd.ufw.profile $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd + + dh_apparmor -pslapd --profile-name=usr.sbin.slapd +endif + override_dh_installinit: dh_installinit -- "defaults 19 80" @@ -217,6 +235,8 @@ ifeq ($(filter stage1,$(DEB_BUILD_PROFIL done; \ fi + rm -f contrib/slapd-modules/nssov/nss-pam-ldapd/config.sub contrib/slapd-modules/nssov/nss-pam-ldapd/config.guess + # Clean the contrib directory for mod in $(CONTRIB_MODULES); do \ dh_auto_clean -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod || exit $?; \
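
    Review bot: The first hunk adds `-DLDAP_CONNECTIONLESS` to `DEB_CFLAGS_MAINT_APPEND` without a comment in debian/rules; a define that compiles a UDP transport into the library should carry its rationale next to it (the changelog gives one: CLDAP support required by Likewise-Open) so a later merge can judge whether it is still needed. The same applies to the `rm -f .../nssov/nss-pam-ldapd/config.sub .../config.guess` line added to the clean target in the last hunk, which has no comment explaining why those two files have to be removed.
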
  5. Download patch debian/patches/contrib-makefiles

    --- 2.4.48+dfsg-1/debian/patches/contrib-makefiles 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/patches/contrib-makefiles 2019-07-31 21:01:14.000000000 +0000 @@ -157,3 +157,24 @@ -rpath $(moduledir) -module -o $@ $? $(LIBS) clean: +--- a/contrib/slapd-modules/nssov/Makefile ++++ b/contrib/slapd-modules/nssov/Makefile +@@ -52,15 +52,15 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + tio.lo: nss-pam-ldapd/tio.c +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $? ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $? + + $(OBJS): nssov.h + + nssov.la: $(OBJS) $(XOBJS) +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info 0:0:0 \ + -rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS) + + install: nssov.la
  6. Download patch debian/slapd.README.Debian

    --- 2.4.48+dfsg-1/debian/slapd.README.Debian 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.README.Debian 2019-07-31 21:01:14.000000000 +0000 @@ -144,8 +144,8 @@ Running slapd under a Different UID/GID - Tell linux slapd can access configuration files -- usually: - chgrp <group> /etc/ldap/slapd.conf - chmod 0640 /etc/ldap/slapd.conf + chgrp -R <group> /etc/ldap/slapd.d + chmod -R g+rX /etc/ldap/slapd.d - Tell linux slapd can access /var/run/slapd and write a PID file: @@ -279,3 +279,14 @@ Unsafe access control rule installed by slapd.access(5) man page. -- Ryan Tandy <ryan@nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700 + +Apparmor Profile +---------------- + + If your system uses AppArmor, please note that the shipped enforcing profile + works with the default installation, and changes in your configuration may + require changes to the installed apparmor profile. Please see + https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this + software. + + -- Jamie Strandboge <jamie@ubuntu.com>, Mon, 4 Feb 2008 21:18:21 -0500
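
    Review bot: The replacement commands in the "Running slapd under a Different UID/GID" hunk no longer restrict access for other users: the old `chmod 0640` set the complete mode, while `chmod -R g+rX /etc/ldap/slapd.d` only adds group bits and leaves any existing world permissions in place. The cn=config tree can hold olcRootPW values (the apport hook in this upload scrubs them for that reason), so suggest `chmod -R g+rX,o-rwx /etc/ldap/slapd.d`. In the second hunk the heading is spelled "Apparmor Profile" while the paragraph below uses "AppArmor".
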
  7. Download patch debian/slapd.default

    --- 2.4.48+dfsg-1/debian/slapd.default 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.default 2019-07-31 21:01:14.000000000 +0000 @@ -12,7 +12,7 @@ SLAPD_USER="openldap" SLAPD_GROUP="openldap" # Path to the pid file of the slapd server. If not set the init.d script -# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by # default) SLAPD_PIDFILE=
  8. Download patch debian/configure.options

    --- 2.4.48+dfsg-1/debian/configure.options 2019-07-24 00:45:43.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/configure.options 2019-07-31 21:01:14.000000000 +0000 @@ -175,6 +175,7 @@ # --with-fetch with fetch(3) URL support [auto] # --with-threads with threads [auto] --with-threads +--with-gssapi # --with-tls with TLS/SSL support auto|openssl|gnutls|moznss [auto] --with-tls=gnutls # --with-yielding-select with implicitly yielding select [auto]
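
    Review bot: `--with-gssapi` is added without the commented help line that the neighbouring options carry (for example `# --with-threads with threads [auto]` directly above it); add a matching `# --with-gssapi ...` comment line so the file keeps documenting each switch it enables.
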
  9. Download patch debian/control

    --- 2.4.48+dfsg-1/debian/control 2019-07-25 00:14:43.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/control 2019-07-31 21:01:14.000000000 +0000 @@ -1,20 +1,23 @@ Source: openldap Section: net Priority: optional -Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> Uploaders: Steve Langasek <vorlon@debian.org>, Torsten Landschoff <torsten@debian.org>, Ryan Tandy <ryan@nardis.ca> Build-Depends: debhelper (>= 10), + dh-apparmor, dpkg-dev (>= 1.17.14), groff-base, - heimdal-multidev (>= 7.4.0.dfsg.1-1~) <!stage1>, + heimdal-dev (>= 7.4.0.dfsg.1-1~) <!stage1>, libdb5.3-dev <!stage1>, libgnutls28-dev, libltdl-dev <!stage1>, libperl-dev (>= 5.8.0) <!stage1>, libsasl2-dev, libwrap0-dev <!stage1>, + lsb-release, nettle-dev <!stage1>, perl:any, po-debconf, @@ -34,7 +37,7 @@ Depends: ${shlibs:Depends}, libldap-2.4- coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base (>= 3.2-13), ${misc:Depends} Recommends: libsasl2-modules -Suggests: ldap-utils, +Suggests: ldap-utils, ufw, libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal Conflicts: umich-ldapd, ldap-server, libltdl3 (= 1.5.4-1) Replaces: libldap2, ldap-utils (<< 2.2.23-3)
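
    Review bot: `dh-apparmor` is added to Build-Depends unconditionally, but debian/rules in this upload only calls `dh_apparmor` inside the `ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),)` block, so it can take the same `<!stage1>` restriction as `heimdal-dev` and the other dependencies that are only needed when slapd is built.
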
  10. Download patch debian/slapd.install

    --- 2.4.48+dfsg-1/debian/slapd.install 2019-07-25 00:14:43.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.install 2019-07-31 21:01:14.000000000 +0000 @@ -56,5 +56,7 @@ usr/lib/ldap/autogroup.so* usr/lib/ldap/autogroup.la usr/lib/ldap/lastbind.so* usr/lib/ldap/lastbind.la +usr/lib/ldap/nssov.so* +usr/lib/ldap/nssov.la usr/lib/ldap/pw-sha2.so* usr/lib/ldap/pw-sha2.la
  11. Download patch debian/slapd.manpages

    --- 2.4.48+dfsg-1/debian/slapd.manpages 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.manpages 2019-07-31 21:01:14.000000000 +0000 @@ -43,3 +43,4 @@ debian/tmp/usr/share/man/man5/slapo-vals # contrib modules installed in main package debian/tmp/usr/share/man/man5/slapo-lastbind.5 +contrib/slapd-modules/nssov/slapo-nssov.5
  12. Download patch debian/patches/series

    --- 2.4.48+dfsg-1/debian/patches/series 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/patches/series 2019-07-31 21:01:14.000000000 +0000 @@ -7,6 +7,7 @@ index-files-created-as-root sasl-default-path libldap-symbol-versions getaddrinfo-is-threadsafe +gssapi.diff do-not-second-guess-sonames contrib-makefiles smbk5pwd-makefile-manpage @@ -20,3 +21,4 @@ no-bdb-ABI-second-guessing ITS6035-olcauthzregex-needs-restart.patch set-maintainer-name no-gnutls_global_set_mutex +fix-ldap-distribution.patch
  13. Download patch debian/patches/gssapi.diff

    --- 2.4.48+dfsg-1/debian/patches/gssapi.diff 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/patches/gssapi.diff 2019-07-31 21:01:14.000000000 +0000 
@@ -0,0 +1,167 @@ +Index: openldap-2.4.23/configure.in +=================================================================== +--- openldap-2.4.23.orig/configure.in 2010-07-28 11:20:57.054712043 -0400 ++++ openldap-2.4.23/configure.in 2010-07-28 11:21:15.542403952 -0400 +@@ -242,6 +242,8 @@ + auto, [auto yes no] ) + OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support], + auto, [auto yes no] ) ++OL_ARG_WITH(gssapi,[ --with-gssapi with GSSAPI support], ++ auto, [auto yes no] ) + OL_ARG_WITH(threads,[ --with-threads with threads], + auto, [auto nt posix mach pth lwp yes no manual] ) + OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls|moznss], +@@ -584,6 +586,7 @@ + KRB4_LIBS= + KRB5_LIBS= + SASL_LIBS= ++GSSAPI_LIBS= + TLS_LIBS= + MODULES_LIBS= + SLAPI_LIBS= +@@ -1148,6 +1151,63 @@ + fi + + dnl ---------------------------------------------------------------- ++dnl GSSAPI ++ol_link_gssapi=no ++ ++case $ol_with_gssapi in yes | auto) ++ ++ ol_header_gssapi=no ++ AC_CHECK_HEADERS(gssapi/gssapi.h) ++ if test $ac_cv_header_gssapi_gssapi_h = yes ; then ++ ol_header_gssapi=yes ++ else ++ AC_CHECK_HEADERS(gssapi.h) ++ if test $ac_cv_header_gssapi_h = yes ; then ++ ol_header_gssapi=yes ++ fi ++ ++ dnl## not every gssapi has gss_oid_to_str() ++ dnl## as it's not defined in the GSSAPI V2 API ++ dnl## anymore ++ saveLIBS="$LIBS" ++ LIBS="$LIBS $GSSAPI_LIBS" ++ AC_CHECK_FUNCS(gss_oid_to_str) ++ LIBS="$saveLIBS" ++ fi ++ ++ if test $ol_header_gssapi = yes ; then ++ dnl## we check for gss_wrap ++ dnl## as it's new to the GSSAPI V2 API ++ AC_CHECK_LIB(gssapi, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"], ++ [ol_link_gssapi=no]) ++ if test $ol_link_gssapi != yes ; then ++ AC_CHECK_LIB(gssapi_krb5, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"], ++ [ol_link_gssapi=no]) ++ fi ++ if test $ol_link_gssapi != yes ; then ++ AC_CHECK_LIB(gss, gss_wrap, ++ [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"], ++ [ol_link_gssapi=no]) ++ fi ++ fi ++ ++ ;; 
++esac ++ ++WITH_GSSAPI=no ++if test $ol_link_gssapi = yes; then ++ AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI]) ++ WITH_GSSAPI=yes ++elif test $ol_with_gssapi = auto ; then ++ AC_MSG_WARN([Could not locate GSSAPI package]) ++ AC_MSG_WARN([GSSAPI authentication not supported!]) ++elif test $ol_with_gssapi = yes ; then ++ AC_MSG_ERROR([GSSAPI detection failed]) ++fi ++ ++dnl ---------------------------------------------------------------- + dnl TLS/SSL + + if test $ol_with_tls = yes ; then +@@ -1902,6 +1962,13 @@ + fi + AC_SUBST(VERSION_OPTION) + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +@@ -3112,6 +3179,7 @@ + AC_SUBST(KRB4_LIBS) + AC_SUBST(KRB5_LIBS) + AC_SUBST(SASL_LIBS) ++AC_SUBST(GSSAPI_LIBS) + AC_SUBST(TLS_LIBS) + AC_SUBST(MODULES_LIBS) + AC_SUBST(SLAPI_LIBS) +Index: openldap-2.4.23/include/ldap.h +=================================================================== +--- openldap-2.4.23.orig/include/ldap.h 2010-07-28 11:20:37.000000000 -0400 ++++ openldap-2.4.23/include/ldap.h 2010-07-28 11:21:15.542403952 -0400 +@@ -1216,6 +1216,16 @@ + struct berval **servercredp, + int freeit )); + ++/* ++ * in gssapi.c: ++ */ ++LDAP_F( int ) ++ldap_gssapi_bind_s LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ LDAP_CONST char *creds)); ++ ++ + #if LDAP_DEPRECATED + /* + * in bind.c: +Index: openldap-2.4.23/include/portable.hin +=================================================================== +--- openldap-2.4.23.orig/include/portable.hin 2010-04-19 15:22:30.000000000 -0400 ++++ openldap-2.4.23/include/portable.hin 2010-07-28 11:21:15.542403952 -0400 +@@ -253,6 +253,18 @@ + /* Define to 1 if you have the <grp.h> header file. 
*/ + #undef HAVE_GRP_H + ++/* define if you have GSSAPI */ ++#undef HAVE_GSSAPI ++ ++/* Define to 1 if you have the <gssapi/gssapi.h> header file. */ ++#undef HAVE_GSSAPI_GSSAPI_H ++ ++/* Define to 1 if you have the <gssapi.h> header file. */ ++#undef HAVE_GSSAPI_H ++ ++/* Define to 1 if you have the `gss_oid_to_str' function. */ ++#undef HAVE_GSS_OID_TO_STR ++ + /* Define to 1 if you have the `hstrerror' function. */ + #undef HAVE_HSTRERROR + +Index: openldap-2.4.23/build/top.mk +=================================================================== +--- openldap-2.4.23.orig/build/top.mk 2010-07-28 11:20:57.000000000 -0400 ++++ openldap-2.4.23/build/top.mk 2010-07-28 11:21:15.542403952 -0400 +@@ -190,9 +190,10 @@ + KRB5_LIBS = @KRB5_LIBS@ + KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@ + SASL_LIBS = @SASL_LIBS@ ++GSSAPI_LIBS = @GSSAPI_LIBS@ + TLS_LIBS = @TLS_LIBS@ + AUTH_LIBS = @AUTH_LIBS@ +-SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS) ++SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS) + ICU_LIBS = @ICU_LIBS@ + + MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
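
    Review bot: In the configure.in GSSAPI hunk, `AC_CHECK_FUNCS(gss_oid_to_str)` sits inside the `else` branch, so it is skipped whenever `gssapi/gssapi.h` is found, and where it does run `GSSAPI_LIBS` is still empty because the `AC_CHECK_LIB` probes that set it come afterwards; move the check below the library detection and out of the header fallback. The hunk at -1902 adds a `VERSION_OPTION=""` / `OL_SYMBOL_VERSIONING` / `AC_SUBST(VERSION_OPTION)` block directly beneath an existing `AC_SUBST(VERSION_OPTION)`, which looks like a duplicated block unrelated to GSSAPI. include/ldap.h declares `ldap_gssapi_bind_s` as living "in gssapi.c", yet none of the four files this patch touches is a gssapi.c, so the patch header should say where the definition comes from.
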
  14. Download patch debian/libldap-2.4-2.symbols

    --- 2.4.48+dfsg-1/debian/libldap-2.4-2.symbols 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/libldap-2.4-2.symbols 2019-07-31 21:01:14.000000000 +0000 @@ -118,6 +118,7 @@ liblber-2.4.so.2 libldap-2.4-2 #MINVER# ber_sockbuf_io_fd@OPENLDAP_2.4_2 2.4.7 ber_sockbuf_io_readahead@OPENLDAP_2.4_2 2.4.7 ber_sockbuf_io_tcp@OPENLDAP_2.4_2 2.4.7 + ber_sockbuf_io_udp@OPENLDAP_2.4_2 2.4.17-1ubuntu2 ber_sockbuf_remove_io@OPENLDAP_2.4_2 2.4.7 ber_sos_dump@OPENLDAP_2.4_2 2.4.7 ber_start@OPENLDAP_2.4_2 2.4.7 @@ -280,6 +281,11 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER ldap_int_flush_request@OPENLDAP_2.4_2 2.4.7 ldap_int_global_options@OPENLDAP_2.4_2 2.4.7 ldap_int_gmtime_mutex@OPENLDAP_2.4_2 2.4.23 + ldap_int_gssapi_close@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_config@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_get_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_mutex@OPENLDAP_2.4_2 2.4.18-0ubuntu2 + ldap_int_gssapi_set_option@OPENLDAP_2.4_2 2.4.18-0ubuntu2 ldap_int_hostname@OPENLDAP_2.4_2 2.4.7 ldap_int_hostname_mutex@OPENLDAP_2.4_2 2.4.39 ldap_int_inet4or6@OPENLDAP_2.4_2 2.4.7 @@ -312,6 +318,7 @@ libldap_r-2.4.so.2 libldap-2.4-2 #MINVER ldap_int_tls_start@OPENLDAP_2.4_2 2.4.7 ldap_int_utils_init@OPENLDAP_2.4_2 2.4.7 ldap_is_ldap_url@OPENLDAP_2.4_2 2.4.7 + ldap_is_ldapc_url@OPENLDAP_2.4_2 2.4.17-1ubuntu2 ldap_is_ldapi_url@OPENLDAP_2.4_2 2.4.7 ldap_is_ldaps_url@OPENLDAP_2.4_2 2.4.7 ldap_is_read_ready@OPENLDAP_2.4_2 2.4.7
  15. Download patch debian/slapd.ufw.profile

    --- 2.4.48+dfsg-1/debian/slapd.ufw.profile 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.ufw.profile 2019-07-31 21:01:14.000000000 +0000 @@ -0,0 +1,9 @@ +[OpenLDAP LDAP] +title=OpenLDAP with TLS +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=389/tcp + +[OpenLDAP LDAPS] +title=OpenLDAP over SSL +description=OpenLDAP is a free, fast, lightweight LDAP server +ports=636/tcp
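
    Review bot: The `[OpenLDAP LDAP]` section is titled "OpenLDAP with TLS" but opens `389/tcp`, which carries cleartext LDAP unless the client negotiates StartTLS; retitle it so an administrator enabling the profile is not led to assume the port is always encrypted. Both sections also share the same `description=` text, so only the title distinguishes them.
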
  16. Download patch debian/slapd.init.ldif

    --- 2.4.48+dfsg-1/debian/slapd.init.ldif 2019-07-24 00:45:44.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.init.ldif 2019-07-31 21:01:14.000000000 +0000 @@ -32,7 +32,6 @@ objectClass: olcDatabaseConfig olcDatabase: config # Allow unlimited access to local connection from the local root user olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break -olcRootDN: cn=admin,cn=config # Load schemas dn: cn=schema,cn=config
  17. Download patch debian/slapd.py

    --- 2.4.48+dfsg-1/debian/slapd.py 1970-01-01 00:00:00.000000000 +0000 +++ 2.4.48+dfsg-1ubuntu3/debian/slapd.py 2019-07-31 21:01:14.000000000 +0000 @@ -0,0 +1,51 @@ +#!/usr/bin/python + +'''apport hook for slapd + +(c) 2010 Adam Sommer. +Author: Adam Sommer <asommer@ubuntu.com> + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import os + +# Scrub olcRootPW attribute and credentials strings if necessary. +def scrub_pass_strings(config): + olcrootpw_regex = re.compile('olcRootPW:.*') + olcrootpw_string = olcrootpw_regex.search(config) + if olcrootpw_string: + config = config.replace(olcrootpw_string.group(0), 'olcRootPW: @@APPORTREPLACED@@') + + credentials_regex = re.compile('credentials=.* ') + credentials_string = credentials_regex.search(config) + if credentials_string: + config = config.replace(credentials_string.group(0), 'credentials=@@APPORTREPLACED@@ ') + + return config + +def add_info(report, ui): + response = ui.yesno("The contents of your /etc/ldap/slapd.d directory " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + + elif response == True: + # Get the cn=config tree. + cn_config = root_command_output(['/usr/bin/ldapsearch', '-Q', '-LLL', '-Y EXTERNAL', '-H ldapi:///', '-b cn=config']) + report['CNConfig'] = scrub_pass_strings(cn_config) + + # Get slapd messages from /var/log/syslog + slapd_re = re.compile('slapd', re.IGNORECASE) + report['SysLog'] = recent_syslog(slapd_re) + + attach_mac_events(report, '/usr/sbin/slapd')
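
    Review bot: `scrub_pass_strings` redacts only the first secret it finds: `olcrootpw_regex.search(config)` returns the first match and `config.replace(...)` then replaces that exact string, so a second database whose `olcRootPW` has a different value is attached to the bug report unredacted, and the same holds for a second `credentials=` string. Substitute over every match instead, for example `re.sub(r'(?m)^olcRootPW:.*$', 'olcRootPW: @@APPORTREPLACED@@', config)`. The `'credentials=.* '` pattern is also greedy up to the last space on the line and does not match a value that ends the line. In `add_info`, `'-Y EXTERNAL'`, `'-H ldapi:///'` and `'-b cn=config'` each pass an option and its argument as one list element with an embedded space; split them into separate elements.
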