Hello community,

here is the log from the commit of package openldap2 for openSUSE:Factory 
checked in at 2021-09-05 08:45:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old)
 and      /work/SRC/openSUSE:Factory/.openldap2.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openldap2"

Sun Sep  5 08:45:43 2021 rev:169 rq: version:unknown

Changes:
--------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes      2021-09-03 
21:25:43.758149060 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new.1899/openldap2.changes    
2021-09-05 08:45:44.972186056 +0200
@@ -2,58 +1,0 @@
-Tue Aug 24 13:04:36 UTC 2021 - Philipp Wagner <m...@philipp-wagner.com>
-
-- Update to upstream version 2.5.7
-       Fixed lloadd client state tracking (ITS#9624)
-       Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611)
-       Fixed slapd-ldif duplicate controls response (ITS#9497)
-       Fixed slapd-mdb multival crash when attribute is missing an equality 
matchingrule (ITS#9621)
-       Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958)
-       Fixed slapd-mdb idlexp maximum size handling (ITS#9637)
-       Fixed slapd-monitor number of ops executing with asynchronous backends 
(ITS#9628)
-       Fixed slapd-sql to add support for ppolicy attributes (ITS#9629)
-       Fixed slapd-sql to close transactions after bind and search (ITS#9630)
-       Fixed slapo-accesslog to make reqMod optional (ITS#9569)
-       Fixed slapo-ppolicy logging when pwdChangedTime attribute is not 
present (ITS#9625)
-       Documentation
-               slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637)
-               slapo-accesslog(5) note that reqMod is optional (ITS#9569)
-               Add ldapvc(1) man page (ITS#9549)
-               Add guide section on load balancer (ITS#9443)
-               Updated guide to document multiprovider as replacement for 
mirrormode (ITS#9200)
-               Updated guide to clarify slapd-mdb upgrade requirements 
(ITS#9200)
-               Updated guide to document removal of deprecated options from 
client tools (ITS#9200)
-
--------------------------------------------------------------------
-Fri Jul 30 13:30:05 UTC 2021 - Philipp Wagner <m...@philipp-wagner.com>
-
-- Major version update to 2.5.6
-  See https://www.openldap.org/software/release/announce.html for a list of
-  changes.
-- The threaded version of the OpenLDAP libraries, libldap_r, has been merged
-  with libldap with 2.5. Removed all related downstream changes, including the
-  openldap-r-only.dif patch.
-  Introduce a new compatibility symlink in the other direction: libldap_r
-  pointing to libldap.
-- Removed the ppolicy-check-password module. It is unmaintained and does not
-  build any more. As part of that also remove the patch
-  patch 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch, which
-  is applied to this module.
-- Removed patch 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
-  Fixed upstream in 2.5 (ITS#8866)
-- Updated patch 0005-pie-compile.dif
-  Removed the hunks on back-bdb and back-hdb, which are retired backends in 
2.5.
-- Removed patch 0007-Recover-on-DB-version-change.dif
-  The back-bdb backend was retired.
-- Removed patch 0011-openldap-re24-its7796.patch
-  Fixed upstream in 2.5 (ITS#7796)
-- Remove non-existant configure arguments:
-  --enable-rewrite, --enable-monitor, --enable-lmpasswd
-- Add the --enable-dynacl configure option, which is required for --enable-aci
-- Add the --with-argon2 configure option and remove it from the contrib
-  modules, since it is now official (ITS#9453).
-- Pass mandir to smbk5pwd to ensure the man page ends up in /usr/share.
-- Include the new overlays in libdir/openldap in the packages.
-- Add the pkgconfig files to the devel package.
-- Remove compat macro for _fillupdir, which was introduced in Nov 2017 and
-  should be widely available now.
-
--------------------------------------------------------------------
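Review bot: openldap2.changes gets no entry for the return to 2.4.59. The 2.5.7 and 2.5.6 entries are deleted here and the only line added to the file is a blank one, so the reason for the downgrade and for re-adding the dropped patches is recorded nowhere. Add a changelog entry that states why the package goes back to 2.4 and which of the listed 2.5.7 fixes (for example the slapd-mdb multival crash, ITS#9621) users lose as a result.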
@@ -3315,0 +3258 @@
+

Old:
----
  openldap-2.5.7.tgz
  openldap-2.5.7.tgz.asc

New:
----
  0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
  0007-Recover-on-DB-version-change.dif
  0011-openldap-re24-its7796.patch
  0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
  openldap-2.4.59.tgz
  openldap-2.4.59.tgz.asc
  openldap-r-only.dif
  ppolicy-check-password-1.2.tar.gz
  ppolicy-check-password.5
  ppolicy-check-password.Makefile
  ppolicy-check-password.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openldap2.spec ++++++
--- /var/tmp/diff_new_pack.Zgm5Z6/_old  2021-09-05 08:45:45.888187094 +0200
+++ /var/tmp/diff_new_pack.Zgm5Z6/_new  2021-09-05 08:45:45.888187094 +0200
@@ -16,8 +16,16 @@
 #
 
 
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
 %define run_test_suite 0
-%define version_main 2.5.7
+%define version_main 2.4.59
+%define name_ppolicy_check_module ppolicy-check-password
+%define version_ppolicy_check_module 1.2
+%define ppolicy_docdir 
%{_docdir}/openldap-%{name_ppolicy_check_module}-%{version_ppolicy_check_module}
 %define slapdrundir %{_rundir}/slapd
 
 Name:           openldap2
@@ -46,10 +54,19 @@
 Source22:       update-crc.sh
 Source23:       slapd.conf
 Source24:       slapd.conf.olctemplate
+Patch1:         0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
 Patch3:         0003-LDAPI-socket-location.dif
 Patch5:         0005-pie-compile.dif
+Patch7:         0007-Recover-on-DB-version-change.dif
 Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+Patch11:        0011-openldap-re24-its7796.patch
+Patch15:        openldap-r-only.dif
 Patch16:        0016-Clear-shared-key-only-in-close-function.patch
+Source200:      
%{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
+Source201:      %{name_ppolicy_check_module}.Makefile
+Source202:      %{name_ppolicy_check_module}.conf
+Source203:      %{name_ppolicy_check_module}.5
+Patch200:       0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  cyrus-sasl-devel
@@ -68,7 +85,7 @@
 %{?systemd_requires}
 %endif
 Requires:       /usr/bin/awk
-Requires:       libldap-2_5-0 = %{version_main}
+Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl
 Conflicts:      openldap
 PreReq:         %fillup_prereq
@@ -146,6 +163,7 @@
 denyop
 lastbind      writes last bind timestamp to entry
 noopsrch      handles no-op search control
+pw-argon2     generates/validates Argon2 password hashes
 pw-sha2       generates/validates SHA-2 password hashes
 pw-pbkdf2     generates/validates PBKDF2 password hashes
 smbk5pwd      generates Samba3 password hashes (heimdal krb disabled)
@@ -163,7 +181,7 @@
 %package client
 Summary:        OpenLDAP client utilities
 Group:          Productivity/Networking/LDAP/Clients
-Requires:       libldap-2_5-0 = %{version_main}
+Requires:       libldap-2_4-2 = %{version_main}
 
 %description client
 OpenLDAP client utilities such as ldapadd, ldapsearch, ldapmodify.
@@ -177,7 +195,7 @@
 %endif
 #
 Conflicts:      openldap-devel
-Requires:       libldap-2_5-0 = %{version_main}
+Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl-devel
 
 %description devel
@@ -195,23 +213,55 @@
 This package provides the static versions of the OpenLDAP libraries
 for development.
 
-%package      -n libldap-2_5-0
+%package      -n libldap-2_4-2
 Summary:        OpenLDAP Client Libraries
 Group:          Productivity/Networking/LDAP/Clients
 Recommends:     libldap-data >= %{version_main}
 
-%description -n libldap-2_5-0
+%description -n libldap-2_4-2
 This package contains the OpenLDAP client libraries.
 
+%package ppolicy-check-password
+Version:        %{version_ppolicy_check_module}
+Release:        0
+Summary:        Password quality check module for OpenLDAP
+Group:          Productivity/Networking/LDAP/Servers
+URL:            https://github.com/onyxpoint/ppolicy-check-password
+BuildRequires:  cracklib-devel
+Requires:       openldap2 = %version_main
+Recommends:     cracklib
+Recommends:     cracklib-dict-full
+
+%description ppolicy-check-password
+An implementation of password quality check module, based on the original
+work done by LDAP Toolbox Project (https://ltd-project.org), that works
+together with OpenLDAP password policy overlay (ppolicy), to enforce
+password strength policies.
+
 %prep
-# Unpack and patch OpenLDAP 2.5
+# Unpack ppolicy check module
+%setup -b 200 -q -n 
%{name_ppolicy_check_module}-%{version_ppolicy_check_module}
+%patch200 -p1
+cd ..
+# Compress the manual page of ppolicy check module
+gzip -k %{S:203}
+
+# Unpack and patch OpenLDAP 2.4
 %setup -q -a 9 -n openldap-%{version_main}
+%patch1 -p1
 %patch3 -p1
 %patch5 -p1
+%patch7 -p1
 %patch8 -p1
+%patch11 -p1
+%patch15 -p1
 %patch16 -p1
 cp %{SOURCE5} .
 
+# Move ppolicy check module and its Makefile into 
openldap-2.4/contrib/slapd-modules/
+mv ../%{name_ppolicy_check_module}-%{version_ppolicy_check_module} 
contrib/slapd-modules/%{name_ppolicy_check_module}
+cp %{S:201} contrib/slapd-modules/%{name_ppolicy_check_module}/Makefile
+
 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
 export CFLAGS="%{optflags} -Wno-format-extra-args -fno-strict-aliasing 
-DNDEBUG -DSLAP_CONFIG_DELETE -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES 
-DLDAP_USE_NON_BLOCKING_TLS"
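Review bot: The new "%package ppolicy-check-password" block ships a password quality module that the changelog entry deleted in this same commit describes as unmaintained and no longer building. If it has to come back with 2.4, say so in the changelog and name who tracks fixes for it, since it sits in the password change path. Separately, "https://ltd-project.org" in the %description looks like a typo for the LDAP Toolbox Project site (ltb-project.org).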
@@ -231,10 +281,13 @@
         --with-cyrus-sasl \
         --enable-crypt \
         --enable-ipv6=yes \
-        --enable-dynacl \
         --enable-aci \
+        --enable-bdb=mod \
+        --enable-hdb=mod \
+        --enable-rewrite \
         --enable-ldap=mod \
         --enable-meta=mod \
+        --enable-monitor=mod \
         --enable-perl=mod \
         --enable-sock=mod \
         --enable-sql=mod \
@@ -244,19 +297,21 @@
         --enable-overlays=mod \
         --enable-syncprov=mod \
         --enable-ppolicy=mod \
+        --enable-lmpasswd \
         --with-yielding-select \
-        --with-argon2 \
   || cat config.log
 make depend
 make %{?_smp_mflags}
 # Build selected contrib overlays
-for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak 
noopsrch passwd/sha2 passwd/pbkdf2 trace
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak 
noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace
 do
   make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} 
"sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 done
 # slapo-smbk5pwd only for Samba password hashes
 make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} 
"sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" 
"libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
 
+# Build ppolicy-check-password module
+make -C contrib/slapd-modules/%{name_ppolicy_check_module} %{?_smp_mflags} 
"sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 # Create ldap user
 %sysusers_generate_pre %{SOURCE19} ldap
 
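Review bot: "--enable-lmpasswd" at the end of the configure list turns LAN Manager password hash support back on, and LM hashes are a weak legacy scheme. Unless a consumer of this package still needs them, leave the option out even on 2.4, or state the dependency in the changelog. In the same hunk, passwd/argon2 moves back into the contrib loop while "--with-argon2" is dropped, which is consistent with 2.4, so no change needed there.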
@@ -294,12 +349,12 @@
 # Additional symbolic link to slapd executable in /usr/sbin/
 ln -s %{_libdir}/slapd %{buildroot}%{_sbindir}/slapd
 # Install selected contrib overlays
-for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak 
noopsrch passwd/sha2 passwd/pbkdf2 trace
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak 
noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace
 do
   make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" 
"mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" 
"libexecdir=%{_libdir}" install
 done
 # slapo-smbk5pwd only for Samba password hashes
-make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" 
"mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" 
"libexecdir=%{_libdir}" install
+make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" 
"sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" 
"libexecdir=%{_libdir}" install
 install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
 install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{_sysconfdir}/openldap/slapd.d
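Review bot: The smbk5pwd install line loses "mandir=%{_mandir}" while the SLAPO_NAME loop directly above keeps it, so the two contrib installs no longer resolve man page paths the same way. The changelog entry removed in this commit says mandir was passed to smbk5pwd so that its man page ends up in /usr/share; keep the argument unless the 2.4 Makefile has no man page to install, and note that in a comment.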
@@ -307,7 +362,7 @@
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sasl2/slapd.conf
 install -m 755 -d %{buildroot}/var/lib/ldap
 chmod a+x %{buildroot}%{_libdir}/liblber.so*
-chmod a+x %{buildroot}%{_libdir}/libldap.so*
+chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
 install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
 mkdir -p  %{buildroot}%{_tmpfilesdir}/
 install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
@@ -318,6 +373,18 @@
 install -m 755 %{SOURCE20}  ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
 install -m 755 %{SOURCE21}  ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
 
+# Install ppolicy check module
+make -C contrib/slapd-modules/ppolicy-check-password STRIP="" 
DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" 
"libexecdir=%{_libexecdir}" install
+install -m 0644 %{S:202}  
%{buildroot}%{_sysconfdir}/openldap/check_password.conf
+# Install ppolicy check module's doc files
+pushd contrib/slapd-modules/%{name_ppolicy_check_module}
+mkdir -p "%{buildroot}%ppolicy_docdir"
+install -m 0644 README "%{buildroot}%ppolicy_docdir"
+install -m 0644 LICENSE "%{buildroot}%ppolicy_docdir"
+popd
+# Install ppolicy check module's manual page
+install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/
+
 mkdir -p %{buildroot}%{_fillupdir}
 install -m 644 %{SOURCE16} %{buildroot}%{_fillupdir}/sysconfig.openldap
 install -m 644 *.ldif %{buildroot}%{_sysconfdir}/openldap/schema
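Review bot: The ppolicy check module is installed with "libexecdir=%{_libexecdir}", but the build step for the same module passes "libexecdir=%{_libdir}" and the %files section expects the result under %{_libdir}/openldap/. If the module Makefile derives its install path from libexecdir, the shared object lands outside the path that is packaged. Use %{_libdir} here as in the build step, and use %{name_ppolicy_check_module} instead of the hard-coded directory name for consistency with the rest of the spec.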
@@ -334,6 +401,7 @@
 install -d %{buildroot}%{DOCDIR}/adminguide \
            %{buildroot}%{DOCDIR}/images \
            %{buildroot}%{DOCDIR}/drafts
+install -m 644 %{buildroot}/etc/openldap/DB_CONFIG.example 
%{buildroot}%{DOCDIR}/
 install -m 644 doc/guide/admin/* %{buildroot}%{DOCDIR}/adminguide
 install -m 644 doc/guide/images/*.gif %{buildroot}%{DOCDIR}/images
 install -m 644 doc/drafts/* %{buildroot}%{DOCDIR}/drafts
@@ -345,8 +413,10 @@
                %{buildroot}%{DOCDIR}
 install -m 644 servers/slapd/slapd.ldif \
                %{buildroot}%{DOCDIR}/slapd.ldif.default
+rm -f %{buildroot}/etc/openldap/DB_CONFIG.example
 rm -f %{buildroot}/etc/openldap/schema/README
 rm -f %{buildroot}/etc/openldap/slapd.ldif*
+rm -f %{buildroot}%{slapdrundir}/openldap-data/DB_CONFIG.example
 mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
 
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
@@ -359,12 +429,14 @@
 rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
 rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
 # Remove *.la files, libtool does not handle this correct
-# Keep .la files for modules in the openldap subdirectory, which are consumed
-# in this form.
-rm -f  %{buildroot}%{_libdir}/*.la
+rm -f  %{buildroot}%{_libdir}/lib*.la
 
-# Provide a libldap_r for backwards-compatibility with OpenLDAP < 2.5.
-ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
+# Make ldap_r the only copy in the system [rh#1370065].
+# libldap.so is only for `gcc/ld -lldap`. Make no libldap-2.4.so.2.
+rm -f "%{buildroot}%{_libdir}"/libldap-2.4.so*
+ln -fs libldap_r.so "%{buildroot}%{_libdir}/libldap.so"
+gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
+       -Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}%{_libdir}" -lldap_r
 
 %pre -f ldap.pre
 %service_add_pre slapd.service
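Review bot: The "gcc -shared" line that creates the libldap-2.4.so.2 shim calls the compiler directly and passes neither %{optflags} nor any linker flags from the main build, so this one library is linked without the flags the rest of the package gets. Reuse the build's compiler and flag macros on this line, and add a short comment on why a stub that only pulls in libldap_r is needed, since the removed comment about keeping module .la files is also gone without explanation.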
@@ -374,9 +446,9 @@
 %tmpfiles_create %{name}.conf
 %service_add_post slapd.service
 
-%post -n libldap-2_5-0 -p /sbin/ldconfig
+%post -n libldap-2_4-2 -p /sbin/ldconfig
 
-%postun -n libldap-2_5-0 -p /sbin/ldconfig
+%postun -n libldap-2_4-2 -p /sbin/ldconfig
 
 %preun
 %service_del_preun slapd.service
@@ -402,24 +474,24 @@
 %{_fillupdir}/sysconfig.openldap
 %{_sbindir}/slap*
 %{_sbindir}/rcslapd
+%{_libdir}/openldap/back_bdb*
+%{_libdir}/openldap/back_hdb*
 %{_libdir}/openldap/back_ldap*
 %{_libdir}/openldap/back_mdb*
+%{_libdir}/openldap/back_monitor*
 %{_libdir}/openldap/back_relay*
 %{_libdir}/openldap/accesslog*
 %{_libdir}/openldap/auditlog*
-%{_libdir}/openldap/autoca*
 %{_libdir}/openldap/collect*
 %{_libdir}/openldap/constraint*
 %{_libdir}/openldap/dds*
 %{_libdir}/openldap/deref*
 %{_libdir}/openldap/dyngroup*
 %{_libdir}/openldap/dynlist*
-%{_libdir}/openldap/homedir*
 %{_libdir}/openldap/memberof*
-%{_libdir}/openldap/otp*
 %{_libdir}/openldap/pcache*
-%{_libdir}/openldap/ppolicy*
-%{_libdir}/openldap/remoteauth*
+%{_libdir}/openldap/ppolicy-2.4.*
+%{_libdir}/openldap/ppolicy.*
 %{_libdir}/openldap/refint*
 %{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
@@ -439,20 +511,16 @@
 %dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
 %ghost %attr(0750, ldap, ldap) %{slapdrundir}
 %doc %{_mandir}/man8/sl*
-%doc %{_mandir}/man8/lloadd.*
-%doc %{_mandir}/man5/lloadd.conf.*
 %doc %{_mandir}/man5/slapd.*
-%doc %{_mandir}/man5/slapd-asyncmeta.*
+%doc %{_mandir}/man5/slapd-bdb.*
 %doc %{_mandir}/man5/slapd-config.*
+%doc %{_mandir}/man5/slapd-hdb.*
 %doc %{_mandir}/man5/slapd-ldap.*
 %doc %{_mandir}/man5/slapd-ldif.*
 %doc %{_mandir}/man5/slapd-mdb.*
 %doc %{_mandir}/man5/slapd-monitor.*
-%doc %{_mandir}/man5/slapd-pw-*
 %doc %{_mandir}/man5/slapd-relay.*
-%doc %{_mandir}/man5/slapd-wt.*
 %doc %{_mandir}/man5/slapo-*
-%doc %{_mandir}/man5/slappw-argon2.*
 %dir %{DOCDIR}
 %doc %{DOCDIR}/ANNOUNCEMENT
 %doc %{DOCDIR}/COPYRIGHT
@@ -460,6 +528,7 @@
 %doc %{DOCDIR}/README*
 %doc %{DOCDIR}/CHANGES
 %doc %{DOCDIR}/slapd.ldif.default
+%doc %{DOCDIR}/DB_CONFIG.example
 
 %files back-perl
 %defattr(-,root,root)
@@ -505,12 +574,14 @@
 %{_libdir}/openldap/autogroup.*
 %{_libdir}/openldap/lastbind.*
 %{_libdir}/openldap/noopsrch.*
+%{_libdir}/openldap/pw-argon2.*
 %{_libdir}/openldap/pw-sha2.*
 %{_libdir}/openldap/pw-pbkdf2.*
 %{_libdir}/openldap/denyop.*
 %{_libdir}/openldap/cloak.*
 %{_libdir}/openldap/smbk5pwd.*
 %{_libdir}/openldap/trace.*
+%doc %{_mandir}/man5/slapd-pw-argon2.*
 
 %files client
 %defattr(-,root,root)
@@ -527,13 +598,12 @@
 /usr/bin/ldapsearch
 /usr/bin/ldappasswd
 /usr/bin/ldapurl
-/usr/bin/ldapvc
 /usr/bin/ldapwhoami
 
-%files -n libldap-2_5-0
+%files -n libldap-2_4-2
 %defattr(-,root,root)
-%{_libdir}/liblber*2.5.so.*
-%{_libdir}/libldap*2.5.so.*
+%{_libdir}/liblber*2.4.so.*
+%{_libdir}/libldap*2.4.so.*
 
 %files devel
 %defattr(-,root,root)
@@ -544,11 +614,17 @@
 %{_includedir}/*.h
 %{_libdir}/liblber.so
 %{_libdir}/libldap*.so
-%{_libdir}/pkgconfig/*.pc
 
 %files devel-static
 %defattr(-,root,root)
 %_libdir/liblber.a
 %_libdir/libldap*.a
 
+%files ppolicy-check-password
+%defattr(-,root,root)
+%doc %{ppolicy_docdir}/
+%config(noreplace) /etc/openldap/check_password.conf
+%{_libdir}/openldap/ppolicy-check-password.*
+%{_mandir}/man5/ppolicy-check-password.*
+
 %changelog

++++++ 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch ++++++
>From 348588561c694784a8106871b0d5fe578007ea4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?= <mich...@stroeder.com>
Date: Fri, 26 Oct 2018 16:40:23 +0200
Subject: [PATCH] ITS#8866 slapo-unique to return filter used in diagnostic
 message

---
 servers/slapd/overlays/unique.c | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
index ed62d03b8..a7723cf5d 100644
--- a/servers/slapd/overlays/unique.c
+++ b/servers/slapd/overlays/unique.c
@@ -965,6 +965,8 @@ unique_search(
        slap_callback cb = { NULL, NULL, NULL, NULL }; /* XXX */
        unique_counter uq = { NULL, 0 };
        int rc;
+       char *errmsg;
+       int errmsgsize;
 
        Debug(LDAP_DEBUG_TRACE, "==> unique_search %s\n", key->bv_val, 0, 0);
 
@@ -998,24 +1000,29 @@ unique_search(
        nop->o_bd = on->on_info->oi_origdb;
        rc = nop->o_bd->be_search(nop, &nrs);
        filter_free_x(nop, nop->ors_filter, 1);
-       op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
 
        if(rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) {
                op->o_bd->bd_info = (BackendInfo *) on->on_info;
                send_ldap_error(op, rs, rc, "unique_search failed");
-               return(rs->sr_err);
-       }
-
-       Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", 
uq.count, 0, 0);
+               rc = rs->sr_err;
+       } else if(uq.count) {
+               Debug(LDAP_DEBUG_TRACE, "=> unique_search found %d records\n", 
uq.count, 0, 0);
 
-       if(uq.count) {
+               errmsgsize = sizeof("non-unique attributes found with ") + 
key->bv_len;
+               errmsg = op->o_tmpalloc(errmsgsize, op->o_tmpmemctx);
+               snprintf( errmsg, errmsgsize, "non-unique attributes found with 
%s", key->bv_val );
                op->o_bd->bd_info = (BackendInfo *) on->on_info;
-               send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION,
-                       "some attributes not unique");
-               return(rs->sr_err);
+               send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, errmsg);
+               op->o_tmpfree(errmsg, op->o_tmpmemctx);
+               rc = rs->sr_err;
+       } else {
+               Debug(LDAP_DEBUG_TRACE, "=> unique_search found no records\n", 
0, 0, 0);
+               rc = SLAP_CB_CONTINUE;
        }
 
-       return(SLAP_CB_CONTINUE);
+       op->o_tmpfree( key->bv_val, op->o_tmpmemctx );
+
+       return(rc);
 }
 
 static int
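Review bot: errmsgsize is declared as int but is assigned "sizeof(...) + key->bv_len", an unsigned size expression, and is then passed as the size argument to op->o_tmpalloc and snprintf. Declare it with the same unsigned size type as the expression to avoid the narrowing conversion. The buffer length itself is right, because sizeof on the literal already counts the terminating NUL. It would also help to mention in the commit message that the diagnostic message returned to the client now contains the full filter string from key->bv_val.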
-- 
2.19.1

++++++ 0005-pie-compile.dif ++++++
--- /var/tmp/diff_new_pack.Zgm5Z6/_old  2021-09-05 08:45:45.936187148 +0200
+++ /var/tmp/diff_new_pack.Zgm5Z6/_new  2021-09-05 08:45:45.940187153 +0200
@@ -5,28 +5,28 @@
 
 
 diff --git a/build/top.mk b/build/top.mk
-index 38ce146d7..d7fee4ec2 100644
+index 633c9a4..c67289d 100644
 --- a/build/top.mk
 +++ b/build/top.mk
-@@ -111,7 +111,7 @@ OL_VERSIONED_SYMBOLS = @OL_VERSIONED_SYMBOLS@
+@@ -107,7 +107,7 @@ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
  LTSTATIC = @LTSTATIC@
-
+ 
  LTLINK   = $(LIBTOOL) --mode=link \
 -      $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
 +      $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
-
+ 
  LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
        $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
-@@ -120,7 +120,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
-       $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(SYMBOL_VERSION_FLAGS)
-
+@@ -116,7 +116,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
+       $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
+ 
  LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
 -      $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
 +      $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
-
+ 
  LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
        $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
-@@ -214,7 +214,7 @@ LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
+@@ -206,7 +206,7 @@ SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ 
@SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LI
  # Our Defaults
  CC = $(AC_CC)
  DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
@@ -34,68 +34,98 @@
 +CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
  LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
  LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
-
+ 
+diff --git a/servers/slapd/back-bdb/Makefile.in 
b/servers/slapd/back-bdb/Makefile.in
+index da7da0c..dcb6d92 100644
+--- a/servers/slapd/back-bdb/Makefile.in
++++ b/servers/slapd/back-bdb/Makefile.in
+@@ -33,6 +33,8 @@ LDAP_LIBDIR= ../../../libraries
+ BUILD_OPT = "--enable-bdb"
+ BUILD_MOD = @BUILD_BDB@
+ 
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(@BUILD_BDB@_DEFS)
+ MOD_LIBS = $(BDB_LIBS)
+diff --git a/servers/slapd/back-hdb/Makefile.in 
b/servers/slapd/back-hdb/Makefile.in
+index 5af828f..6f43f7b 100644
+--- a/servers/slapd/back-hdb/Makefile.in
++++ b/servers/slapd/back-hdb/Makefile.in
+@@ -37,6 +37,8 @@ LDAP_LIBDIR= ../../../libraries
+ BUILD_OPT = "--enable-hdb"
+ BUILD_MOD = @BUILD_HDB@
+ 
++PIE_CFLAGS="-fPIE"
++
+ mod_DEFS = -DSLAPD_IMPORT
+ MOD_DEFS = $(@BUILD_HDB@_DEFS)
+ MOD_LIBS = $(BDB_LIBS)
 diff --git a/servers/slapd/back-ldap/Makefile.in 
b/servers/slapd/back-ldap/Makefile.in
-index 71400ca1b..6427165c6 100644
+index 392d92e..3a0663d 100644
 --- a/servers/slapd/back-ldap/Makefile.in
 +++ b/servers/slapd/back-ldap/Makefile.in
 @@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
  BUILD_OPT = "--enable-ldap"
  BUILD_MOD = @BUILD_LDAP@
-
+ 
 +PIE_CFLAGS="-fPIE"
 +
  mod_DEFS = -DSLAPD_IMPORT
  MOD_DEFS = $(@BUILD_LDAP@_DEFS)
-
+ 
 diff --git a/servers/slapd/back-ldif/Makefile.in 
b/servers/slapd/back-ldif/Makefile.in
-index 225c8dd19..2f07c067b 100644
+index 5e4abc1..1e8c454 100644
 --- a/servers/slapd/back-ldif/Makefile.in
 +++ b/servers/slapd/back-ldif/Makefile.in
 @@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
  BUILD_OPT = "--enable-ldif"
  BUILD_MOD = yes
-
+ 
 +PIE_CFLAGS="-fPIE"
 +
  mod_DEFS = -DSLAPD_IMPORT
  MOD_DEFS = $(yes_DEFS)
-
+ 
 diff --git a/servers/slapd/back-mdb/Makefile.in 
b/servers/slapd/back-mdb/Makefile.in
-index 6d64824da..9bbf8747d 100644
+index 9b01d2a..e37520a 100644
 --- a/servers/slapd/back-mdb/Makefile.in
 +++ b/servers/slapd/back-mdb/Makefile.in
-@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/liblmdb
+@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/libmdb
  BUILD_OPT = "--enable-mdb"
  BUILD_MOD = @BUILD_MDB@
-
+ 
 +PIE_CFLAGS="-fPIE"
 +
  mod_DEFS = -DSLAPD_IMPORT
  MOD_DEFS = $(@BUILD_MDB@_DEFS)
  MOD_LIBS = $(MDB_LIBS)
 diff --git a/servers/slapd/back-monitor/Makefile.in 
b/servers/slapd/back-monitor/Makefile.in
-index 200a1c65c..6b2afffb9 100644
+index 9aecdbc..11c962c 100644
 --- a/servers/slapd/back-monitor/Makefile.in
 +++ b/servers/slapd/back-monitor/Makefile.in
 @@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
  BUILD_OPT = "--enable-monitor"
- BUILD_MOD = yes
-
+ BUILD_MOD = @BUILD_MONITOR@
+ 
 +PIE_CFLAGS="-fPIE"
 +
  mod_DEFS = -DSLAPD_IMPORT
- MOD_DEFS = $(yes_DEFS)
-
+ MOD_DEFS = $(@BUILD_MONITOR@_DEFS)
+ 
 diff --git a/servers/slapd/back-relay/Makefile.in 
b/servers/slapd/back-relay/Makefile.in
-index 71d74a171..60b44afd8 100644
+index 90ea4b3..ff2f429 100644
 --- a/servers/slapd/back-relay/Makefile.in
 +++ b/servers/slapd/back-relay/Makefile.in
 @@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
  BUILD_OPT = "--enable-relay"
  BUILD_MOD = @BUILD_RELAY@
-
+ 
 +PIE_CFLAGS="-fPIE"
 +
  mod_DEFS = -DSLAPD_IMPORT
  MOD_DEFS = $(@BUILD_RELAY@_DEFS)
+ 
+-- 
+1.7.10.4
+

++++++ 0007-Recover-on-DB-version-change.dif ++++++
>From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rha...@suse.de>
Date: Tue, 5 Oct 2010 14:20:22 +0200
Subject: Recover on DB version change

If the libdb Version changed try to recover the database. Note: This will
only succeed if only the format of transaction logs changed.

diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
index ac5a6d5..fea5cb4 100644
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@@ -330,6 +330,13 @@ shm_retry:
        rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
                        flags | do_recover, bdb->bi_dbenv_mode );
 
+       if ( rc == DB_VERSION_MISMATCH ) {
+               Debug( LDAP_DEBUG_ANY,
+                               LDAP_XSTRING(bdb_db_open) ": bdb version change 
detected "
+                               "trying to recover\n", 0, 0, 0 );
+               rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
+                               flags | DB_RECOVER, bdb->bi_dbenv_mode );
+       }
        if ( rc ) {
                /* Regular open failed, probably a missing shm environment.
                 * Start over, do a recovery.
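Review bot: When the retry with DB_RECOVER after DB_VERSION_MISMATCH also fails, control falls into the existing "if ( rc )" branch, whose comment assumes a missing shm environment, so the log will point at the wrong cause. Log the return code of the second open before falling through. The commit message says recovery only succeeds when just the transaction log format changed; since this runs unattended at database open, the Debug message should also tell the operator that the environment is being modified.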
-- 
1.7.10.4

++++++ 0008-In-monitor-backend-do-not-return-Connection0-entries.patch ++++++
--- /var/tmp/diff_new_pack.Zgm5Z6/_old  2021-09-05 08:45:45.956187171 +0200
+++ /var/tmp/diff_new_pack.Zgm5Z6/_new  2021-09-05 08:45:45.956187171 +0200
@@ -9,10 +9,10 @@
  1 file changed, 5 insertions(+)
 
 diff --git a/servers/slapd/back-monitor/conn.c 
b/servers/slapd/back-monitor/conn.c
-index 4d327f243..c4d3c6237 100644
+index c1995b0..2d27738 100644
 --- a/servers/slapd/back-monitor/conn.c
 +++ b/servers/slapd/back-monitor/conn.c
-@@ -456,6 +456,11 @@ monitor_subsys_conn_create(
+@@ -454,6 +454,11 @@ monitor_subsys_conn_create(
                                c != NULL;
                                c = connection_next( c, &connindex ) )
                {
@@ -22,5 +22,8 @@
 +                      }
 +
                        monitor_entry_t         *mp;
+ 
+                       if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE
+-- 
+2.1.4
 
-                       /* ignore outbound for now, nothing to show */

++++++ 0011-openldap-re24-its7796.patch ++++++
diff --git a/servers/slapd/back-bdb/filterindex.c 
b/servers/slapd/back-bdb/filterindex.c
index 71e3ea4..bafef72 100644
--- a/servers/slapd/back-bdb/filterindex.c
+++ b/servers/slapd/back-bdb/filterindex.c
@@ -741,7 +741,7 @@ equality_candidates(
                &db, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= bdb_equality_candidates: (%s) not indexed\n", 
                        ava->aa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
@@ -858,7 +858,7 @@ approx_candidates(
                &db, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= bdb_approx_candidates: (%s) not indexed\n",
                        ava->aa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
@@ -978,7 +978,7 @@ substring_candidates(
                &db, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= bdb_substring_candidates: (%s) not indexed\n",
                        sub->sa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
@@ -1095,7 +1095,7 @@ inequality_candidates(
                &db, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= bdb_inequality_candidates: (%s) not indexed\n", 
                        ava->aa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
diff --git a/servers/slapd/back-mdb/filterindex.c 
b/servers/slapd/back-mdb/filterindex.c
index 58c1cc8..20c58b7 100644
--- a/servers/slapd/back-mdb/filterindex.c
+++ b/servers/slapd/back-mdb/filterindex.c
@@ -709,7 +709,7 @@ equality_candidates(
                &dbi, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= mdb_equality_candidates: (%s) not indexed\n", 
                        ava->aa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
@@ -825,7 +825,7 @@ approx_candidates(
                &dbi, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= mdb_approx_candidates: (%s) not indexed\n",
                        ava->aa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
@@ -944,7 +944,7 @@ substring_candidates(
                &dbi, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= mdb_substring_candidates: (%s) not indexed\n",
                        sub->sa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
@@ -1060,7 +1060,7 @@ inequality_candidates(
                &dbi, &mask, &prefix );
 
        if ( rc == LDAP_INAPPROPRIATE_MATCHING ) {
-               Debug( LDAP_DEBUG_ANY,
+               Debug( LDAP_DEBUG_TRACE,
                        "<= mdb_inequality_candidates: (%s) not indexed\n", 
                        ava->aa_desc->ad_cname.bv_val, 0, 0 );
                return 0;
++++++ 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch ++++++
>From b026c9236e6b11c158e69572a28eb0efb174234b Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohou...@gmail.com>
Date: Wed, 17 Feb 2016 16:10:05 +0100
Subject: [PATCH] Fix incorrect calculation of consecutive number of characters
 in a class, when the input is shorter than 6 chars or consecutive chars
 appear at the beginning of input


diff --git a/check_password.c b/check_password.c
index 0d9f901..acf8eda 100644
--- a/check_password.c
+++ b/check_password.c
@@ -355,18 +355,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry 
*pEntry)
        int min_quality = DEFAULT_QUALITY;
        int use_cracklib = DEFAULT_CRACKLIB;
 
-       /** bail out early as cracklib will reject passwords shorter
-        * than 6 characters
-        */
-
        nLen = strlen (pPasswd);
-       if ( nLen < 6) {
-               mem_len = realloc_error_message(&szErrStr, mem_len,
-                               strlen(PASSWORD_TOO_SHORT_SZ) +
-                               strlen(pEntry->e_name.bv_val) + 1);
-               sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, 
pEntry->e_name.bv_val, nLen);
-               goto fail;
-       }
 
   if (read_config_file() == -1) {
     syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using 
defaults.", CONFIG_FILE);
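Review bot: with the nLen < 6 early exit removed, nothing in this hunk rejects a short or empty password before the class checks run. The deleted comment relied on cracklib refusing anything under 6 characters, but use_cracklib is a configurable value (it is initialised from DEFAULT_CRACKLIB two lines above), so the commit message should say that minimum length is now left to pwdMinLength, and the test file should gain a case for the empty string. PASSWORD_TOO_SHORT_SZ also looks unused after this removal and can go if nothing else references it.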
@@ -392,46 +381,38 @@ check_password (char *pPasswd, char **ppErrStr, Entry 
*pEntry)
    */
 
   if ( max_consecutive_per_class != 0 ) {
-    int consec_chars = 1;
-    char type[10] = "unkown";
-    char prev_type[10] = "unknown";
+    char prev_type = '\0';
+    char this_type = ' ';
+    i = 0;
+    int consec_chars = 0;
     for ( i = 0; i < nLen; i++ ) {
-
       if ( islower(pPasswd[i]) ) {
-        strncpy(type,"lower",10);
+        this_type = 'l';
       }
       else if ( isupper(pPasswd[i]) ) {
-        strncpy(type,"upper",10);
+        this_type = 'u';
       }
       else if ( isdigit(pPasswd[i]) ) {
-        strncpy(type,"digit",10);
+        this_type = 'd';
       }
       else if ( ispunct(pPasswd[i]) ) {
-        strncpy(type,"punct",10);
+        this_type = 'p';
       }
       else {
-        strncpy(type,"unknown",10);
-      }
-
-      if ( consec_chars > max_consecutive_per_class ) {
-                               mem_len = realloc_error_message(&szErrStr, 
mem_len,
-                                               strlen(CONSEC_FAIL_SZ) +
-                                               strlen(pEntry->e_name.bv_val));
-                               sprintf (szErrStr, CONSEC_FAIL_SZ, 
pEntry->e_name.bv_val);
-                               goto fail;
+        this_type = ' ';
       }
-
-      if ( strncmp(type,prev_type,10) == 0 ) {
-        consec_chars++;
+      if (this_type == prev_type) {
+        ++consec_chars;
+      } else if (i > 0) {
+        consec_chars = 0;
       }
-      else {
-        if (strncmp("unknown",prev_type,8) != 0) {
-          consec_chars = 1;
-        }
-        else {
-          consec_chars++;
-        }
-        strncpy(prev_type,type,10);
+      prev_type = this_type;
+      if ( consec_chars >= max_consecutive_per_class ) {
+        mem_len = realloc_error_message(&szErrStr, mem_len,
+          strlen(CONSEC_FAIL_SZ) +
+          strlen(pEntry->e_name.bv_val));
+        sprintf (szErrStr, CONSEC_FAIL_SZ, pEntry->e_name.bv_val);
+        goto fail;
       }
     }
   }
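Review bot: the rejection path in the rewritten loop still sizes the buffer as strlen(CONSEC_FAIL_SZ) + strlen(pEntry->e_name.bv_val) with no byte for the terminator and then calls an unbounded sprintf; that only holds while the format's conversion specifier leaves enough slack, so use snprintf(szErrStr, mem_len, ...) and add the + 1 as the removed PASSWORD_TOO_SHORT_SZ call did. Two smaller points in the same hunk: the new "i = 0;" is redundant because the for statement initialises i, and the islower/isupper/isdigit/ispunct calls take pPasswd[i] as a plain char, which should be cast to unsigned char so bytes above 0x7f are handled portably.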
diff --git a/check_password_test.c b/check_password_test.c
index 626d719..d33bd80 100644
--- a/check_password_test.c
+++ b/check_password_test.c
@@ -90,7 +90,6 @@ void setconf(
 }
 
 int main(void) {
-
   // Empty Config, equiv to:
   // 5,3,1,0,0,0,0
   setconf(-1,-1,-1,-1,-1,-1,-1);
@@ -109,5 +108,16 @@ int main(void) {
   testpass("Test 2.1", "Simp1e", 1);
   testpass("Test 2.2", "SimPle", 1);
   testpass("Test 2.1", "Simp1e!", 0);
+
+  setconf(1,0,0,0,0,0,0);
+  testpass("a", "Ab1,", 0);
+  testpass("a", "AAb1,", 1);
+  testpass("a", "Abb1,", 1);
+
+  setconf(3,0,0,0,0,0,0);
+  testpass("a", "AAAbbb111,,,", 0);
+  testpass("a", "AAAAbbb111,,,,", 1);
+  testpass("a", "AAAbbbb111,,,", 1);
+
   return 0;
 }
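Review bot: all six new testpass calls use the label "a", so a failing case cannot be identified from the output; give each a distinct label in the style of the existing "Test 2.x" lines (where "Test 2.1" is itself already used twice). Since the loop now treats every character outside the four classes as its own type, a case containing a space or a non-ASCII byte would pin that behaviour down, as would a case where the over-long run sits at the very end of the input.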
-- 
2.7.1

++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.Zgm5Z6/_old  2021-09-05 08:45:46.024187248 +0200
+++ /var/tmp/diff_new_pack.Zgm5Z6/_new  2021-09-05 08:45:46.024187248 +0200
@@ -1,6 +1,6 @@
-libldap-2_5-0
+libldap-2_4-2
   provides "openldap2-client-<targettype> = <version>"
   obsoletes "openldap2-client-<targettype> <= <version>"
 openldap2-devel
   requires -openldap2-<targettype>
-  requires "libldap-2_5-0-<targettype> = <version>"
+  requires "libldap-2_4-2-<targettype> = <version>"
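Review bot: the switch from libldap-2_5-0 back to libldap-2_4-2 here carries no obsoletes or conflicts for libldap-2_5-0-<targettype>, so systems that installed the 2.5 library from the previous revision are not addressed by this hunk. Together with the tarball line below (openldap-2.5.7.tgz -> openldap-2.4.59.tgz) this is a version downgrade; the changes file should state that explicitly and say how the 2.5 library package is expected to be replaced.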

++++++ openldap-2.5.7.tgz -> openldap-2.4.59.tgz ++++++
/work/SRC/openSUSE:Factory/openldap2/openldap-2.5.7.tgz 
/work/SRC/openSUSE:Factory/.openldap2.new.1899/openldap-2.4.59.tgz differ: char 
5, line 1

++++++ openldap-r-only.dif ++++++
From: Jan Engelhardt <jeng...@inai.de>
Date: 2017-07-04 13:53:32.386698982 +0200

Build all own programs exclusively with libldap_r and not libldap.

References: http://bugzilla.redhat.com/1370065
References: http://bugzilla.opensuse.org/996551
---
 build/top.mk |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: openldap-2.4.45/build/top.mk
===================================================================
--- openldap-2.4.45.orig/build/top.mk
+++ openldap-2.4.45/build/top.mk
@@ -171,7 +171,7 @@ LDAP_LIBLUNICODE_A = $(LDAP_LIBDIR)/libl
 LDAP_LIBLUTIL_A = $(LDAP_LIBDIR)/liblutil/liblutil.a
 
 LDAP_L = $(LDAP_LIBLUTIL_A) \
-       $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA)
+       $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
 SLAPD_L = $(LDAP_LIBLUNICODE_A) $(LDAP_LIBREWRITE_A) \
        $(LDAP_LIBLUTIL_A) $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
 

++++++ ppolicy-check-password.5 ++++++
.\"/* 
.\" * All rights reserved
.\" * Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
.\" * Authors: Howard Guo <h...@suse.com>
.\" *
.\" * This program is free software; you can redistribute it and/or
.\" * modify it under the terms of the GNU General Public License
.\" * as published by the Free Software Foundation; either version 2
.\" * of the License, or (at your option) any later version.
.\" *
.\" * This program is distributed in the hope that it will be useful,
.\" * but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" * GNU General Public License for more details.
.\" */
.\"
.TH PPOLICY-CHECK-PASSWORD 5 "2016/02/18" "OpenLDAP password quality check"
.SH NAME
ppolicy\-check\-password \- Password quality checker for OpenLDAP ppolicy 
overlay
.SH SYNOPSIS
pwdCheckModule ppolicy-check-password.so
.SH DESCRIPTION
ppolicy\-check\-password is an implementation of password quality check module, 
it can be plugged into OpenLDAP
.BR slapo\-ppolicy (5)
overlay to enforce organisational password strength policies for 
password-change operations.

.SH PREREQUISITES
In order to use the module, you should enable and configure
.BR slapo\-ppolicy (5)
overlay on the OpenLDAP server. You may use the following example to enable 
ppolicy overlay:
.HP 4
Enable ppolicy overlay

To enable ppolicy overlay on the server using static configuration file
.BR slapd.conf (5)
, first enable ppolicy schema by adding line:

.br
include /etc/openldap/schema/ppolicy.schema

and then append the following lines to the database definition in which 
password policy should be enforced:

.br
overlay ppolicy
.br
ppolicy_default "cn=PolicyContainer,dc=my-domain,dc=com"

Save slapd.conf and (re)start OpenLDAP server.

If you use cn=config (online configuration) instead of static configuration 
file, add the schema /etc/openldap/schema/ppolicy.ldif to cn=schema,cn=config, 
then enable ppolicy overlay in olcDatabase.
.LP

.HP 4
Create ppolicy container entry

The ppolicy container entry stores attributes that describe the password policy 
in detail, create the entry with

.BR ldapadd (1)
:

.br
dn: cn=PolicyContainer,dc=my-domain,dc=com
.br
cn: PolicyContainer
.br
objectClass: pwdPolicy
.br
objectClass: person
.br
objectClass: top
.br
pwdAllowUserChange: TRUE
.br
pwdAttribute: userPassword
.br
pwdCheckQuality: 2
.br
pwdExpireWarning: 600
.br
pwdFailureCountInterval: 
.br
pwdGraceAuthNLimit: 5
.br
pwdInHistory: 5
.br
pwdLockout: TRUE
.br
pwdLockoutDuration: 0
.br
pwdMaxAge: 0
.br
pwdMaxFailure: 
.br
pwdMinAge: 0
.br
pwdMinLength: 5
.br
pwdMustChange: FALSE
.br
pwdSafeModify: FALSE
.br
sn: dummy value
.br

The password policy becomes effective immediately, there is no need to restart 
OpenLDAP server.
.LP

.HP 4
Enable ppolicy-check-password.so module

Modify the ppolicy container entry with
.BR ldapmodify (1)
:

.br
dn: cn=PolicyContainer,dc=my-domain,dc=com
.br
changeType: modify
.br
add: objectClass
.br
objectClass: pwdPolicyChecker
.br
\-
.br
add: pwdCheckModule
.br
pwdCheckModule: ppolicy-check-password.so

The password check module becomes effective immediately, there is no need to 
restart OpenLDAP server.
.LP

.SH CONFIGURATION

The password check module reads configuration parameters from
.B /etc/openldap/check_password.conf

Edits made to the configuration file become effective immediately, there is no 
need to restart OpenLDAP server.

List of parameters:
.TP
.BI use_cracklib \ 1|0
CrackLib is a library for checking that a password is not easily crackable, 
making sure that the password is not based on simple patterns or dictionary 
words. If the parameter is set to 1, cracklib will be involved and new 
passwords must pass cracklib quality check in addition to all other policies 
such as min_points
.TP
.BI min_points \ <integer>
The parameter holds an integer value in between 0 and 4. The value denotes 
"quality points" that a password must acquire in order to pass the check. Usage 
of each character class awards one quality point. If the parameeter is set to 
0, the check is disabled.

The character classes are: upper case letters, lower case letters, numeric 
digits, punctuations.
.TP
.BI min_upper \ <integer>
The minimal number of upper case characters a password must contain. If the 
parameter is set to 0, the check is disabled.
.TP
.BI min_lower \ <integer>
The minimal number of lower case characters a password must contain. If the 
parameter is set to 0, the check is disabled.
.TP
.BI min_digit \ <integer>
The minimal number of numeric digit characters a password must contain. If the 
parameter is set to 0, the check is disabled.
.TP
.BI min_punct \ <integer>
The minimal number of punctuation characters a password must contain. If the 
parameter is set to 0, the check is disabled.
.TP
.BI max_consecutive_per_class \ <integer>
The maximum number of characters from each character class that may appear 
consecutively. If the parameter is set to 0, the check is disabled.

.SH USAGE
After the module is enabled, the OpenLDAP server will invoke the password 
checker module on every user password change, the new user password must pass 
all quality checks before it is accepted. If the new password does not pass 
quality checks, the detailed reason will be logged on the OpenLDAP server, and 
the client will receive a Constraint Violation and a generic error message 
"Password fails quality checking policy" \- the lack of details is by design.

If the password change is carried out by RootDN, password checker module will 
not enforce the quality checks, and any password is acceptable.

.SH FILES
.TP
/etc/openldap/check_password.conf
Define the password strength policy.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd (8),
.BR slapo\-ppolicy (5)

.SH ACKNOWLEDGEMENTS
.P
The module was originally authored by LTB-project (ltb\-project.org), and 
further maintained by Onyx Point (onyxpoint.com).
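Review bot: the example policy entry under "Create ppolicy container entry" sets pwdLockout: TRUE but gives pwdMaxFailure and pwdFailureCountInterval no value, which leaves the lockout threshold unspecified for anyone who pastes the entry as shown; put explicit values there. In the min_points paragraph "parameeter" should read "parameter". The USAGE statement that changes made by RootDN skip all quality checks is the one path where none of the listed parameters apply, so it deserves a pointer from the CONFIGURATION section as well.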
++++++ ppolicy-check-password.Makefile ++++++
LDAP_SRC = ../../..
LDAP_BUILD = $(LDAP_SRC)
LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include 
-I$(LDAP_SRC)/servers/slapd
LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
        $(LDAP_BUILD)/libraries/liblber/liblber.la

LIBTOOL = $(LDAP_BUILD)/libtool
CC = gcc
OPT = -g -O2 -Wall -fpic -DHAVE_CRACKLIB 
-DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" 
-DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -lcrack
INCS = $(LDAP_INC)
LIBS = $(LDAP_LIB)

PROGRAMS = ppolicy-check-password.la
LTVER = 0:0:0

prefix=/usr/local
exec_prefix=$(prefix)
ldap_subdir=/openldap

libdir=$(exec_prefix)/lib64
libexecdir=$(exec_prefix)/libexec
moduledir=$(libdir)$(ldap_subdir)

.SUFFIXES: .c .o .lo

.c.lo:
        $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<

all:            $(PROGRAMS)

ppolicy-check-password.la:      check_password.lo
        $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
        -rpath $(moduledir) -module -o $@ $? $(LIBS)

clean:
        rm -rf *.o *.lo *.la .libs

install:        $(PROGRAMS)
        mkdir -p $(DESTDIR)$(moduledir)
        for p in $(PROGRAMS) ; do \
                $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
        done
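Review bot: OPT is hard-coded to "-g -O2 -Wall -fpic", so the module is built without the distribution's optimisation and hardening flags unless the spec overrides OPT on the make command line; for code that formats into reallocated buffers with sprintf it is worth making that explicit, for example by appending $(CFLAGS) in the .c.lo rule. -lcrack also sits in OPT, which puts it on the compile line where it does nothing and ahead of check_password.lo on the link line; moving it to LIBS keeps it after the object that needs it. The link rule uses $? where $^ is the usual choice for "all prerequisites".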

++++++ ppolicy-check-password.conf ++++++
use_cracklib 1
min_points 3
min_upper 0
min_lower 0
min_digit 0
min_punct 0
max_consecutive_per_class 5
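
Added example (not part of the package or of the original mail): a stand-alone C illustration of the min_points and max_consecutive_per_class rules as the man page above words them, checked against the shipped defaults (3 and 5). The function names are hypothetical, cracklib and the min_upper/min_lower/min_digit/min_punct counters are not modelled, and it assumes that a byte outside the four classes earns no point and breaks a run, whereas the patched check_password.c tracks such bytes as a type of their own.

```c
#include <ctype.h>
#include <stdio.h>

/* Map a byte to one of the four documented classes, or 0 for "no class". */
static char char_class(unsigned char c) {
    if (islower(c)) return 'l';
    if (isupper(c)) return 'u';
    if (isdigit(c)) return 'd';
    if (ispunct(c)) return 'p';
    return 0;
}

/* Quality points: one point per character class that appears (0..4). */
int quality_points(const char *pw) {
    int l = 0, u = 0, d = 0, p = 0;
    for (int i = 0; pw[i] != '\0'; i++) {
        char cls = char_class((unsigned char)pw[i]);
        l |= (cls == 'l'); u |= (cls == 'u'); d |= (cls == 'd'); p |= (cls == 'p');
    }
    return l + u + d + p;
}

/* Length of the longest run of consecutive characters from one class. */
int longest_class_run(const char *pw) {
    int best = 0, run = 0;
    char prev = 0;
    for (int i = 0; pw[i] != '\0'; i++) {
        char cls = char_class((unsigned char)pw[i]);
        if (cls == 0) run = 0;          /* assumption: unclassified bytes break a run */
        else if (cls == prev) run++;
        else run = 1;                   /* first character of a new class */
        prev = cls;
        if (run > best) best = run;
    }
    return best;
}

/* 1 = accepted, 0 = rejected; a parameter of 0 disables that check. */
int policy_accepts(const char *pw, int min_points, int max_consecutive_per_class) {
    if (min_points != 0 && quality_points(pw) < min_points) return 0;
    if (max_consecutive_per_class != 0 &&
        longest_class_run(pw) > max_consecutive_per_class) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample passwords, evaluated with the shipped defaults. */
    printf("%d %d\n", policy_accepts("Simp1e!", 3, 5), policy_accepts("abcdefG1", 3, 5));
    return 0;
}
```

The second sample has three quality points but a run of six lower-case letters, so it is the max_consecutive_per_class rule that rejects it.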
