[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Mon Apr 18 15:11:17 UTC 2016
VERSION.sh | 2
debian/changelog | 8
debian/patches/series | 1
debian/patches/support-non-nss-libldap.diff | 1811 +
dev/null |binary
dirsrvtests/data/README | 11
dirsrvtests/data/basic/dse.ldif.broken | 95
dirsrvtests/data/ticket47953/ticket47953.ldif | 27
dirsrvtests/data/ticket48212/example1k_posix.ldif |17017 ----------
dirsrvtests/suites/acct_usability_plugin/acct_usability_test.py | 93
dirsrvtests/suites/acctpolicy_plugin/acctpolicy_test.py | 93
dirsrvtests/suites/acl/acl_test.py | 1059
dirsrvtests/suites/attr_encryption/attr_encrypt_test.py | 93
dirsrvtests/suites/attr_uniqueness_plugin/attr_uniqueness_test.py | 248
dirsrvtests/suites/automember_plugin/automember_test.py | 93
dirsrvtests/suites/basic/basic_test.py | 775
dirsrvtests/suites/betxns/betxn_test.py | 258
dirsrvtests/suites/chaining_plugin/chaining_test.py | 93
dirsrvtests/suites/clu/clu_test.py | 115
dirsrvtests/suites/clu/db2ldif_test.py | 92
dirsrvtests/suites/collation_plugin/collatation_test.py | 93
dirsrvtests/suites/config/config_test.py | 198
dirsrvtests/suites/cos_plugin/cos_test.py | 93
dirsrvtests/suites/deref_plugin/deref_test.py | 93
dirsrvtests/suites/disk_monitoring/disk_monitor_test.py | 93
dirsrvtests/suites/distrib_plugin/distrib_test.py | 93
dirsrvtests/suites/dna_plugin/dna_test.py | 93
dirsrvtests/suites/ds_logs/ds_logs_test.py | 93
dirsrvtests/suites/dynamic-plugins/plugin_tests.py | 2406 -
dirsrvtests/suites/dynamic-plugins/stress_tests.py | 146
dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py | 493
dirsrvtests/suites/filter/filter_test.py | 152
dirsrvtests/suites/get_effective_rights/ger_test.py | 93
dirsrvtests/suites/ldapi/ldapi_test.py | 93
dirsrvtests/suites/linkedattrs_plugin/linked_attrs_test.py | 93
dirsrvtests/suites/mapping_tree/mapping_tree_test.py | 93
dirsrvtests/suites/memberof_plugin/memberof_test.py | 176
dirsrvtests/suites/memory_leaks/range_search_test.py | 138
dirsrvtests/suites/mep_plugin/mep_test.py | 93
dirsrvtests/suites/monitor/monitor_test.py | 93
dirsrvtests/suites/paged_results/paged_results_test.py | 93
dirsrvtests/suites/pam_passthru_plugin/pam_test.py | 93
dirsrvtests/suites/passthru_plugin/passthru_test.py | 93
dirsrvtests/suites/password/password_test.py | 143
dirsrvtests/suites/password/pwdAdmin_test.py | 447
dirsrvtests/suites/password/pwdPolicy_test.py | 82
dirsrvtests/suites/posix_winsync_plugin/posix_winsync_test.py | 93
dirsrvtests/suites/psearch/psearch_test.py | 93
dirsrvtests/suites/referint_plugin/referint_test.py | 93
dirsrvtests/suites/replication/cleanallruv_test.py | 1494
dirsrvtests/suites/replication/wait_for_async_feature_test.py | 280
dirsrvtests/suites/replsync_plugin/repl_sync_test.py | 93
dirsrvtests/suites/resource_limits/res_limits_test.py | 93
dirsrvtests/suites/retrocl_plugin/retrocl_test.py | 93
dirsrvtests/suites/reverpwd_plugin/reverpwd_test.py | 93
dirsrvtests/suites/roles_plugin/roles_test.py | 93
dirsrvtests/suites/rootdn_plugin/rootdn_plugin_test.py | 778
dirsrvtests/suites/sasl/sasl_test.py | 93
dirsrvtests/suites/schema/test_schema.py | 228
dirsrvtests/suites/schema_reload_plugin/schema_reload_test.py | 93
dirsrvtests/suites/snmp/snmp_test.py | 93
dirsrvtests/suites/ssl/ssl_test.py | 93
dirsrvtests/suites/syntax_plugin/syntax_test.py | 93
dirsrvtests/suites/usn_plugin/usn_test.py | 93
dirsrvtests/suites/views_plugin/views_test.py | 93
dirsrvtests/suites/vlv/vlv_test.py | 93
dirsrvtests/suites/whoami_plugin/whoami_test.py | 93
dirsrvtests/tests/data/README | 11
dirsrvtests/tests/data/basic/dse.ldif.broken | 95
dirsrvtests/tests/data/ticket47953/ticket47953.ldif | 27
dirsrvtests/tests/data/ticket47988/schema_ipa3.3.tar.gz |binary
dirsrvtests/tests/data/ticket47988/schema_ipa4.1.tar.gz |binary
dirsrvtests/tests/data/ticket48212/example1k_posix.ldif |17017 ++++++++++
dirsrvtests/tests/suites/acct_usability_plugin/acct_usability_test.py | 93
dirsrvtests/tests/suites/acctpolicy_plugin/acctpolicy_test.py | 93
dirsrvtests/tests/suites/acl/acl_test.py | 1059
dirsrvtests/tests/suites/attr_encryption/attr_encrypt_test.py | 93
dirsrvtests/tests/suites/attr_uniqueness_plugin/attr_uniqueness_test.py | 248
dirsrvtests/tests/suites/automember_plugin/automember_test.py | 93
dirsrvtests/tests/suites/basic/basic_test.py | 775
dirsrvtests/tests/suites/betxns/betxn_test.py | 258
dirsrvtests/tests/suites/chaining_plugin/chaining_test.py | 93
dirsrvtests/tests/suites/clu/clu_test.py | 115
dirsrvtests/tests/suites/clu/db2ldif_test.py | 92
dirsrvtests/tests/suites/collation_plugin/collatation_test.py | 93
dirsrvtests/tests/suites/config/config_test.py | 198
dirsrvtests/tests/suites/cos_plugin/cos_test.py | 93
dirsrvtests/tests/suites/deref_plugin/deref_test.py | 93
dirsrvtests/tests/suites/disk_monitoring/disk_monitor_test.py | 93
dirsrvtests/tests/suites/distrib_plugin/distrib_test.py | 93
dirsrvtests/tests/suites/dna_plugin/dna_test.py | 93
dirsrvtests/tests/suites/ds_logs/ds_logs_test.py | 93
dirsrvtests/tests/suites/dynamic-plugins/plugin_tests.py | 2406 +
dirsrvtests/tests/suites/dynamic-plugins/stress_tests.py | 146
dirsrvtests/tests/suites/dynamic-plugins/test_dynamic_plugins.py | 493
dirsrvtests/tests/suites/filter/filter_test.py | 152
dirsrvtests/tests/suites/get_effective_rights/ger_test.py | 93
dirsrvtests/tests/suites/ldapi/ldapi_test.py | 93
dirsrvtests/tests/suites/linkedattrs_plugin/linked_attrs_test.py | 93
dirsrvtests/tests/suites/mapping_tree/mapping_tree_test.py | 93
dirsrvtests/tests/suites/memberof_plugin/memberof_test.py | 176
dirsrvtests/tests/suites/memory_leaks/range_search_test.py | 138
dirsrvtests/tests/suites/mep_plugin/mep_test.py | 93
dirsrvtests/tests/suites/monitor/monitor_test.py | 93
dirsrvtests/tests/suites/paged_results/paged_results_test.py | 93
dirsrvtests/tests/suites/pam_passthru_plugin/pam_test.py | 93
dirsrvtests/tests/suites/passthru_plugin/passthru_test.py | 93
dirsrvtests/tests/suites/password/password_test.py | 143
dirsrvtests/tests/suites/password/pwdAdmin_test.py | 447
dirsrvtests/tests/suites/password/pwdPolicy_test.py | 82
dirsrvtests/tests/suites/posix_winsync_plugin/posix_winsync_test.py | 93
dirsrvtests/tests/suites/psearch/psearch_test.py | 93
dirsrvtests/tests/suites/referint_plugin/referint_test.py | 93
dirsrvtests/tests/suites/replication/cleanallruv_test.py | 1494
dirsrvtests/tests/suites/replication/wait_for_async_feature_test.py | 280
dirsrvtests/tests/suites/replsync_plugin/repl_sync_test.py | 93
dirsrvtests/tests/suites/resource_limits/res_limits_test.py | 93
dirsrvtests/tests/suites/retrocl_plugin/retrocl_test.py | 93
dirsrvtests/tests/suites/reverpwd_plugin/reverpwd_test.py | 93
dirsrvtests/tests/suites/roles_plugin/roles_test.py | 93
dirsrvtests/tests/suites/rootdn_plugin/rootdn_plugin_test.py | 778
dirsrvtests/tests/suites/sasl/sasl_test.py | 93
dirsrvtests/tests/suites/schema/test_schema.py | 228
dirsrvtests/tests/suites/schema_reload_plugin/schema_reload_test.py | 93
dirsrvtests/tests/suites/snmp/snmp_test.py | 93
dirsrvtests/tests/suites/ssl/ssl_test.py | 93
dirsrvtests/tests/suites/syntax_plugin/syntax_test.py | 93
dirsrvtests/tests/suites/usn_plugin/usn_test.py | 93
dirsrvtests/tests/suites/views_plugin/views_test.py | 93
dirsrvtests/tests/suites/vlv/vlv_test.py | 93
dirsrvtests/tests/suites/whoami_plugin/whoami_test.py | 93
dirsrvtests/tests/tickets/finalizer.py | 64
dirsrvtests/tests/tickets/ticket365_test.py | 169
dirsrvtests/tests/tickets/ticket47313_test.py | 174
dirsrvtests/tests/tickets/ticket47384_test.py | 167
dirsrvtests/tests/tickets/ticket47431_test.py | 259
dirsrvtests/tests/tickets/ticket47462_test.py | 365
dirsrvtests/tests/tickets/ticket47490_test.py | 691
dirsrvtests/tests/tickets/ticket47553_test.py | 166
dirsrvtests/tests/tickets/ticket47560_test.py | 253
dirsrvtests/tests/tickets/ticket47573_test.py | 347
dirsrvtests/tests/tickets/ticket47619_test.py | 220
dirsrvtests/tests/tickets/ticket47640_test.py | 130
dirsrvtests/tests/tickets/ticket47653MMR_test.py | 473
dirsrvtests/tests/tickets/ticket47653_test.py | 381
dirsrvtests/tests/tickets/ticket47664_test.py | 225
dirsrvtests/tests/tickets/ticket47669_test.py | 265
dirsrvtests/tests/tickets/ticket47676_test.py | 406
dirsrvtests/tests/tickets/ticket47714_test.py | 263
dirsrvtests/tests/tickets/ticket47721_test.py | 468
dirsrvtests/tests/tickets/ticket47781_test.py | 188
dirsrvtests/tests/tickets/ticket47787_test.py | 561
dirsrvtests/tests/tickets/ticket47808_test.py | 166
dirsrvtests/tests/tickets/ticket47815_test.py | 179
dirsrvtests/tests/tickets/ticket47819_test.py | 296
dirsrvtests/tests/tickets/ticket47823_test.py | 1021
dirsrvtests/tests/tickets/ticket47824_test.py | 265
dirsrvtests/tests/tickets/ticket47828_test.py | 728
dirsrvtests/tests/tickets/ticket47829_test.py | 656
dirsrvtests/tests/tickets/ticket47833_test.py | 274
dirsrvtests/tests/tickets/ticket47838_test.py | 841
dirsrvtests/tests/tickets/ticket47869MMR_test.py | 346
dirsrvtests/tests/tickets/ticket47871_test.py | 226
dirsrvtests/tests/tickets/ticket47900_test.py | 344
dirsrvtests/tests/tickets/ticket47910_test.py | 205
dirsrvtests/tests/tickets/ticket47920_test.py | 194
dirsrvtests/tests/tickets/ticket47921_test.py | 163
dirsrvtests/tests/tickets/ticket47927_test.py | 313
dirsrvtests/tests/tickets/ticket47931_test.py | 207
dirsrvtests/tests/tickets/ticket47937_test.py | 188
dirsrvtests/tests/tickets/ticket47950_test.py | 223
dirsrvtests/tests/tickets/ticket47953_test.py | 128
dirsrvtests/tests/tickets/ticket47963_test.py | 199
dirsrvtests/tests/tickets/ticket47966_test.py | 227
dirsrvtests/tests/tickets/ticket47970_test.py | 158
dirsrvtests/tests/tickets/ticket47973_test.py | 185
dirsrvtests/tests/tickets/ticket47980_test.py | 662
dirsrvtests/tests/tickets/ticket47981_test.py | 295
dirsrvtests/tests/tickets/ticket47988_test.py | 503
dirsrvtests/tests/tickets/ticket48005_test.py | 415
dirsrvtests/tests/tickets/ticket48013_test.py | 134
dirsrvtests/tests/tickets/ticket48026_test.py | 168
dirsrvtests/tests/tickets/ticket48109_test.py | 394
dirsrvtests/tests/tickets/ticket48170_test.py | 96
dirsrvtests/tests/tickets/ticket48191_test.py | 323
dirsrvtests/tests/tickets/ticket48194_test.py | 499
dirsrvtests/tests/tickets/ticket48212_test.py | 210
dirsrvtests/tests/tickets/ticket48214_test.py | 171
dirsrvtests/tests/tickets/ticket48226_test.py | 249
dirsrvtests/tests/tickets/ticket48228_test.py | 336
dirsrvtests/tests/tickets/ticket48233_test.py | 105
dirsrvtests/tests/tickets/ticket48252_test.py | 178
dirsrvtests/tests/tickets/ticket48265_test.py | 130
dirsrvtests/tests/tickets/ticket48312_test.py | 168
dirsrvtests/tests/tickets/ticket48325_test.py | 270
dirsrvtests/tests/tickets/ticket48362_test.py | 278
dirsrvtests/tests/tickets/ticket48369_test.py | 124
dirsrvtests/tests/tickets/ticket48370_test.py | 236
dirsrvtests/tests/tickets/ticket48497_test.py | 177
dirsrvtests/tests/tickets/ticket48745_test.py | 185
dirsrvtests/tests/tickets/ticket48746_test.py | 213
dirsrvtests/tests/tickets/ticket48759_test.py | 285
dirsrvtests/tests/tmp/README | 10
dirsrvtests/tickets/finalizer.py | 64
dirsrvtests/tickets/ticket365_test.py | 169
dirsrvtests/tickets/ticket47313_test.py | 174
dirsrvtests/tickets/ticket47384_test.py | 167
dirsrvtests/tickets/ticket47431_test.py | 259
dirsrvtests/tickets/ticket47462_test.py | 365
dirsrvtests/tickets/ticket47490_test.py | 691
dirsrvtests/tickets/ticket47553_test.py | 166
dirsrvtests/tickets/ticket47560_test.py | 253
dirsrvtests/tickets/ticket47573_test.py | 347
dirsrvtests/tickets/ticket47619_test.py | 220
dirsrvtests/tickets/ticket47640_test.py | 130
dirsrvtests/tickets/ticket47653MMR_test.py | 473
dirsrvtests/tickets/ticket47653_test.py | 381
dirsrvtests/tickets/ticket47664_test.py | 225
dirsrvtests/tickets/ticket47669_test.py | 265
dirsrvtests/tickets/ticket47676_test.py | 406
dirsrvtests/tickets/ticket47714_test.py | 263
dirsrvtests/tickets/ticket47721_test.py | 468
dirsrvtests/tickets/ticket47781_test.py | 188
dirsrvtests/tickets/ticket47787_test.py | 561
dirsrvtests/tickets/ticket47808_test.py | 166
dirsrvtests/tickets/ticket47815_test.py | 179
dirsrvtests/tickets/ticket47819_test.py | 296
dirsrvtests/tickets/ticket47823_test.py | 1021
dirsrvtests/tickets/ticket47824_test.py | 265
dirsrvtests/tickets/ticket47828_test.py | 728
dirsrvtests/tickets/ticket47829_test.py | 656
dirsrvtests/tickets/ticket47833_test.py | 274
dirsrvtests/tickets/ticket47838_test.py | 841
dirsrvtests/tickets/ticket47869MMR_test.py | 346
dirsrvtests/tickets/ticket47871_test.py | 226
dirsrvtests/tickets/ticket47900_test.py | 344
dirsrvtests/tickets/ticket47910_test.py | 205
dirsrvtests/tickets/ticket47920_test.py | 194
dirsrvtests/tickets/ticket47921_test.py | 163
dirsrvtests/tickets/ticket47927_test.py | 313
dirsrvtests/tickets/ticket47931_test.py | 207
dirsrvtests/tickets/ticket47937_test.py | 188
dirsrvtests/tickets/ticket47950_test.py | 223
dirsrvtests/tickets/ticket47953_test.py | 128
dirsrvtests/tickets/ticket47963_test.py | 199
dirsrvtests/tickets/ticket47966_test.py | 227
dirsrvtests/tickets/ticket47970_test.py | 158
dirsrvtests/tickets/ticket47973_test.py | 185
dirsrvtests/tickets/ticket47980_test.py | 662
dirsrvtests/tickets/ticket47981_test.py | 295
dirsrvtests/tickets/ticket47988_test.py | 503
dirsrvtests/tickets/ticket48005_test.py | 415
dirsrvtests/tickets/ticket48013_test.py | 134
dirsrvtests/tickets/ticket48026_test.py | 168
dirsrvtests/tickets/ticket48109_test.py | 394
dirsrvtests/tickets/ticket48170_test.py | 96
dirsrvtests/tickets/ticket48191_test.py | 323
dirsrvtests/tickets/ticket48194_test.py | 499
dirsrvtests/tickets/ticket48212_test.py | 210
dirsrvtests/tickets/ticket48214_test.py | 171
dirsrvtests/tickets/ticket48226_test.py | 249
dirsrvtests/tickets/ticket48228_test.py | 336
dirsrvtests/tickets/ticket48233_test.py | 105
dirsrvtests/tickets/ticket48252_test.py | 178
dirsrvtests/tickets/ticket48265_test.py | 130
dirsrvtests/tickets/ticket48312_test.py | 168
dirsrvtests/tickets/ticket48325_test.py | 270
dirsrvtests/tickets/ticket48362_test.py | 278
dirsrvtests/tickets/ticket48369_test.py | 124
dirsrvtests/tickets/ticket48370_test.py | 236
dirsrvtests/tmp/README | 10
ldap/servers/plugins/replication/repl5_replica.c | 2
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 44
ldap/servers/slapd/plugin_mr.c | 124
rpm/389-ds-base.spec.in | 2
275 files changed, 53095 insertions(+), 50385 deletions(-)
New commits:
commit 34056f90a6425cf3416bb7f8932bdaa42ccef806
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Mon Apr 18 18:08:20 2016 +0300
releasing package 389-ds-base version 1.3.4.9-1
diff --git a/debian/changelog b/debian/changelog
index 8e3c773..515d427 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-389-ds-base (1.3.4.9-1) UNRELEASED; urgency=medium
+389-ds-base (1.3.4.9-1) unstable; urgency=medium
* New upstream release.
* support-non-nss-libldap.diff: Support libldap built against gnutls.
(LP: #1564179)
- -- Timo Aaltonen <tjaalton at debian.org> Mon, 18 Apr 2016 18:04:11 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 18 Apr 2016 18:08:14 +0300
389-ds-base (1.3.4.8-4) unstable; urgency=medium
commit b94148a5d8e2b62b25aa7562da075b4bc8e67d5d
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Mon Apr 18 18:08:08 2016 +0300
support-non-nss-libldap.diff: Support libldap built against gnutls. (LP: #1564179)
diff --git a/debian/changelog b/debian/changelog
index ab7f8f6..8e3c773 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+389-ds-base (1.3.4.9-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ * support-non-nss-libldap.diff: Support libldap built against gnutls.
+ (LP: #1564179)
+
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 18 Apr 2016 18:04:11 +0300
+
389-ds-base (1.3.4.8-4) unstable; urgency=medium
* use-perl-move.diff: Dropped, 'rename' is more reliable.
diff --git a/debian/patches/series b/debian/patches/series
index f2b5082..3b403b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ fix-obsolete-target.diff
fix-saslpath.diff
reproducible-build.diff
fix-systemctl-path.diff
+support-non-nss-libldap.diff
diff --git a/debian/patches/support-non-nss-libldap.diff b/debian/patches/support-non-nss-libldap.diff
new file mode 100644
index 0000000..5ae9a46
--- /dev/null
+++ b/debian/patches/support-non-nss-libldap.diff
@@ -0,0 +1,1811 @@
+From 2d268628ba9a8fef7648af4498cadaba9e963153 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi at redhat.com>
+Date: Thu, 14 Apr 2016 12:56:19 -0700
+Subject: [PATCH] Ticket #47536 - Allow usage of OpenLDAP libraries that don't
+ use NSS for crypto
+
+Design Doc: http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html
+
+This patch also addresses the issue described in
+ Ticket #48756 - if startTLS is enabled, perl utilities fail to start.
+The ticket #48756 is closed as dup of Ticket #47536.
+
+Note: Instead of checking with "OpenSSL" for the openldap client library,
+ this patch checks with "Not MozNSS" for non-Fedora/RHEL platform support.
+---
+ ldap/admin/src/scripts/DSUtil.pm.in | 13 +
+ ldap/schema/01core389.ldif | 7 +-
+ .../servers/plugins/replication/repl5_connection.c | 8 +-
+ .../plugins/replication/windows_connection.c | 8 +-
+ ldap/servers/slapd/ldaputil.c | 120 ++-
+ ldap/servers/slapd/libglobs.c | 26 +
+ ldap/servers/slapd/proto-slap.h | 2 +
+ ldap/servers/slapd/slap.h | 4 +-
+ ldap/servers/slapd/slapi-plugin.h | 23 +-
+ ldap/servers/slapd/slapi-private.h | 3 +
+ ldap/servers/slapd/ssl.c | 919 ++++++++++++++++++---
+ ldap/servers/slapd/util.c | 123 +--
+ 12 files changed, 1054 insertions(+), 202 deletions(-)
+
+--- a/ldap/admin/src/scripts/DSUtil.pm.in
++++ b/ldap/admin/src/scripts/DSUtil.pm.in
+@@ -1245,6 +1245,19 @@ sub get_info {
+ $info{ldapiURL} = "ldapi://" . $value;
+ }
+
++ while($entry = readOneEntry $ldif){
++ if($entry->getDN() eq "cn=encryption,cn=config"){
++ $foundcfg = "yes";
++ last;
++ }
++ }
++ if($foundcfg eq "yes"){
++ $info{cacertfile} = $entry->getValues("CACertExtractFile");
++ if ($info{cacertfile}) {
++ $ENV{LDAPTLS_CACERT}=$info{cacertfile};
++ }
++ }
++
+ close (DSE);
+ return %info;
+ }
+--- a/ldap/schema/01core389.ldif
++++ b/ldap/schema/01core389.ldif
+@@ -103,6 +103,9 @@ attributeTypes: ( allowWeakCipher-oid NA
+ attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+ attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+ attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
++attributeTypes: ( CACertExtractFile-oid NAME 'CACertExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
++attributeTypes: ( ServerKeyExtractFile-oid NAME 'ServerKeyExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
++attributeTypes: ( ServerCertExtractFile-oid NAME 'ServerCertExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+ attributeTypes: ( 2.16.840.1.113730.3.1.2091 NAME 'nsslapd-suffix' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' )
+ attributeTypes: ( 2.16.840.1.113730.3.1.2092 NAME 'nsslapd-ldapiautodnsuffix' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' )
+ attributeTypes: ( 2.16.840.1.113730.3.1.2095 NAME 'connection' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+@@ -293,8 +296,8 @@ objectClasses: ( 2.16.840.1.113730.3.2.1
+ objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
+ objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
+ objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
+-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
+-objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
++objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile ) X-ORIGIN 'Netscape' )
++objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' )
+ objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
+ objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
+
+--- a/ldap/servers/plugins/replication/repl5_connection.c
++++ b/ldap/servers/plugins/replication/repl5_connection.c
+@@ -1234,9 +1234,9 @@ conn_connect(Repl_Connection *conn)
+ * initialisation should be done before ever trying to open any connection at all.
+ */
+ if (conn->transport_flags == TRANSPORT_FLAG_TLS) {
+- secure = 2;
++ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
+ } else if (conn->transport_flags == TRANSPORT_FLAG_SSL) {
+- secure = 1;
++ secure = SLAPI_LDAP_INIT_FLAG_SSL;
+ }
+
+ if (secure > 0) {
+@@ -1261,7 +1261,7 @@ conn_connect(Repl_Connection *conn)
+ "%s: Trying %s%s slapi_ldap_init_ext\n",
+ agmt_get_long_name(conn->agmt),
+ secure ? "secure" : "non-secure",
+- (secure == 2) ? " startTLS" : "");
++ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? " startTLS" : "");
+ /* shared = 1 because we will read results from a second thread */
+ if (conn->ld) {
+ /* Since we call slapi_ldap_init, we must call slapi_ldap_unbind */
+@@ -1279,7 +1279,7 @@ conn_connect(Repl_Connection *conn)
+ "%s: Failed to establish %s%sconnection to the consumer\n",
+ agmt_get_long_name(conn->agmt),
+ secure ? "secure " : "",
+- (secure == 2) ? "startTLS " : "");
++ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? "startTLS " : "");
+ goto done;
+ }
+
+--- a/ldap/servers/plugins/replication/windows_connection.c
++++ b/ldap/servers/plugins/replication/windows_connection.c
+@@ -1313,9 +1313,9 @@ windows_conn_connect(Repl_Connection *co
+ * initialisation should be done before ever trying to open any connection at all.
+ */
+ if (conn->transport_flags == TRANSPORT_FLAG_TLS) {
+- secure = 2;
++ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
+ } else if (conn->transport_flags == TRANSPORT_FLAG_SSL) {
+- secure = 1;
++ secure = SLAPI_LDAP_INIT_FLAG_SSL;
+ }
+
+ if (secure > 0) {
+@@ -1340,7 +1340,7 @@ windows_conn_connect(Repl_Connection *co
+ "%s: Trying %s%s slapi_ldap_init_ext\n",
+ agmt_get_long_name(conn->agmt),
+ secure ? "secure" : "non-secure",
+- (secure == 2) ? " startTLS" : "");
++ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? " startTLS" : "");
+
+ conn->ld = slapi_ldap_init_ext(NULL, conn->hostname, conn->port, secure, 0, NULL);
+ if (NULL == conn->ld)
+@@ -1353,7 +1353,7 @@ windows_conn_connect(Repl_Connection *co
+ "%s: Failed to establish %s%sconnection to the consumer\n",
+ agmt_get_long_name(conn->agmt),
+ secure ? "secure " : "",
+- (secure == 2) ? "startTLS " : "");
++ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? "startTLS " : "");
+ goto done;
+ }
+
+--- a/ldap/servers/slapd/ldaputil.c
++++ b/ldap/servers/slapd/ldaputil.c
+@@ -560,6 +560,7 @@ setup_ol_tls_conn(LDAP *ld, int clientau
+ int optval = 0;
+ int ssl_strength = 0;
+ int rc = 0;
++ const char *cacert = NULL;
+
+ if (config_get_ssl_check_hostname()) {
+ ssl_strength = LDAP_OPT_X_TLS_HARD;
+@@ -572,7 +573,29 @@ setup_ol_tls_conn(LDAP *ld, int clientau
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
+ }
+- /* tell it where our cert db is */
++ if (slapi_client_uses_non_nss(ld)) {
++ cacert = slapi_get_cacertfile();
++ if (cacert) {
++ /* CA Cert PEM file exists. Set the path to openldap option. */
++ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, cacert);
++ if (rc) {
++ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
++ "Could not set CA cert path [%s]: %d:%s\n",
++ cacert, rc, ldap_err2string(rc));
++ }
++ }
++ if (!slapi_client_uses_openssl(ld)) {
++ const int crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
++ /* Sets the CRL evaluation strategy. */
++ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
++ if (rc) {
++ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
++ "Could not set CRLCHECK [%d]: %d:%s\n",
++ crlcheck, rc, ldap_err2string(rc));
++ }
++ }
++ }
++ /* tell it where our cert db/file is */
+ if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, certdir))) {
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to set CACERTDIR option to %s\n", certdir);
+@@ -616,8 +639,8 @@ setup_ol_tls_conn(LDAP *ld, int clientau
+ on the secure setting (389 for ldap, 636 for ldaps, 389 for starttls)
+ secure takes 1 of 3 values - 0 means regular ldap, 1 means ldaps, 2
+ means regular ldap with starttls.
+- filename is the ldapi file name - if this is given, and no other options
+- are given, ldapi is assumed.
++ ldapi_socket is the ldapi file name
++ if this is given, and no other options are given, ldapi is assumed.
+ */
+ /* util_sasl_path: the string argument for putenv.
+ It must be a global or a static */
+@@ -627,12 +650,12 @@ LDAP *
+ slapi_ldap_init_ext(
+ const char *ldapurl, /* full ldap url */
+ const char *hostname, /* can also use this to override
+- host in url */
++ host in url */
+ int port, /* can also use this to override port in url */
+ int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls -
+- override proto in url */
++ override proto in url */
+ int shared, /* if true, LDAP* will be shared among multiple threads */
+- const char *filename /* for ldapi */
++ const char *ldapi_socket /* for ldapi */
+ )
+ {
+ LDAPURLDesc *ludp = NULL;
+@@ -686,16 +709,16 @@ slapi_ldap_init_ext(
+ /* use secure setting from url if none given */
+ if (!secure && ludp) {
+ if (secureurl) {
+- secure = 1;
++ secure = SLAPI_LDAP_INIT_FLAG_SSL;
+ } else if (0/* starttls option - not supported yet in LDAP URLs */) {
+- secure = 2;
++ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
+ }
+ }
+
+ /* ldap_url_parse doesn't yet handle ldapi */
+ /*
+- if (!filename && ludp && ludp->lud_file) {
+- filename = ludp->lud_file;
++ if (!ldapi_socket && ludp && ludp->lud_file) {
++ ldapi_socket = ludp->lud_file;
+ }
+ */
+
+@@ -743,10 +766,11 @@ slapi_ldap_init_ext(
+ } else {
+ char *makeurl = NULL;
+
+- if (filename) {
+- makeurl = slapi_ch_smprintf("ldapi://%s/", filename);
++ if (ldapi_socket) {
++ makeurl = slapi_ch_smprintf("ldapi://%s/", ldapi_socket);
+ } else { /* host port */
+- makeurl = convert_to_openldap_uri(hostname, port, (secure == 1 ? "ldaps" : "ldap"));
++ makeurl = convert_to_openldap_uri(hostname, port,
++ (secure == SLAPI_LDAP_INIT_FLAG_SSL ? "ldaps" : "ldap"));
+ }
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
+@@ -777,15 +801,15 @@ slapi_ldap_init_ext(
+ * hostname (such as localhost.localdomain).
+ */
+ if((rc = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON))){
+- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
++ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
+ "Could not set ldap option LDAP_OPT_X_SASL_NOCANON for (%s), error %d (%s)\n",
+ ldapurl, rc, ldap_err2string(rc) );
+ }
+ }
+ #else /* !USE_OPENLDAP */
+- if (filename) {
++ if (ldapi_socket) {
+ /* ldapi in mozldap client is not yet supported */
+- } else if (secure == 1) {
++ } else if (secure == SLAPI_LDAP_INIT_FLAG_SSL) {
+ ld = ldapssl_init(hostname, port, secure);
+ } else { /* regular ldap and/or starttls */
+ /*
+@@ -809,7 +833,7 @@ slapi_ldap_init_ext(
+ }
+ }
+
+- if ((ld != NULL) && !filename) {
++ if (ld && !ldapi_socket) {
+ /*
+ * Set the outbound LDAP I/O timeout based on the server config.
+ */
+@@ -857,7 +881,7 @@ slapi_ldap_init_ext(
+ * LDAP* if it has already gone through ldapssl_init -
+ * so, use NULL if using starttls
+ */
+- if (secure == 1) {
++ if (secure == SLAPI_LDAP_INIT_FLAG_SSL) {
+ myld = ld;
+ }
+
+@@ -881,7 +905,7 @@ slapi_ldap_init_ext(
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n",
+ prerr, slapd_pr_strerror(prerr));
+ }
+- if (secure == 1) {
++ if (secure == SLAPI_LDAP_INIT_FLAG_SSL) {
+ /* tell bind code we are using SSL */
+ ldap_set_option(ld, LDAP_OPT_SSL, LDAP_OPT_ON);
+ }
+@@ -889,7 +913,7 @@ slapi_ldap_init_ext(
+ }
+ }
+
+- if (ld && (secure == 2)) {
++ if (ld && (secure == SLAPI_LDAP_INIT_FLAG_startTLS)) {
+ /*
+ * We don't have a way to stash context data with the LDAP*, so we
+ * stash the information in the client controls (currently unused).
+@@ -919,8 +943,8 @@ slapi_ldap_init_ext(
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_init_ext",
+ "Success: set up conn to [%s:%d]%s\n",
+ hostname, port,
+- (secure == 2) ? " using startTLS" :
+- ((secure == 1) ? " using SSL" : ""));
++ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? " using startTLS" :
++ ((secure == SLAPI_LDAP_INIT_FLAG_SSL) ? " using SSL" : ""));
+ done:
+ ldap_free_urldesc(ludp);
+
+@@ -974,7 +998,7 @@ ldaputil_get_saslpath()
+ LDAP *
+ slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared )
+ {
+- return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL);
++ return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL/*, NULL*/);
+ }
+
+ /*
+@@ -1011,7 +1035,7 @@ slapi_ldap_bind(
+ ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls);
+ if (clientctrls && clientctrls[0] &&
+ slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) {
+- secure = 2;
++ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
+ } else {
+ #if defined(USE_OPENLDAP)
+ /* openldap doesn't have a SSL/TLS yes/no flag - so grab the
+@@ -1020,7 +1044,7 @@ slapi_ldap_bind(
+
+ ldap_get_option(ld, LDAP_OPT_URI, &ldapurl);
+ if (ldapurl && !PL_strncasecmp(ldapurl, "ldaps", 5)) {
+- secure = 1;
++ secure = SLAPI_LDAP_INIT_FLAG_SSL;
+ }
+ slapi_ch_free_string(&ldapurl);
+ #else /* !USE_OPENLDAP */
+@@ -1058,7 +1082,7 @@ slapi_ldap_bind(
+ bvcreds.bv_len = creds ? strlen(creds) : 0;
+ }
+
+- if (secure == 2) { /* send start tls */
++ if (secure == SLAPI_LDAP_INIT_FLAG_startTLS) { /* send start tls */
+ rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
+ if (LDAP_SUCCESS != rc) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+@@ -2367,3 +2391,47 @@ slapi_berval_get_msg_len(struct berval *
+
+ return len;
+ }
++
++int
++slapi_client_uses_non_nss(LDAP *ld)
++{
++ static int not_nss = 0;
++#if defined(USE_OPENLDAP)
++ static int initialized = 0;
++ char *package_name = NULL;
++ int rc;
++
++ if (initialized) {
++ return not_nss;
++ }
++ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_PACKAGE, &package_name);
++ if (!rc && PL_strcasecmp(package_name, "MozNSS")) {
++ not_nss = 1;
++ slapi_ch_free_string(&package_name);
++ }
++ initialized = 1;
++#endif
++ return not_nss;
++}
++
++int
++slapi_client_uses_openssl(LDAP *ld)
++{
++ static int is_openssl = 0;
++#if defined(USE_OPENLDAP)
++ static int initialized = 0;
++ char *package_name = NULL;
++ int rc;
++
++ if (initialized) {
++ return is_openssl;
++ }
++ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_PACKAGE, &package_name);
++ if (!rc && PL_strcasecmp(package_name, "OpenSSL")) {
++ is_openssl = 1;
++ slapi_ch_free_string(&package_name);
++ }
++ initialized = 1;
++#endif
++ return is_openssl;
++}
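Review bot: The OpenSSL test in slapi_client_uses_openssl is inverted: `PL_strcasecmp(package_name, "OpenSSL")` is non-zero when the names differ, so `is_openssl` is set to 1 precisely when the TLS package is NOT OpenSSL (compare slapi_client_uses_non_nss, where a non-zero result correctly means "not MozNSS"); the condition should read `if (!rc && !PL_strcasecmp(package_name, "OpenSSL")) {`. Since this result is cached in a static for the life of the process and presumably gates the PEM extraction path added elsewhere in this patch, the wrong branch would be taken on every later call. In both functions `slapi_ch_free_string(&package_name)` sits inside the branch, so the string returned by ldap_get_option is leaked when the comparison fails; move the free after the `if` so it runs whenever `rc == 0`. A one-line comment such as `/* LDAP_OPT_X_TLS_PACKAGE returns an allocated string; free it on success */` would make the ownership clear.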
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -244,6 +244,7 @@ slapi_int_t init_malloc_mmap_threshold;
+ #ifdef MEMPOOL_EXPERIMENTAL
+ slapi_onoff_t init_mempool_switch;
+ #endif
++slapi_onoff_t init_extract_pem;
+
+ #define DEFAULT_SSLCLIENTAPTH "off"
+ #define DEFAULT_ALLOW_ANON_ACCESS "on"
+@@ -1094,6 +1095,10 @@ static struct config_get_and_set {
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.maxsimplepaged_per_conn,
+ CONFIG_INT, (ConfigGetFunc)config_get_maxsimplepaged_per_conn, DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR},
++ {CONFIG_EXTRACT_PEM, config_set_extract_pem,
++ NULL, 0,
++ (void**)&global_slapdFrontendConfig.extract_pem,
++ CONFIG_ON_OFF, (ConfigGetFunc)config_get_extract_pem, &init_extract_pem},
+ #ifdef ENABLE_NUNC_STANS
+ {CONFIG_ENABLE_NUNC_STANS, config_set_enable_nunc_stans,
+ NULL, 0,
+@@ -1568,6 +1573,7 @@ FrontendConfig_init () {
+ }
+ }
+ #endif /* MEMPOOL_EXPERIMENTAL */
++ init_extract_pem = cfg->extract_pem = LDAP_OFF;
+
+ init_config_get_and_set();
+ }
+@@ -7834,6 +7840,26 @@ config_get_maxsimplepaged_per_conn()
+ return retVal;
+ }
+
++int
++config_set_extract_pem(const char *attrname, char *value, char *errorbuf, int apply)
++{
++ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
++ int retVal = LDAP_SUCCESS;
++
++ retVal = config_set_onoff(attrname, value, &(slapdFrontendConfig->extract_pem), errorbuf, apply);
++ return retVal;
++}
++
++int
++config_get_extract_pem()
++{
++ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
++ int retVal;
++
++ retVal = slapdFrontendConfig->extract_pem;
++ return retVal;
++}
++
+ #if defined(LINUX)
+ int
+ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int apply)
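Review bot: `config_get_extract_pem()` is defined with empty parentheses, and the matching declarations in proto-slap.h (`int config_get_extract_pem();`) and the new `slapi_get_cacertfile();` in slapi-plugin.h do the same; in C an empty parameter list is an unprototyped declaration, so a call with stray arguments is not diagnosed. Use `(void)` in all three places, e.g. `int config_get_extract_pem(void)`. The surrounding getters follow the older style, so this is a consistency choice, but new code should not add to it. `config_set_extract_pem` also assigns `retVal` twice; `return config_set_onoff(attrname, value, &(slapdFrontendConfig->extract_pem), errorbuf, apply);` is the whole function.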
+--- a/ldap/servers/slapd/proto-slap.h
++++ b/ldap/servers/slapd/proto-slap.h
+@@ -565,6 +565,7 @@ int config_get_cn_uses_dn_syntax_in_dns(
+ int config_get_enable_nunc_stans(void);
+ int config_set_enable_nunc_stans(const char *attrname, char *value, char *errorbuf, int apply);
+ #endif
++int config_set_extract_pem(const char *attrname, char *value, char *errorbuf, int apply);
+
+ PLHashNumber hashNocaseString(const void *key);
+ PRIntn hashNocaseCompare(const void *v1, const void *v2);
+@@ -578,6 +579,7 @@ int config_get_malloc_mmap_threshold();
+ #endif
+
+ int config_get_maxsimplepaged_per_conn();
++int config_get_extract_pem();
+
+ int is_abspath(const char *);
+ char* rel2abspath( char * );
+--- a/ldap/servers/slapd/slap.h
++++ b/ldap/servers/slapd/slap.h
+@@ -2093,6 +2093,8 @@ typedef struct _slapdEntryPoints {
+
+ #define CONFIG_MAXSIMPLEPAGED_PER_CONN_ATTRIBUTE "nsslapd-maxsimplepaged-per-conn"
+
++#define CONFIG_EXTRACT_PEM "nsslapd-extract-pemfiles"
++
+ /* getenv alternative */
+ #define CONFIG_MALLOC_MXFAST "nsslapd-malloc-mxfast"
+ #define CONFIG_MALLOC_TRIM_THRESHOLD "nsslapd-malloc-trim-threshold"
+@@ -2362,6 +2364,7 @@ typedef struct _slapdFrontendConfig {
+ int malloc_trim_threshold; /* mallopt M_TRIM_THRESHOLD */
+ int malloc_mmap_threshold; /* mallopt M_MMAP_THRESHOLD */
+ #endif
++ slapi_onoff_t extract_pem; /* If "on", export key/cert as pem files */
+ } slapdFrontendConfig_t;
+
+ /* possible values for slapdFrontendConfig_t.schemareplace */
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -6151,12 +6151,14 @@ int slapi_rwlock_get_size();
+ /*
+ * thread-safe LDAP connections
+ */
++#define SLAPI_LDAP_INIT_FLAG_SSL 1 /* SSL */
++#define SLAPI_LDAP_INIT_FLAG_startTLS 2 /* startTLS */
+ /**
+ * Initializes an LDAP connection, and returns a handle to the connection.
+ *
+ * \param ldaphost Hostname or IP address - NOTE: for TLS or GSSAPI, should be the FQDN
+ * \param ldapport LDAP server port number (default 389)
+- * \param secure \c 0 - LDAP \c 1 - LDAPS \c 2 - startTLS
++ * \param secure \c 0 - LDAP \c SLAPI_LDAP_INIT_FLAG_SSL - LDAPS \c SLAPI_LDAP_INIT_FLAG_startTLS - startTLS
+ * \param shared \c 0 - single thread access \c 1 - LDAP* will be shared among multiple threads
+ * \return A pointer to an LDAP* handle
+ *
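Review bot: `SLAPI_LDAP_INIT_FLAG_startTLS` mixes cases in a macro name, unlike `SLAPI_LDAP_INIT_FLAG_SSL` on the line above and every other macro in this header; the conventional spelling is `#define SLAPI_LDAP_INIT_FLAG_STARTTLS 2 /* startTLS */`. As these are public constants for one parameter, an enum would also let the debugger show the value and keep the three states (plain, SSL, startTLS) together, but the rename alone is enough for consistency.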
+@@ -6175,6 +6177,7 @@ LDAP *slapi_ldap_init( char *ldaphost, i
+ * \see slapi_ldap_init_ext()
+ */
+ void slapi_ldap_unbind( LDAP *ld );
++
+ /**
+ * Initializes an LDAP connection, and returns a handle to the connection.
+ *
+@@ -6182,9 +6185,9 @@ void slapi_ldap_unbind( LDAP *ld );
+ * ldapi://path - if \c NULL, #hostname, #port, and #secure must be provided
+ * \param hostname Hostname or IP address - NOTE: for TLS or GSSAPI, should be the FQDN
+ * \param port LDAP server port number (default 389)
+- * \param secure \c 0 - LDAP \c 1 - LDAPS \c 2 - startTLS
++ * \param secure \c 0 - LDAP \c SLAPI_LDAP_INIT_FLAG_SSL - LDAPS \c SLAPI_LDAP_INIT_FLAG_startTLS - startTLS
+ * \param shared \c 0 - single thread access \c 1 - LDAP* will be shared among multiple threads
+- * \param filename - currently not supported
++ * \param ldapi_socket - ldapi socket path
+ * \return A pointer to an LDAP* handle
+ *
+ * \note Use #slapi_ldap_unbind() to close and free the handle
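Review bot: The Doxygen parameter name no longer matches the prototype: this hunk documents `\param ldapi_socket - ldapi socket path`, while the next hunk renames the actual parameter to `const char *ldap_socket`, so the doc tool will report an undocumented parameter and an unknown one. Align the two, e.g. `\param ldapi_socket` and `const char *ldapi_socket /* ldapi socket path */`. In that same following hunk the inline comment on `secure` still reads `0 for ldap, 1 for ldaps, 2 for starttls`, although the `\param secure` line above was updated to the new macro names; change it to `/* 0 for ldap, SLAPI_LDAP_INIT_FLAG_SSL for ldaps, SLAPI_LDAP_INIT_FLAG_startTLS for starttls - override proto in url */` so the two descriptions cannot drift apart again.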
+@@ -6200,7 +6203,7 @@ LDAP *slapi_ldap_init_ext(
+ int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls -
+ override proto in url */
+ int shared, /* if true, LDAP* will be shared among multiple threads */
+- const char *filename /* for ldapi */
++ const char *ldap_socket /* ldapi socket path */
+ );
+ /**
+ * The LDAP bind request - this function handles all of the different types of mechanisms
+@@ -6237,6 +6240,18 @@ int slapi_ldap_bind(
+ );
+
+ /**
++ * Return the full path of PEM format CA Cert
++ *
++ * \return the full path of PEM format CA Cert
++ */
++const char * slapi_get_cacertfile();
++
++/**
++ * Set the full path of PEM format CA Cert
++ */
++void slapi_set_cacertfile(char *certfile);
++
++/**
+ * Create either a v1 Proxy Auth Control or a v2 Proxied Auth Control
+ *
+ * \param ld the LDAP connection handle
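Review bot: The docblock for `slapi_set_cacertfile(char *certfile)` has no `\param` and does not say who owns the string afterwards; with a non-const `char *` a caller cannot tell whether the path is copied or whether the pointer is stored and must stay valid. Add `\param certfile full path of the PEM format CA cert` together with one sentence stating either "the string is copied; the caller keeps ownership" or "the pointer is retained and freed by the server", whichever the implementation (outside this hunk) does. If the string is copied, the parameter should be `const char *certfile`. The getter's docblock should likewise state whether the returned pointer may be freed or modified by the caller.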
+--- a/ldap/servers/slapd/slapi-private.h
++++ b/ldap/servers/slapd/slapi-private.h
+@@ -1160,6 +1160,7 @@ char* slapd_get_tmp_dir( void );
+ #include <stdio.h> /* GGOODREPL - For BUFSIZ, below, gak */
+ const char* escape_string (const char* str, char buf[BUFSIZ]);
+ const char* escape_string_with_punctuation(const char* str, char buf[BUFSIZ]);
++const char* escape_string_for_filename(const char* str);
+ void strcpy_unescape_value( char *d, const char *s );
+
+ char *slapi_berval_get_string_copy(const struct berval *bval);
+@@ -1304,6 +1305,8 @@ void add_internal_modifiersname(Slapi_PB
+
+ /* ldaputil.c */
+ char *ldaputil_get_saslpath();
++int slapi_client_uses_non_nss(LDAP *ld);
++int slapi_client_uses_openssl(LDAP *ld);
+
+ /* ssl.c */
+ /*
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -231,6 +231,19 @@ PRBool enableSSL3 = PR_FALSE;
+ */
+ PRBool enableTLS1 = PR_TRUE;
+
++/*
++ * OpenLDAP client library with OpenSSL (ticket 47536)
++ */
++#define PEMEXT ".pem"
++/* CA cert pem file */
++static char *CACertPemFile = NULL;
++
++/* helper functions for openldap update. */
++static int slapd_extract_cert(Slapi_Entry *entry, int isCA);
++static int slapd_extract_key(Slapi_Entry *entry, char *token, PK11SlotInfo *slot);
++static void entrySetValue(Slapi_DN *sdn, char *type, char *value);
++static char *gen_pem_path(char *filename);
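Review bot: The new `slapd_extract_key(Slapi_Entry *entry, char *token, PK11SlotInfo *slot)` prototype shows that a private key is going to be written out as a PEM file; the implementation is outside this hunk, so it is not visible here whether that file is created with owner-only permissions. Confirm that the key file is opened with `O_CREAT|O_EXCL` and mode 0600 (or the `PR_Open` equivalent) and that a pre-existing file at that path is not silently overwritten, since the path comes from `gen_pem_path(char *filename)`. A short comment on the prototype, `/* writes the private key as PEM; file must be created 0600 */`, would record the requirement next to the declaration. `CACertPemFile` is file-scope mutable state reachable through the public slapi_set_cacertfile(); if it can be set after startup while connections are being opened, note the expected call ordering in a comment.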
++
+ static void
+ slapd_SSL_report(int degree, char *fmt, va_list args)
+ {
+@@ -277,7 +290,7 @@ getSupportedCiphers()
+ SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[i].num,&info,sizeof(info));
+ /* only support FIPS approved ciphers in FIPS mode */
+ if (!isFIPS || info.isFIPS) {
+- cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
++ cipher_names[idx++] = slapi_ch_smprintf("%s%s%s%s%s%s%d",
+ _conf_ciphers[i].name,sep,
+ info.symCipherName,sep,
+ info.macAlgorithmName,sep,
+@@ -315,7 +328,7 @@ getEnabledCiphers()
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+ SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+- enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
++ enabled_cipher_names[idx++] = slapi_ch_smprintf("%s%s%s%s%s%s%d",
+ _conf_ciphers[x].name,sep,
+ info.symCipherName,sep,
+ info.macAlgorithmName,sep,
+@@ -496,7 +509,7 @@ charray2str(char **ary, const char *deli
+ if (str) {
+ str = PR_sprintf_append(str, "%s%s", delim, *ary++);
+ } else {
+- str = PR_smprintf("%s", *ary++);
++ str = slapi_ch_smprintf("%s", *ary++);
+ }
+ }
+
+@@ -678,7 +691,7 @@ _conf_setciphers(char *ciphers, int flag
+ slapi_ch_free((void **)&unsuplist); /* strings inside are static */
+
+ if (!enabledOne) {
+- char *nocipher = PR_smprintf("No active cipher suite is available.");
++ char *nocipher = slapi_ch_smprintf("No active cipher suite is available.");
+ return nocipher;
+ }
+ _conf_dumpciphers();
+@@ -777,6 +790,31 @@ freeChildren( char **list ) {
+ }
+ }
+
++static void
++entrySetValue(Slapi_DN *sdn, char *type, char *value)
++{
++ Slapi_PBlock mypb;
++ LDAPMod attr;
++ LDAPMod *mods[2];
++ char *values[2];
++
++ values[0] = value;
++ values[1] = NULL;
++
++ /* modify the attribute */
++ attr.mod_type = type;
++ attr.mod_op = LDAP_MOD_REPLACE;
++ attr.mod_values = values;
++
++ mods[0] = &attr;
++ mods[1] = NULL;
++
++ pblock_init(&mypb);
++ slapi_modify_internal_set_pb_ext(&mypb, sdn, mods, NULL, NULL, (void *)plugin_get_default_component_id(), 0);
++ slapi_modify_internal_pb(&mypb);
++ pblock_done(&mypb);
++}
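Review bot: entrySetValue discards the outcome of the internal modify: `slapi_modify_internal_pb(&mypb)` stores its result in the pblock and nothing reads it, so a failed attribute update (for example when the entry or attribute does not exist) goes unnoticed by the caller. After the call read it back with `int rc = LDAP_SUCCESS; slapi_pblock_get(&mypb, SLAPI_PLUGIN_INTOP_RESULT, &rc);` and log with `slapi_log_error(SLAPI_LOG_FATAL, "entrySetValue", ...)` when `rc != LDAP_SUCCESS`, or return `rc` so callers can act on it. A header comment stating that the function does a LDAP_MOD_REPLACE of a single value on `sdn` using the default component id would also help, since the name does not say that it replaces rather than adds.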
++
+ /* Logs a warning and returns 1 if cert file doesn't exist. You
+ * can skip the warning log message by setting no_log to 1.*/
+ static int
+@@ -784,8 +822,8 @@ warn_if_no_cert_file(const char *dir, in