authorCoprDistGit <infra@openeuler.org>2024-08-05 01:30:59 +0000
committerCoprDistGit <infra@openeuler.org>2024-08-05 01:30:59 +0000
commitba6655ad2a7396c34681387cba66bc129d6fa267 (patch)
treeec5b27cc60e0eb46ab94c6eb8be8c341b5556af9
parent22f47289d405fb4a1df6fb57d76e7c42892befac (diff)
automatic import of 389-ds-baseopeneuler24.03_LTS
-rw-r--r--.gitignore2
-rw-r--r--0001-CVE-2024-3657.patch213
-rw-r--r--0002-CVE-2024-2199.patch108
-rw-r--r--0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch31
-rw-r--r--0004-CVE-2024-5953.patch145
-rw-r--r--0005-CVE-2024-6237.patch25
-rw-r--r--0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch88
-rw-r--r--389-ds-base-devel.README4
-rw-r--r--389-ds-base-git.sh16
-rw-r--r--389-ds-base.spec1023
-rw-r--r--389-ds-base.sysusers3
-rw-r--r--sources2
12 files changed, 1660 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..1d2a8c3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/389-ds-base-2.5.1.tar.bz2
+/jemalloc-5.3.0.tar.bz2
diff --git a/0001-CVE-2024-3657.patch b/0001-CVE-2024-3657.patch
new file mode 100644
index 0000000..dba55ff
--- /dev/null
+++ b/0001-CVE-2024-3657.patch
@@ -0,0 +1,213 @@
+From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001
+From: Pierre Rogier <progier@redhat.com>
+Date: Wed, 17 Apr 2024 18:18:04 +0200
+Subject: [PATCH] CVE-2024-3657
+
+---
+ .../tests/suites/filter/large_filter_test.py | 34 +++++-
+ ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++--------
+ 2 files changed, 92 insertions(+), 53 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
+index 964facae5..5390a0f9c 100644
+--- a/dirsrvtests/tests/suites/filter/large_filter_test.py
++++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
+@@ -13,19 +13,29 @@ verify and testing Filter from a search
+
+ import os
+ import pytest
++import ldap
+
+-from lib389._constants import PW_DM
++from lib389._constants import PW_DM, DEFAULT_SUFFIX, ErrorLog
+ from lib389.topologies import topology_st as topo
+ from lib389.idm.user import UserAccounts, UserAccount
+ from lib389.idm.account import Accounts
+ from lib389.backend import Backends
+ from lib389.idm.domain import Domain
++from lib389.utils import get_ldapurl_from_serverid
+
+ SUFFIX = 'dc=anuj,dc=com'
+
+ pytestmark = pytest.mark.tier1
+
+
++def open_new_ldapi_conn(dsinstance):
++ ldapurl, certdir = get_ldapurl_from_serverid(dsinstance)
++ assert 'ldapi://' in ldapurl
++ conn = ldap.initialize(ldapurl)
++ conn.sasl_interactive_bind_s("", ldap.sasl.external())
++ return conn
++
++
+ @pytest.fixture(scope="module")
+ def _create_entries(request, topo):
+ """
+@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value):
+ assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
+
+
++def test_long_filter_value(topo):
++ """Exercise large eq filter with dn syntax attributes
++
++ :id: b069ef72-fcc3-11ee-981c-482ae39447e5
++ :setup: Standalone
++ :steps:
++ 1. Try to pass filter rules as per the condition.
++ :expectedresults:
++ 1. Pass
++ """
++ inst = topo.standalone
++ conn = open_new_ldapi_conn(inst.serverid)
++ inst.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.TRACE,ErrorLog.SEARCH_FILTER))
++ filter_value = "a\x1Edmin" * 1025
++ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
++ filter_value = "aAdmin" * 1025
++ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
++ filter_value = "*"
++ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
++ inst.config.loglevel(vals=(ErrorLog.DEFAULT,))
++
++
+ if __name__ == '__main__':
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s -v %s" % CURRENT_FILE)
+diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
+index 86bc825fe..bdac0a616 100644
+--- a/ldap/servers/slapd/back-ldbm/index.c
++++ b/ldap/servers/slapd/back-ldbm/index.c
+@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
+ #define INDEX_BUFFER_FLAG_SERIALIZE 1
+ #define INDEX_BUFFER_FLAG_STATS 2
+
++/*
++ * space needed to encode a byte:
++ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
++ * 0x22 and 0x5C requires 2 bytes: \" and \\
++ * other requires 1 byte: c
++ */
++static char encode_size[] = {
++ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
++ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
++ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++};
++
++
+ /* Index buffering functions */
+
+ static int
+@@ -802,65 +828,46 @@ index_add_mods(
+
+ /*
+ * Convert a 'struct berval' into a displayable ASCII string
++ * returns the printable string
+ */
+-
+-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
+-
+ const char *
+ encode(const struct berval *data, char buf[BUFSIZ])
+ {
+- char *s;
+- char *last;
+- if (data == NULL || data->bv_len == 0)
+- return "";
+- last = data->bv_val + data->bv_len - 1;
+- for (s = data->bv_val; s < last; ++s) {
+- if (SPECIAL(*s)) {
+- char *first = data->bv_val;
+- char *bufNext = buf;
+- size_t bufSpace = BUFSIZ - 4;
+- while (1) {
+- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
+- if (bufSpace < (size_t)(s - first))
+- s = first + bufSpace - 1;
+- if (s != first) {
+- memcpy(bufNext, first, s - first);
+- bufNext += (s - first);
+- bufSpace -= (s - first);
+- }
+- do {
+- if (bufSpace) {
+- *bufNext++ = '\\';
+- --bufSpace;
+- }
+- if (bufSpace < 2) {
+- memcpy(bufNext, "..", 2);
+- bufNext += 2;
+- goto bail;
+- }
+- if (*s == '\\' || *s == '"') {
+- *bufNext++ = *s;
+- --bufSpace;
+- } else {
+- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
+- bufNext += 2;
+- bufSpace -= 2;
+- }
+- } while (++s <= last && SPECIAL(*s));
+- if (s > last)
+- break;
+- first = s;
+- while (!SPECIAL(*s) && s <= last)
+- ++s;
+- }
+- bail:
+- *bufNext = '\0';
+- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
++ if (!data || !data->bv_val) {
++ strcpy(buf, "<NULL>");
++ return buf;
++ }
++ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */
++ char *ptout = buf;
++ unsigned char *ptin = (unsigned char*) data->bv_val;
++ unsigned char *endptin = ptin+data->bv_len;
++
++ while (ptin < endptin) {
++ if (ptout >= endbuff) {
++ /*
++ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
++ * truncated anyway. So there is no real interrest to test if the original
++ * data contains no special characters and return it as is.
++ */
++ strcpy(endbuff, "...");
+ return buf;
+ }
++ switch (encode_size[*ptin]) {
++ case 1:
++ *ptout++ = *ptin++;
++ break;
++ case 2:
++ *ptout++ = '\\';
++ *ptout++ = *ptin++;
++ break;
++ case 3:
++ sprintf(ptout, "\\%02x", *ptin++);
++ ptout += 3;
++ break;
++ }
+ }
+- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
+- return data->bv_val;
++ *ptout = 0;
++ return buf;
+ }
+
+ static const char *
+--
+2.44.0
+
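Review bot: In the new `encode()` in index.c the check `if (ptout >= endbuff)` runs before the size of the next output unit is known, so an escape written one or two bytes before `endbuff` is partly overwritten by the `"..."` marker on the next pass and the logged value ends in a dangling backslash or half an escape. The writes stay inside `buf` (the last escape and its NUL end at `BUFSIZ - 2` at worst), so this affects log fidelity rather than memory safety. Testing `if (ptout + encode_size[*ptin] > endbuff)` and then calling `strcpy(ptout, "...")` would truncate on an escape boundary. The table comment should read `0x00-0x1f`, not `0x00-0x31`, because the table does not put 0x20-0x31 in the 3-byte class, and `encode_size` can be declared `static const`.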
diff --git a/0002-CVE-2024-2199.patch b/0002-CVE-2024-2199.patch
new file mode 100644
index 0000000..d980f8c
--- /dev/null
+++ b/0002-CVE-2024-2199.patch
@@ -0,0 +1,108 @@
+From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
+From: James Chapman <jachapma@redhat.com>
+Date: Wed, 1 May 2024 15:01:33 +0100
+Subject: [PATCH] CVE-2024-2199
+
+---
+ .../tests/suites/password/password_test.py | 56 +++++++++++++++++++
+ ldap/servers/slapd/modify.c | 8 ++-
+ 2 files changed, 62 insertions(+), 2 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
+index 1245feb31..e4abd9907 100644
+--- a/dirsrvtests/tests/suites/password/password_test.py
++++ b/dirsrvtests/tests/suites/password/password_test.py
+@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
+ log.info('test_password_delete_specific_password: PASSED')
+
+
++def test_password_modify_non_utf8(topology_st):
++ """Attempt a modify of the userPassword attribute with
++ an invalid non utf8 value
++
++ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
++ :setup: Standalone instance
++ :steps:
++ 1. Add a user if it doesnt exist and set its password
++ 2. Verify password with a bind
++ 3. Modify userPassword attr with invalid value
++ 4. Attempt a bind with invalid password value
++ 5. Verify original password with a bind
++ :expectedresults:
++ 1. The user with userPassword should be added successfully
++ 2. Operation should be successful
++ 3. Server returns ldap.UNWILLING_TO_PERFORM
++ 4. Server returns ldap.INVALID_CREDENTIALS
++ 5. Operation should be successful
++ """
++
++ log.info('Running test_password_modify_non_utf8...')
++
++ # Create user and set password
++ standalone = topology_st.standalone
++ users = UserAccounts(standalone, DEFAULT_SUFFIX)
++ if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
++ user = users.create(properties=TEST_USER_PROPERTIES)
++ else:
++ user = users.get(TEST_USER_PROPERTIES['uid'][0])
++ user.set('userpassword', PASSWORD)
++
++ # Verify password
++ try:
++ user.bind(PASSWORD)
++ except ldap.LDAPError as e:
++ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
++ assert False
++
++ # Modify userPassword with an invalid value
++ password = b'tes\x82t-password' # A non UTF-8 encoded password
++ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
++ user.replace('userpassword', password)
++
++ # Verify a bind fails with invalid pasword
++ with pytest.raises(ldap.INVALID_CREDENTIALS):
++ user.bind(password)
++
++ # Verify we can still bind with original password
++ try:
++ user.bind(PASSWORD)
++ except ldap.LDAPError as e:
++ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
++ assert False
++
++ log.info('test_password_modify_non_utf8: PASSED')
++
+ if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index a20984e0b..fb65d58b3 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+ * flagged - leave mod attributes alone */
+ if (!repl_op && !skip_modified_attrs && lastmod) {
+ modify_update_last_modified_attr(pb, &smods);
++ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
+ }
+
++
+ if (0 == slapi_mods_get_num_mods(&smods)) {
+ /* nothing to do - no mods - this is not an error - just
+ send back LDAP_SUCCESS */
+@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+
+ /* encode password */
+ if (pw_encodevals_ext(pb, sdn, va)) {
+- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
+- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
++ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
++ "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
++ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
++ "check value is utf8 string.\n", 0, NULL);
+ valuearray_free(&va);
+ goto free_and_return;
+ }
+--
+2.41.0
+
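Review bot: The added `slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));` in `op_shared_modify` is the substantive line of this fix, yet it has no comment saying why the pblock must be refreshed at this point. Presumably `modify_update_last_modified_attr()` can grow `smods` and leave the pblock pointing at the previous mods array; if that is the reason, a comment such as `/* smods may have been reallocated above: republish it so later SLAPI_MODIFY_MODS readers do not use a stale array */` would keep the call from being removed as redundant later. The hunk also adds a stray second blank line after the closing brace. `op_shared_modify` begins and ends outside the hunks shown.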
diff --git a/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch b/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
new file mode 100644
index 0000000..061bc56
--- /dev/null
+++ b/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
@@ -0,0 +1,31 @@
+From 6c7047ad75016a7b767d70813a86b9a7b03ea49b Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Wed, 5 Jun 2024 17:24:00 -0700
+Subject: [PATCH] Issue 6188 - Add nsslapd-haproxy-trusted-ip to cn=schema
+ (#6201)
+
+Description: Add HAProxy trusted IP address multi-valued attribute
+to cn=schema in 01core389.ldif
+
+Related: https://github.com/389ds/389-ds-base/issues/6188
+
+Reviewed by: @progier389 (Thanks!)
+---
+ ldap/schema/01core389.ldif | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
+index fad8bc2f9..c98e5b34b 100644
+--- a/ldap/schema/01core389.ldif
++++ b/ldap/schema/01core389.ldif
+@@ -331,6 +331,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2390 NAME 'nsds5ReplicaKeepAliveUpdateIn
+ attributeTypes: ( 2.16.840.1.113730.3.1.2391 NAME 'dsEntryDN' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION SINGLE-VALUE USAGE directoryOperation X-ORIGIN '389 Directory Server' )
+ attributeTypes: ( 2.16.840.1.113730.3.1.2392 NAME 'nsslapd-return-original-entrydn' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
+ attributeTypes: ( 2.16.840.1.113730.3.1.2393 NAME 'nsslapd-auditlog-display-attrs' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
++attributeTypes: ( 2.16.840.1.113730.3.1.2398 NAME 'nsslapd-haproxy-trusted-ip' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN '389 Directory Server' )
+ #
+ # objectclasses
+ #
+--
+2.45.2
+
diff --git a/0004-CVE-2024-5953.patch b/0004-CVE-2024-5953.patch
new file mode 100644
index 0000000..37c2179
--- /dev/null
+++ b/0004-CVE-2024-5953.patch
@@ -0,0 +1,145 @@
+From 52a9ee6556a0467f5134fb6392ff1681a38f3252 Mon Sep 17 00:00:00 2001
+From: Pierre Rogier <progier@redhat.com>
+Date: Fri, 14 Jun 2024 13:27:10 +0200
+Subject: [PATCH] CVE-2024-5953
+
+---
+ .../tests/suites/password/regression_test.py | 51 ++++++++++++++++++-
+ ldap/servers/plugins/pwdstorage/md5_pwd.c | 9 +++-
+ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 6 +++
+ 3 files changed, 64 insertions(+), 2 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
+index 4876ff435..160d6f01d 100644
+--- a/dirsrvtests/tests/suites/password/regression_test.py
++++ b/dirsrvtests/tests/suites/password/regression_test.py
+@@ -8,11 +8,12 @@
+ import pytest
+ import time
+ import glob
++import base64
+ from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
+ from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB, DEFAULT_BENAME
+ from lib389 import Entry
+ from lib389.topologies import topology_m1 as topo_supplier
+-from lib389.idm.user import UserAccounts
++from lib389.idm.user import UserAccounts, UserAccount
+ from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog
+ from lib389.topologies import topology_st as topo
+ from lib389.idm.organizationalunit import OrganizationalUnits
+@@ -40,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
+ TEST_PASSWORDS2 = (
+ 'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
+
++SUPPORTED_SCHEMES = (
++ "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
++ "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}",
++ "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}",
++ "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}",
++ "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" )
++
+ def _check_unhashed_userpw(inst, user_dn, is_present=False):
+ """Check if unhashed#user#password attribute is present or not in the changelog"""
+ unhashed_pwd_attribute = 'unhashed#user#password'
+@@ -319,6 +327,47 @@ def test_unhashed_pw_switch(topo_supplier):
+ # Add debugging steps(if any)...
+ pass
+
++@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES )
++def test_long_hashed_password(topo, create_user, scheme):
++ """Check that hashed password with very long value does not cause trouble
++
++ :id: 252a1f76-114b-11ef-8a7a-482ae39447e5
++ :setup: standalone Instance
++ :parametrized: yes
++ :steps:
++ 1. Add a test user user
++ 2. Set a long password with requested scheme
++ 3. Bind on that user using a wrong password
++ 4. Check that instance is still alive
++ 5. Remove the added user
++ :expectedresults:
++ 1. Success
++ 2. Success
++ 3. Should get ldap.INVALID_CREDENTIALS exception
++ 4. Success
++ 5. Success
++ """
++ inst = topo.standalone
++ inst.simple_bind_s(DN_DM, PASSWORD)
++ users = UserAccounts(inst, DEFAULT_SUFFIX)
++ # Make sure that server is started as this test may crash it
++ inst.start()
++ # Adding Test user (It may already exists if previous test failed)
++ user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com')
++ if not user2.exists():
++ user2 = users.create_test_user(uid=1002, gid=2002)
++ # Setting hashed password
++ passwd = 'A'*4000
++ hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8'))
++ user2.replace('userpassword', hashed_passwd)
++ # Bind on that user using a wrong password
++ with pytest.raises(ldap.INVALID_CREDENTIALS):
++ conn = user2.bind(PASSWORD)
++ # Check that instance is still alive
++ assert inst.status()
++ # Remove the added user
++ user2.delete()
++
+
+ if __name__ == '__main__':
+ # Run isolated
+diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+index 1e2cf58e7..b9a48d5ca 100644
+--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
+ unsigned char hash_out[MD5_HASH_LEN];
+ unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
+ SECItem binary_item;
++ size_t dbpwd_len = strlen(dbpwd);
+
+ ctx = PK11_CreateDigestContext(SEC_OID_MD5);
+ if (ctx == NULL) {
+@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
+ goto loser;
+ }
+
++ if (dbpwd_len >= sizeof b2a_out) {
++ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
++ "The hashed password stored in the user entry is longer than any valid md5 hash");
++ goto loser;
++ }
++
+ /* create the hash */
+ PK11_DigestBegin(ctx);
+ PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
+@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
+ bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
+ /* bver points to b2a_out upon success */
+ if (bver) {
+- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
++ rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len);
+ } else {
+ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+ "Could not base64 encode hashed value for password compare");
+diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+index dcac4fcdd..82b8c9501 100644
+--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
+ passItem.data = (unsigned char *)userpwd;
+ passItem.len = strlen(userpwd);
+
++ if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) {
++ /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */
++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n");
++ return result;
++ }
++
+ /* Decode the DBpwd to bytes from b64 */
+ if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) {
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
+--
+2.44.0
+
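Review bot: The new guard in `md5_pw_cmp` rejects only stored values that are too long (`dbpwd_len >= sizeof b2a_out`), while the comparison stays `slapi_ct_memcmp(bver, dbpwd, dbpwd_len)`, whose length is taken from the stored value alone. If a zero result is treated as a match, as the memcmp-style name suggests, a stored value shorter than the encoded digest is compared on a prefix only. The guard should require the stored length to equal the length of the base64-encoded MD5 digest instead of merely fitting the buffer. The added md5 log message also lacks the trailing `\n` that the pbkdf2 message in the same patch has. Both functions continue outside the hunks.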
diff --git a/0005-CVE-2024-6237.patch b/0005-CVE-2024-6237.patch
new file mode 100644
index 0000000..780cfa8
--- /dev/null
+++ b/0005-CVE-2024-6237.patch
@@ -0,0 +1,25 @@
+From 323f74c69f84a8482413ecd73cf61d09cfc4a0a1 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Mon, 24 Jun 2024 15:51:28 +0200
+Subject: [PATCH] CVE-2024-6237
+
+---
+ ldap/servers/plugins/syntaxes/inchain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
+index df19c973b..0a6a04e9f 100644
+--- a/ldap/servers/plugins/syntaxes/inchain.c
++++ b/ldap/servers/plugins/syntaxes/inchain.c
+@@ -277,7 +277,7 @@ inchain_values2keys(Slapi_PBlock *pb, Slapi_Value **vals, Slapi_Value ***ivals,
+ slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &base_sdn);
+
+ if (! slapi_attr_is_dn_syntax_type(mrTYPE)) {
+- slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n");
++ slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n", mrTYPE);
+ result = (Slapi_Value **)slapi_ch_calloc(1, sizeof(Slapi_Value *));
+ *ivals = result;
+ return(0);
+--
+2.44.0
+
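Review bot: No regression test accompanies the corrected `slapi_log_err` call in `inchain_values2keys`, unlike patches 0001, 0002 and 0004 in this import; a case in `inchain_test.py` that reaches the `! slapi_attr_is_dn_syntax_type(mrTYPE)` branch would pin the fix. A `%s` with no matching argument is the kind of defect `-Wformat` reports when the logging function is declared with a printf format attribute; whether `slapi_log_err` has one is not visible here and is worth confirming. The `index df19c973b..0a6a04e9f` line shows this patch was generated on top of the blob that 0006 produces, so the numbering reverses the upstream order; the hunks do not overlap, so either order should apply, but the patch order in the spec deserves a check. The function body continues outside the hunk.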
diff --git a/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch b/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
new file mode 100644
index 0000000..2486c76
--- /dev/null
+++ b/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
@@ -0,0 +1,88 @@
+From cf6cdd05b7ddab36a0196d614b7a28b4372cf801 Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz@redhat.com>
+Date: Mon, 24 Jun 2024 13:41:35 +0200
+Subject: [PATCH] Issue 6227 - dsconf schema does not show inChain matching
+ rule (#6228)
+
+Bug description:
+ The registered inChain MR does defined any matching rule
+ syntax (mr_syntax).
+ When dsconf reads the matching rules (read_schema_dse)
+ it only reports those which have OID and SYNTAX.
+ As a consequence InChain was not reported.
+
+Fix description:
+ The syntax defines that assersion syntax that is
+ distinguished name. Add this syntax to the register
+ struct
+
+relates: #6227
+
+Reviewed by: Pierre Rogier (Thanks !)
+---
+ .../tests/suites/filter/inchain_test.py | 19 +++++++++++++++++++
+ ldap/servers/plugins/syntaxes/inchain.c | 4 ++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/filter/inchain_test.py b/dirsrvtests/tests/suites/filter/inchain_test.py
+index c650b9374..d1d276edf 100644
+--- a/dirsrvtests/tests/suites/filter/inchain_test.py
++++ b/dirsrvtests/tests/suites/filter/inchain_test.py
+@@ -15,6 +15,7 @@ from lib389._constants import DEFAULT_SUFFIX, PW_DM, PLUGIN_MEMBER_OF
+ from lib389.topologies import topology_st as topo
+ from lib389.plugins import MemberOfPlugin
+
++from lib389.schema import Schema
+ from lib389.idm.user import UserAccount, UserAccounts
+ from lib389.idm.account import Accounts
+ from lib389.idm.account import Anonymous
+@@ -812,6 +813,24 @@ def test_invalid_assertion(topo):
+ memberof = topo.standalone.search_s(DEFAULT_SUFFIX, SCOPE_SUBTREE, "(member:%s:=%s)" % (INCHAIN_OID, user))
+ assert len(memberof) == 0
+
++def test_check_dsconf_matchingrule(topo):
++ """Test that the matching rule 'inchain' is listed by dsconf
++
++ :id: b8dd4049-ccec-4316-bc9c-5aa5c5afcfbd
++ :setup: Standalone Instance
++ :steps:
++ 1. fetch matching rules from the schema
++ 2. Checks that matching rules contains inchaineMatch matching rule
++ :expectedresults:
++ 1. Success
++ 2. Success
++ """
++ schema = Schema(topo.standalone)
++ mrs = [ f"{mr.oid} {mr.names[0]}" for mr in schema.get_matchingrules() if len(mr.names) > 0 ]
++ for mr in mrs:
++ log.info("retrieved matching rules are: %s", mr)
++ assert '1.2.840.113556.1.4.1941 inchainMatch' in mrs
++
+ if __name__ == "__main__":
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s -v %s" % CURRENT_FILE)
+diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
+index 52d0c4994..df19c973b 100644
+--- a/ldap/servers/plugins/syntaxes/inchain.c
++++ b/ldap/servers/plugins/syntaxes/inchain.c
+@@ -38,7 +38,7 @@ static char *names[] = {"inchain", "inchain", LDAP_MATCHING_RULE_IN_CHAIN_OID, 0
+ static Slapi_PluginDesc pdesc = {"inchain-matching-rule", VENDOR, DS_PACKAGE_VERSION,
+ "inchain matching rule plugin"};
+
+-static const char *inchainMatch_names[] = {"inchainMatch", "1.2.840.113556.1.4.1941", NULL};
++static const char *inchainMatch_names[] = {"inchainMatch", LDAP_MATCHING_RULE_IN_CHAIN_OID, NULL};
+
+ static struct mr_plugin_def mr_plugin_table[] = {
+ {
+@@ -64,7 +64,7 @@ static struct mr_plugin_def mr_plugin_table[] = {
+ "the AVA comparisons evaluate to Undefined and the remaining AVA "
+ "comparisons return TRUE then the distinguishedNameMatch rule "
+ "evaluates to Undefined.",
+- NULL,
++ DN_SYNTAX_OID,
+ 0,
+ NULL /* dn only for now */
+ }, /* matching rule desc */
+--
+2.45.2
+
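Review bot: The docstring of `test_check_dsconf_matchingrule` names the rule `inchaineMatch`, while the assertion and the C table use `inchainMatch`; the step text should match the identifier. The `log.info("retrieved matching rules are: %s", mr)` call sits inside the loop and logs one rule per line under a plural label; a single `log.info("retrieved matching rules: %s", mrs)` would read better. In the embedded commit message, "does defined any matching rule syntax" presumably means "does not define".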
diff --git a/389-ds-base-devel.README b/389-ds-base-devel.README
new file mode 100644
index 0000000..190c874
--- /dev/null
+++ b/389-ds-base-devel.README
@@ -0,0 +1,4 @@
+For detailed information on developing plugins for
+389 Directory Server visit.
+
+http://port389/wiki/Plugins
diff --git a/389-ds-base-git.sh b/389-ds-base-git.sh
new file mode 100644
index 0000000..0043901
--- /dev/null
+++ b/389-ds-base-git.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+DATE=`date +%Y%m%d`
+# use a real tag name here
+VERSION=1.3.5.14
+PKGNAME=389-ds-base
+TAG=${TAG:-$PKGNAME-$VERSION}
+URL="https://git.fedorahosted.org/git/?p=389/ds.git;a=snapshot;h=$TAG;sf=tgz"
+SRCNAME=$PKGNAME-$VERSION
+
+wget -O $SRCNAME.tar.gz "$URL"
+
+echo convert tgz format to tar.bz2 format
+
+gunzip $PKGNAME-$VERSION.tar.gz
+bzip2 $PKGNAME-$VERSION.tar
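Review bot: `VERSION=1.3.5.14` does not match the `Version: 2.5.1` in the spec or the `389-ds-base-2.5.1.tar.bz2` entry in `.gitignore` added by the same commit, so running this script would fetch a different release than the one being packaged. The download is also consumed without an integrity check and without `set -e`, so a failed or truncated `wget` still flows into `gunzip` and `bzip2`; adding `set -euo pipefail` at the top and comparing the archive against a published checksum before repacking would close that gap. The expansions of `$SRCNAME`, `$PKGNAME` and `$VERSION` should be quoted.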
diff --git a/389-ds-base.spec b/389-ds-base.spec
new file mode 100644
index 0000000..6a60120
--- /dev/null
+++ b/389-ds-base.spec
@@ -0,0 +1,1023 @@
+
+%global pkgname dirsrv
+%global srcname 389-ds-base
+
+# Exclude i686 bit arches
+ExcludeArch: i686
+
+# If perl-Socket-2.000 or newer is available, set 0 to use_Socket6.
+%global use_Socket6 0
+
+%global use_asan 0
+%global use_rust 1
+%global bundle_jemalloc 1
+%if %{use_asan}
+%global bundle_jemalloc 0
+%endif
+
+%if %{bundle_jemalloc}
+%global jemalloc_name jemalloc
+%global jemalloc_ver 5.3.0
+%global __provides_exclude ^libjemalloc\\.so.*$
+%endif
+
+# Use Clang instead of GCC
+%global use_clang 0
+
+# Build cockpit plugin
+%global use_cockpit 0
+
+# fedora 15 and later uses tmpfiles.d
+# otherwise, comment this out
+%{!?with_tmpfiles_d: %global with_tmpfiles_d %{_sysconfdir}/tmpfiles.d}
+
+# systemd support
+%global groupname %{pkgname}.target
+
+# set PIE flag
+%global _hardened_build 1
+
+# Filter argparse-manpage from autogenerated package Requires
+%global __requires_exclude ^python.*argparse-manpage
+
+# Force to require nss version greater or equal as the version available at the build time
+# See bz1986327
+%define dirsrv_requires_ge() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
+
+Summary: 389 Directory Server (base)
+Name: 389-ds-base
+Version: 2.5.1
+Release: 2%{?dist}
+License: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
+URL: https://www.port389.org
+Conflicts: selinux-policy-base < 3.9.8
+Conflicts: freeipa-server < 4.0.3
+Obsoletes: %{name} <= 1.4.0.9
+Obsoletes: %{name}-legacy-tools < 1.4.4.6
+Obsoletes: %{name}-legacy-tools-debuginfo < 1.4.4.6
+Provides: ldif2ldbm >= 0
+
+##### Bundled cargo crates list - START #####
+Provides: bundled(crate(addr2line)) = 0.21.0
+Provides: bundled(crate(adler)) = 1.0.2
+Provides: bundled(crate(ahash)) = 0.7.8
+Provides: bundled(crate(atty)) = 0.2.14
+Provides: bundled(crate(autocfg)) = 1.3.0
+Provides: bundled(crate(backtrace)) = 0.3.71
+Provides: bundled(crate(base64)) = 0.13.1
+Provides: bundled(crate(bitflags)) = 2.5.0
+Provides: bundled(crate(byteorder)) = 1.5.0
+Provides: bundled(crate(cbindgen)) = 0.26.0
+Provides: bundled(crate(cc)) = 1.0.97
+Provides: bundled(crate(cfg-if)) = 1.0.0
+Provides: bundled(crate(clap)) = 3.2.25
+Provides: bundled(crate(clap_lex)) = 0.2.4
+Provides: bundled(crate(concread)) = 0.2.21
+Provides: bundled(crate(crossbeam)) = 0.8.4
+Provides: bundled(crate(crossbeam-channel)) = 0.5.12
+Provides: bundled(crate(crossbeam-deque)) = 0.8.5
+Provides: bundled(crate(crossbeam-epoch)) = 0.9.18
+Provides: bundled(crate(crossbeam-queue)) = 0.3.11
+Provides: bundled(crate(crossbeam-utils)) = 0.8.19
+Provides: bundled(crate(errno)) = 0.3.8
+Provides: bundled(crate(fastrand)) = 2.1.0
+Provides: bundled(crate(fernet)) = 0.1.4
+Provides: bundled(crate(foreign-types)) = 0.3.2
+Provides: bundled(crate(foreign-types-shared)) = 0.1.1
+Provides: bundled(crate(getrandom)) = 0.2.15
+Provides: bundled(crate(gimli)) = 0.28.1
+Provides: bundled(crate(hashbrown)) = 0.12.3
+Provides: bundled(crate(heck)) = 0.4.1
+Provides: bundled(crate(hermit-abi)) = 0.1.19
+Provides: bundled(crate(indexmap)) = 1.9.3
+Provides: bundled(crate(instant)) = 0.1.12
+Provides: bundled(crate(itoa)) = 1.0.11
+Provides: bundled(crate(jobserver)) = 0.1.31
+Provides: bundled(crate(libc)) = 0.2.154
+Provides: bundled(crate(linux-raw-sys)) = 0.4.13
+Provides: bundled(crate(lock_api)) = 0.4.12
+Provides: bundled(crate(log)) = 0.4.21
+Provides: bundled(crate(lru)) = 0.7.8
+Provides: bundled(crate(memchr)) = 2.7.2
+Provides: bundled(crate(miniz_oxide)) = 0.7.2
+Provides: bundled(crate(object)) = 0.32.2
+Provides: bundled(crate(once_cell)) = 1.19.0
+Provides: bundled(crate(openssl)) = 0.10.64
+Provides: bundled(crate(openssl-macros)) = 0.1.1
+Provides: bundled(crate(openssl-sys)) = 0.9.102
+Provides: bundled(crate(os_str_bytes)) = 6.6.1
+Provides: bundled(crate(parking_lot)) = 0.11.2
+Provides: bundled(crate(parking_lot_core)) = 0.8.6
+Provides: bundled(crate(paste)) = 0.1.18
+Provides: bundled(crate(paste-impl)) = 0.1.18
+Provides: bundled(crate(pin-project-lite)) = 0.2.14
+Provides: bundled(crate(pkg-config)) = 0.3.30
+Provides: bundled(crate(ppv-lite86)) = 0.2.17
+Provides: bundled(crate(proc-macro-hack)) = 0.5.20+deprecated
+Provides: bundled(crate(proc-macro2)) = 1.0.82
+Provides: bundled(crate(quote)) = 1.0.36
+Provides: bundled(crate(rand)) = 0.8.5
+Provides: bundled(crate(rand_chacha)) = 0.3.1
+Provides: bundled(crate(rand_core)) = 0.6.4
+Provides: bundled(crate(redox_syscall)) = 0.2.16
+Provides: bundled(crate(rustc-demangle)) = 0.1.24
+Provides: bundled(crate(rustix)) = 0.38.34
+Provides: bundled(crate(ryu)) = 1.0.18
+Provides: bundled(crate(scopeguard)) = 1.2.0
+Provides: bundled(crate(serde)) = 1.0.201
+Provides: bundled(crate(serde_derive)) = 1.0.201
+Provides: bundled(crate(serde_json)) = 1.0.117
+Provides: bundled(crate(smallvec)) = 1.13.2
+Provides: bundled(crate(strsim)) = 0.10.0
+Provides: bundled(crate(syn)) = 2.0.61
+Provides: bundled(crate(tempfile)) = 3.10.1
+Provides: bundled(crate(termcolor)) = 1.4.1
+Provides: bundled(crate(textwrap)) = 0.16.1
+Provides: bundled(crate(tokio)) = 1.37.0
+Provides: bundled(crate(tokio-macros)) = 2.2.0
+Provides: bundled(crate(toml)) = 0.5.11
+Provides: bundled(crate(unicode-ident)) = 1.0.12
+Provides: bundled(crate(uuid)) = 0.8.2
+Provides: bundled(crate(vcpkg)) = 0.2.15
+Provides: bundled(crate(version_check)) = 0.9.4
+Provides: bundled(crate(wasi)) = 0.11.0+wasi_snapshot_preview1
+Provides: bundled(crate(winapi)) = 0.3.9
+Provides: bundled(crate(winapi-i686-pc-windows-gnu)) = 0.4.0
+Provides: bundled(crate(winapi-util)) = 0.1.8
+Provides: bundled(crate(winapi-x86_64-pc-windows-gnu)) = 0.4.0
+Provides: bundled(crate(windows-sys)) = 0.52.0
+Provides: bundled(crate(windows-targets)) = 0.52.5
+Provides: bundled(crate(windows_aarch64_gnullvm)) = 0.52.5
+Provides: bundled(crate(windows_aarch64_msvc)) = 0.52.5
+Provides: bundled(crate(windows_i686_gnu)) = 0.52.5
+Provides: bundled(crate(windows_i686_gnullvm)) = 0.52.5
+Provides: bundled(crate(windows_i686_msvc)) = 0.52.5
+Provides: bundled(crate(windows_x86_64_gnu)) = 0.52.5
+Provides: bundled(crate(windows_x86_64_gnullvm)) = 0.52.5
+Provides: bundled(crate(windows_x86_64_msvc)) = 0.52.5
+Provides: bundled(crate(zeroize)) = 1.7.0
+Provides: bundled(crate(zeroize_derive)) = 1.4.2
+Provides: bundled(npm(@aashutoshrathi/word-wrap)) = 1.2.6
+Provides: bundled(npm(@eslint-community/eslint-utils)) = 4.4.0
+Provides: bundled(npm(@eslint-community/regexpp)) = 4.5.1
+Provides: bundled(npm(@eslint/eslintrc)) = 2.0.3
+Provides: bundled(npm(@eslint/js)) = 8.42.0
+Provides: bundled(npm(@fortawesome/fontawesome-common-types)) = 0.2.36
+Provides: bundled(npm(@fortawesome/fontawesome-svg-core)) = 1.2.36
+Provides: bundled(npm(@fortawesome/free-solid-svg-icons)) = 5.15.4
+Provides: bundled(npm(@fortawesome/react-fontawesome)) = 0.1.19
+Provides: bundled(npm(@humanwhocodes/config-array)) = 0.11.10
+Provides: bundled(npm(@humanwhocodes/module-importer)) = 1.0.1
+Provides: bundled(npm(@humanwhocodes/object-schema)) = 1.2.1
+Provides: bundled(npm(@nodelib/fs.scandir)) = 2.1.5
+Provides: bundled(npm(@nodelib/fs.stat)) = 2.0.5
+Provides: bundled(npm(@nodelib/fs.walk)) = 1.2.8
+Provides: bundled(npm(@patternfly/patternfly)) = 4.224.2
+Provides: bundled(npm(@patternfly/react-charts)) = 6.94.19
+Provides: bundled(npm(@patternfly/react-core)) = 4.276.8
+Provides: bundled(npm(@patternfly/react-icons)) = 4.93.6
+Provides: bundled(npm(@patternfly/react-styles)) = 4.92.6
+Provides: bundled(npm(@patternfly/react-table)) = 4.113.0
+Provides: bundled(npm(@patternfly/react-tokens)) = 4.94.6
+Provides: bundled(npm(@types/d3-array)) = 3.0.5
+Provides: bundled(npm(@types/d3-color)) = 3.1.0
+Provides: bundled(npm(@types/d3-ease)) = 3.0.0
+Provides: bundled(npm(@types/d3-interpolate)) = 3.0.1
+Provides: bundled(npm(@types/d3-path)) = 3.0.0
+Provides: bundled(npm(@types/d3-scale)) = 4.0.3
+Provides: bundled(npm(@types/d3-shape)) = 3.1.1
+Provides: bundled(npm(@types/d3-time)) = 3.0.0
+Provides: bundled(npm(@types/d3-timer)) = 3.0.0
+Provides: bundled(npm(acorn)) = 8.8.2
+Provides: bundled(npm(acorn-jsx)) = 5.3.2
+Provides: bundled(npm(ajv)) = 6.12.6
+Provides: bundled(npm(ansi-regex)) = 5.0.1
+Provides: bundled(npm(ansi-styles)) = 4.3.0
+Provides: bundled(npm(argparse)) = 2.0.1
+Provides: bundled(npm(attr-accept)) = 1.1.3
+Provides: bundled(npm(balanced-match)) = 1.0.2
+Provides: bundled(npm(brace-expansion)) = 1.1.11
+Provides: bundled(npm(callsites)) = 3.1.0
+Provides: bundled(npm(chalk)) = 4.1.2
+Provides: bundled(npm(color-convert)) = 2.0.1
+Provides: bundled(npm(color-name)) = 1.1.4
+Provides: bundled(npm(concat-map)) = 0.0.1
+Provides: bundled(npm(core-js)) = 2.6.12
+Provides: bundled(npm(cross-spawn)) = 7.0.3
+Provides: bundled(npm(d3-array)) = 3.2.4
+Provides: bundled(npm(d3-color)) = 3.1.0
+Provides: bundled(npm(d3-ease)) = 3.0.1
+Provides: bundled(npm(d3-format)) = 3.1.0
+Provides: bundled(npm(d3-interpolate)) = 3.0.1
+Provides: bundled(npm(d3-path)) = 3.1.0
+Provides: bundled(npm(d3-scale)) = 4.0.2
+Provides: bundled(npm(d3-shape)) = 3.2.0
+Provides: bundled(npm(d3-time)) = 3.1.0
+Provides: bundled(npm(d3-time-format)) = 4.1.0
+Provides: bundled(npm(d3-timer)) = 3.0.1
+Provides: bundled(npm(debug)) = 4.3.4
+Provides: bundled(npm(deep-is)) = 0.1.4
+Provides: bundled(npm(delaunator)) = 4.0.1
+Provides: bundled(npm(delaunay-find)) = 0.0.6
+Provides: bundled(npm(doctrine)) = 3.0.0
+Provides: bundled(npm(encoding)) = 0.1.13
+Provides: bundled(npm(escape-string-regexp)) = 4.0.0
+Provides: bundled(npm(eslint)) = 8.42.0
+Provides: bundled(npm(eslint-plugin-react-hooks)) = 4.6.0
+Provides: bundled(npm(eslint-scope)) = 7.2.0
+Provides: bundled(npm(eslint-visitor-keys)) = 3.4.1
+Provides: bundled(npm(espree)) = 9.5.2
+Provides: bundled(npm(esquery)) = 1.5.0
+Provides: bundled(npm(esrecurse)) = 4.3.0
+Provides: bundled(npm(estraverse)) = 5.3.0
+Provides: bundled(npm(esutils)) = 2.0.3
+Provides: bundled(npm(fast-deep-equal)) = 3.1.3
+Provides: bundled(npm(fast-json-stable-stringify)) = 2.1.0
+Provides: bundled(npm(fast-levenshtein)) = 2.0.6
+Provides: bundled(npm(fastq)) = 1.15.0
+Provides: bundled(npm(file-entry-cache)) = 6.0.1
+Provides: bundled(npm(file-selector)) = 0.1.19
+Provides: bundled(npm(find-up)) = 5.0.0
+Provides: bundled(npm(flat-cache)) = 3.0.4
+Provides: bundled(npm(flatted)) = 3.2.7
+Provides: bundled(npm(focus-trap)) = 6.9.2
+Provides: bundled(npm(fs.realpath)) = 1.0.0
+Provides: bundled(npm(gettext-parser)) = 2.0.0
+Provides: bundled(npm(glob)) = 7.2.3
+Provides: bundled(npm(glob-parent)) = 6.0.2
+Provides: bundled(npm(globals)) = 13.20.0
+Provides: bundled(npm(graphemer)) = 1.4.0
+Provides: bundled(npm(has-flag)) = 4.0.0
+Provides: bundled(npm(hoist-non-react-statics)) = 3.3.2
+Provides: bundled(npm(iconv-lite)) = 0.6.3
+Provides: bundled(npm(ignore)) = 5.2.4
+Provides: bundled(npm(import-fresh)) = 3.3.0
+Provides: bundled(npm(imurmurhash)) = 0.1.4
+Provides: bundled(npm(inflight)) = 1.0.6
+Provides: bundled(npm(inherits)) = 2.0.4
+Provides: bundled(npm(internmap)) = 2.0.3
+Provides: bundled(npm(is-extglob)) = 2.1.1
+Provides: bundled(npm(is-glob)) = 4.0.3
+Provides: bundled(npm(is-path-inside)) = 3.0.3
+Provides: bundled(npm(isexe)) = 2.0.0
+Provides: bundled(npm(js-tokens)) = 4.0.0
+Provides: bundled(npm(js-yaml)) = 4.1.0
+Provides: bundled(npm(json-schema-traverse)) = 0.4.1
+Provides: bundled(npm(json-stable-stringify-without-jsonify)) = 1.0.1
+Provides: bundled(npm(json-stringify-safe)) = 5.0.1
+Provides: bundled(npm(levn)) = 0.4.1
+Provides: bundled(npm(locate-path)) = 6.0.0
+Provides: bundled(npm(lodash)) = 4.17.21
+Provides: bundled(npm(lodash.merge)) = 4.6.2
+Provides: bundled(npm(loose-envify)) = 1.4.0
+Provides: bundled(npm(minimatch)) = 3.1.2
+Provides: bundled(npm(ms)) = 2.1.2
+Provides: bundled(npm(natural-compare)) = 1.4.0
+Provides: bundled(npm(object-assign)) = 4.1.1
+Provides: bundled(npm(once)) = 1.4.0
+Provides: bundled(npm(optionator)) = 0.9.3
+Provides: bundled(npm(p-limit)) = 3.1.0
+Provides: bundled(npm(p-locate)) = 5.0.0
+Provides: bundled(npm(parent-module)) = 1.0.1
+Provides: bundled(npm(path-exists)) = 4.0.0
+Provides: bundled(npm(path-is-absolute)) = 1.0.1
+Provides: bundled(npm(path-key)) = 3.1.1
+Provides: bundled(npm(popper.js)) = 1.16.1
+Provides: bundled(npm(prelude-ls)) = 1.2.1
+Provides: bundled(npm(prop-types)) = 15.8.1
+Provides: bundled(npm(prop-types-extra)) = 1.1.1
+Provides: bundled(npm(punycode)) = 2.3.0
+Provides: bundled(npm(queue-microtask)) = 1.2.3
+Provides: bundled(npm(react)) = 17.0.2
+Provides: bundled(npm(react-dom)) = 17.0.2
+Provides: bundled(npm(react-dropzone)) = 9.0.0
+Provides: bundled(npm(react-fast-compare)) = 3.2.2
+Provides: bundled(npm(react-is)) = 16.13.1
+Provides: bundled(npm(resolve-from)) = 4.0.0
+Provides: bundled(npm(reusify)) = 1.0.4
+Provides: bundled(npm(rimraf)) = 3.0.2
+Provides: bundled(npm(run-parallel)) = 1.2.0
+Provides: bundled(npm(safe-buffer)) = 5.2.1
+Provides: bundled(npm(safer-buffer)) = 2.1.2
+Provides: bundled(npm(scheduler)) = 0.20.2
+Provides: bundled(npm(shebang-command)) = 2.0.0
+Provides: bundled(npm(shebang-regex)) = 3.0.0
+Provides: bundled(npm(strip-ansi)) = 6.0.1
+Provides: bundled(npm(strip-json-comments)) = 3.1.1
+Provides: bundled(npm(supports-color)) = 7.2.0
+Provides: bundled(npm(tabbable)) = 5.3.3
+Provides: bundled(npm(text-table)) = 0.2.0
+Provides: bundled(npm(tippy.js)) = 5.1.2
+Provides: bundled(npm(tslib)) = 2.5.3
+Provides: bundled(npm(type-check)) = 0.4.0
+Provides: bundled(npm(type-fest)) = 0.20.2
+Provides: bundled(npm(uri-js)) = 4.4.1
+Provides: bundled(npm(victory-area)) = 36.6.10
+Provides: bundled(npm(victory-axis)) = 36.6.10
+Provides: bundled(npm(victory-bar)) = 36.6.10
+Provides: bundled(npm(victory-brush-container)) = 36.6.10
+Provides: bundled(npm(victory-chart)) = 36.6.10
+Provides: bundled(npm(victory-core)) = 36.6.10
+Provides: bundled(npm(victory-create-container)) = 36.6.10
+Provides: bundled(npm(victory-cursor-container)) = 36.6.10
+Provides: bundled(npm(victory-group)) = 36.6.10
+Provides: bundled(npm(victory-legend)) = 36.6.10
+Provides: bundled(npm(victory-line)) = 36.6.10
+Provides: bundled(npm(victory-pie)) = 36.6.10
+Provides: bundled(npm(victory-polar-axis)) = 36.6.10
+Provides: bundled(npm(victory-scatter)) = 36.6.10
+Provides: bundled(npm(victory-selection-container)) = 36.6.10
+Provides: bundled(npm(victory-shared-events)) = 36.6.10
+Provides: bundled(npm(victory-stack)) = 36.6.10
+Provides: bundled(npm(victory-tooltip)) = 36.6.10
+Provides: bundled(npm(victory-vendor)) = 36.6.10
+Provides: bundled(npm(victory-voronoi-container)) = 36.6.10
+Provides: bundled(npm(victory-zoom-container)) = 36.6.10
+Provides: bundled(npm(warning)) = 4.0.3
+Provides: bundled(npm(which)) = 2.0.2
+Provides: bundled(npm(wrappy)) = 1.0.2
+Provides: bundled(npm(yocto-queue)) = 0.1.0
+##### Bundled cargo crates list - END #####
+
+BuildRequires: nspr-devel >= 4.32
+BuildRequires: nss-devel >= 3.67.0-7
+
+BuildRequires: openldap-devel
+BuildRequires: lmdb-devel
+BuildRequires: libdb-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: icu
+BuildRequires: libicu-devel
+BuildRequires: pcre-devel
+BuildRequires: cracklib-devel
+BuildRequires: json-c-devel
+%if %{use_clang}
+BuildRequires: libatomic
+BuildRequires: clang
+%else
+BuildRequires: gcc
+BuildRequires: gcc-c++
+%endif
+# The following are needed to build the snmp ldap-agent
+BuildRequires: net-snmp-devel
+BuildRequires: lm_sensors-devel
+BuildRequires: bzip2-devel
+BuildRequires: zlib-devel
+BuildRequires: openssl-devel
+# the following is for the pam passthru auth plug-in
+BuildRequires: pam-devel
+BuildRequires: systemd-units
+BuildRequires: systemd-devel
+BuildRequires: systemd-rpm-macros
+%{?sysusers_requires_compat}
+%if %{use_asan}
+BuildRequires: libasan
+%endif
+# If rust is enabled
+%if %{use_rust}
+BuildRequires: cargo
+BuildRequires: rust
+%endif
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(systemd)
+BuildRequires: pkgconfig(krb5)
+
+# Needed to support regeneration of the autotool artifacts.
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+# For our documentation
+BuildRequires: doxygen
+# For tests!
+BuildRequires: libcmocka-devel
+BuildRequires: libevent-devel
+# For lib389 and related components
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-ldap
+BuildRequires: python%{python3_pkgversion}-six
+BuildRequires: python%{python3_pkgversion}-pyasn1
+BuildRequires: python%{python3_pkgversion}-pyasn1-modules
+BuildRequires: python%{python3_pkgversion}-dateutil
+BuildRequires: python%{python3_pkgversion}-argcomplete
+BuildRequires: python%{python3_pkgversion}-argparse-manpage
+BuildRequires: python%{python3_pkgversion}-libselinux
+BuildRequires: python%{python3_pkgversion}-policycoreutils
+BuildRequires: python%{python3_pkgversion}-cryptography
+
+# For cockpit
+%if %{use_cockpit}
+BuildRequires: rsync
+%endif
+
+Requires: %{name}-libs = %{version}-%{release}
+Requires: python%{python3_pkgversion}-lib389 = %{version}-%{release}
+Requires: lmdb-libs
+
+# this is needed for using semanage from our setup scripts
+Requires: policycoreutils-python-utils
+Requires: /usr/sbin/semanage
+Requires: libsemanage-python%{python3_pkgversion}
+Requires: selinux-policy >= 3.14.1-29
+
+# the following are needed for some of our scripts
+Requires: openldap-clients
+Requires: /usr/bin/c_rehash
+Requires: python%{python3_pkgversion}-ldap
+Requires: acl
+Requires: zlib
+Requires: json-c
+
+# this is needed to setup SSL if you are not using the
+# administration server package
+Requires: nspr >= 4.32
+Requires: nss >= 3.67.0-7
+Requires: nss-tools
+%dirsrv_requires_ge nss
+
+# these are not found by the auto-dependency method
+# they are required to support the mandatory LDAP SASL mechs
+Requires: cyrus-sasl-gssapi
+Requires: cyrus-sasl-md5
+Requires: cyrus-sasl-plain
+
+# this is needed for verify-db.pl
+Requires: libdb-utils
+
+# Needed for password dictionary checks
+Requires: cracklib-dicts
+
+# Needed by logconv.pl
+Requires: perl-DB_File
+Requires: perl-Archive-Tar
+Requires: perl-debugger
+Requires: perl-sigtrap
+
+# Picks up our systemd deps.
+%{?systemd_requires}
+
+Obsoletes: %{name} <= 1.3.5.4
+
+Source0: https://releases.pagure.org/389-ds-base/%{name}-%{version}.tar.bz2
+# 389-ds-git.sh should be used to generate the source tarball from git
+Source1: %{name}-git.sh
+Source2: %{name}-devel.README
+%if %{bundle_jemalloc}
+Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
+%endif
+Source4: 389-ds-base.sysusers
+Patch01: 0001-CVE-2024-3657.patch
+Patch02: 0002-CVE-2024-2199.patch
+Patch03: 0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
+Patch04: 0004-CVE-2024-5953.patch
+Patch05: 0005-CVE-2024-6237.patch
+Patch06: 0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
+
+
+%description
+389 Directory Server is an LDAPv3 compliant server. The base package includes
+the LDAP server and command line utilities for server administration.
+%if %{use_asan}
+WARNING! This build is linked to Address Sanitisation libraries. This probably
+isn't what you want. Please contact support immediately.
+Please see http://seclists.org/oss-sec/2016/q1/363 for more information.
+%endif
+
+%package libs
+Summary: Core libraries for 389 Directory Server
+BuildRequires: nspr >= 4.32
+BuildRequires: nss >= 3.67.0-7
+BuildRequires: openldap-devel
+BuildRequires: libdb-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: libicu-devel
+BuildRequires: pcre-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libevent-devel
+BuildRequires: libtevent-devel
+Requires: krb5-libs
+Requires: libevent
+BuildRequires: systemd-devel
+BuildRequires: make
+Provides: svrcore = 4.1.4
+Conflicts: svrcore
+Obsoletes: svrcore <= 4.1.3
+
+%description libs
+Core libraries for the 389 Directory Server base package. These libraries
+are used by the main package and the -devel package. This allows the -devel
+package to be installed with just the -libs package and without the main package.
+
+%package devel
+Summary: Development libraries for 389 Directory Server
+Requires: %{name}-libs = %{version}-%{release}
+Requires: pkgconfig
+Requires: nspr-devel
+Requires: nss-devel >= 3.34
+Requires: openldap-devel
+Requires: libtalloc
+Requires: libevent
+Requires: libtevent
+Requires: systemd-libs
+Provides: svrcore-devel = 4.1.4
+Conflicts: svrcore-devel
+Obsoletes: svrcore-devel <= 4.1.3
+
+%description devel
+Development Libraries and headers for the 389 Directory Server base package.
+
+%package snmp
+Summary: SNMP Agent for 389 Directory Server
+Requires: %{name} = %{version}-%{release}
+
+Obsoletes: %{name} <= 1.4.0.0
+
+%description snmp
+SNMP Agent for the 389 Directory Server base package.
+
+%package -n python%{python3_pkgversion}-lib389
+Summary: A library for accessing, testing, and configuring the 389 Directory Server
+BuildArch: noarch
+Requires: openssl
+Requires: iproute
+Requires: 389-ds-base
+Recommends: bash-completion
+Requires: python%{python3_pkgversion}
+Requires: python%{python3_pkgversion}-distro
+Requires: python%{python3_pkgversion}-ldap
+Requires: python%{python3_pkgversion}-six
+Requires: python%{python3_pkgversion}-pyasn1
+Requires: python%{python3_pkgversion}-pyasn1-modules
+Requires: python%{python3_pkgversion}-dateutil
+Requires: python%{python3_pkgversion}-argcomplete
+Requires: python%{python3_pkgversion}-libselinux
+Requires: python%{python3_pkgversion}-setuptools
+Requires: python%{python3_pkgversion}-cryptography
+%{?python_provide:%python_provide python%{python3_pkgversion}-lib389}
+
+%description -n python%{python3_pkgversion}-lib389
+This module contains tools and libraries for accessing, testing,
+ and configuring the 389 Directory Server.
+
+%if %{use_cockpit}
+%package -n cockpit-389-ds
+Summary: Cockpit UI Plugin for configuring and administering the 389 Directory Server
+BuildArch: noarch
+Requires: cockpit
+Requires: 389-ds-base
+Requires: python%{python3_pkgversion}
+Requires: python%{python3_pkgversion}-lib389
+
+%description -n cockpit-389-ds
+A cockpit UI Plugin for configuring and administering the 389 Directory Server
+%endif
+
+%prep
+
+%autosetup -p1 -v -n %{name}-%{version}
+%if %{bundle_jemalloc}
+%setup -q -n %{name}-%{version} -T -D -b 3
+%endif
+
+cp %{SOURCE2} README.devel
+
+# The configure macro will modify some autoconf-related files, which upsets
+# cargo when it tries to verify checksums in those files. If we just truncate
+# that file list, cargo won't have anything to complain about.
+find vendor -name .cargo-checksum.json \
+ -exec sed -i.uncheck -e 's/"files":{[^}]*}/"files":{ }/' '{}' '+'
+
+%build
+
+OPENLDAP_FLAG="--with-openldap"
+%{?with_tmpfiles_d: TMPFILES_FLAG="--with-tmpfiles-d=%{with_tmpfiles_d}"}
+# hack hack hack https://bugzilla.redhat.com/show_bug.cgi?id=833529
+NSSARGS="--with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss3"
+
+%if %{use_asan}
+ASAN_FLAGS="--enable-asan --enable-debug"
+%endif
+
+%if %{use_rust}
+RUST_FLAGS="--enable-rust --enable-rust-offline"
+%endif
+
+%if !%{use_cockpit}
+COCKPIT_FLAGS="--disable-cockpit"
+%endif
+
+%if %{use_clang}
+export CC=clang
+export CXX=clang++
+CLANG_FLAGS="--enable-clang"
+%endif
+
+%if %{bundle_jemalloc}
+# Override page size, bz #1545539
+# 4K
+%ifarch %ix86 %arm x86_64 s390x
+%define lg_page --with-lg-page=12
+%endif
+
+# 64K
+%ifarch ppc64 ppc64le aarch64
+%define lg_page --with-lg-page=16
+%endif
+
+# Override huge page size on aarch64
+# 2M instead of 512M
+%ifarch aarch64
+%define lg_hugepage --with-lg-hugepage=21
+%endif
+
+# Build jemalloc
+pushd ../%{jemalloc_name}-%{jemalloc_ver}
+%configure \
+ --libdir=%{_libdir}/%{pkgname}/lib \
+ --bindir=%{_libdir}/%{pkgname}/bin \
+ --enable-prof
+make %{?_smp_mflags}
+popd
+%endif
+
+# Enforce strict linking
+%define _ld_strict_symbol_defs 1
+
+# Rebuild the autotool artifacts now.
+autoreconf -fiv
+
+%configure --enable-autobind --with-selinux $TMPFILES_FLAG \
+ --with-systemd \
+ --with-systemdsystemunitdir=%{_unitdir} \
+ --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \
+ --with-systemdgroupname=%{groupname} \
+ --libexecdir=%{_libexecdir}/%{pkgname} \
+ $NSSARGS $ASAN_FLAGS $RUST_FLAGS $CLANG_FLAGS $COCKPIT_FLAGS \
+ --enable-cmocka --enable-new-dtags --with-libldap-r=no
+
+
+# lib389
+make src/lib389/setup.py
+pushd ./src/lib389
+%py3_build
+popd
+# argparse-manpage dynamic man pages have hardcoded man v1 in header,
+# need to change it to v8
+sed -i "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dsconf.8
+sed -i "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dsctl.8
+sed -i "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dsidm.8
+sed -i "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dscreate.8
+
+# Generate symbolic info for debuggers
+export XCFLAGS=$RPM_OPT_FLAGS
+
+#make %{?_smp_mflags}
+make
+
+%install
+
+mkdir -p %{buildroot}%{_datadir}/gdb/auto-load%{_sbindir}
+%if %{use_cockpit}
+mkdir -p %{buildroot}%{_datadir}/cockpit
+%endif
+make DESTDIR="$RPM_BUILD_ROOT" install
+
+%if %{use_cockpit}
+find %{buildroot}%{_datadir}/cockpit/389-console -type d | sed -e "s@%{buildroot}@@" | sed -e 's/^/\%dir /' > cockpit.list
+find %{buildroot}%{_datadir}/cockpit/389-console -type f | sed -e "s@%{buildroot}@@" >> cockpit.list
+%endif
+
+# Copy in our docs from doxygen.
+cp -r %{_builddir}/%{name}-%{version}/man/man3 $RPM_BUILD_ROOT/%{_mandir}/man3
+
+# lib389
+pushd src/lib389
+%py3_install
+popd
+
+mkdir -p $RPM_BUILD_ROOT/var/log/%{pkgname}
+mkdir -p $RPM_BUILD_ROOT/var/lib/%{pkgname}
+mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname}
+
+# for systemd
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/%{groupname}.wants
+install -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/389-ds-base.conf
+
+# remove libtool archives and static libs
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.la
+
+%if %{bundle_jemalloc}
+pushd ../%{jemalloc_name}-%{jemalloc_ver}
+make DESTDIR="$RPM_BUILD_ROOT" install_lib install_bin
+cp -pa COPYING ../%{name}-%{version}/COPYING.jemalloc
+cp -pa README ../%{name}-%{version}/README.jemalloc
+popd
+%endif
+
+%check
+# This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build.
+if ! make DESTDIR="$RPM_BUILD_ROOT" check; then cat ./test-suite.log && false; fi
+
+%post
+if [ -n "$DEBUGPOSTTRANS" ] ; then
+ output=$DEBUGPOSTTRANS
+ output2=${DEBUGPOSTTRANS}.upgrade
+else
+ output=/dev/null
+ output2=/dev/null
+fi
+# reload to pick up any changes to systemd files
+/bin/systemctl daemon-reload >$output 2>&1 || :
+
+# https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation
+# Soft static allocation for UID and GID
+# sysusers.d format https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
+%sysusers_create_compat %{SOURCE4}
+
+# Reload our sysctl before we restart (if we can)
+sysctl --system &> $output; true
+
+# Gather the running instances so we can restart them
+instbase="%{_sysconfdir}/%{pkgname}"
+ninst=0
+for dir in $instbase/slapd-* ; do
+ echo dir = $dir >> $output 2>&1 || :
+ if [ ! -d "$dir" ] ; then continue ; fi
+ case "$dir" in *.removed) continue ;; esac
+ basename=`basename $dir`
+ inst="%{pkgname}@`echo $basename | sed -e 's/slapd-//g'`"
+ echo found instance $inst - getting status >> $output 2>&1 || :
+ if /bin/systemctl -q is-active $inst ; then
+ echo instance $inst is running >> $output 2>&1 || :
+ instances="$instances $inst"
+ else
+ echo instance $inst is not running >> $output 2>&1 || :
+ fi
+ ninst=`expr $ninst + 1`
+done
+if [ $ninst -eq 0 ] ; then
+ echo no instances to upgrade >> $output 2>&1 || :
+ exit 0 # have no instances to upgrade - just skip the rest
+else
+ # restart running instances
+ echo shutting down all instances . . . >> $output 2>&1 || :
+ for inst in $instances ; do
+ echo stopping instance $inst >> $output 2>&1 || :
+ /bin/systemctl stop $inst >> $output 2>&1 || :
+ done
+ for inst in $instances ; do
+ echo starting instance $inst >> $output 2>&1 || :
+ /bin/systemctl start $inst >> $output 2>&1 || :
+ done
+fi
+
+
+%preun
+if [ $1 -eq 0 ]; then # Final removal
+ # remove instance specific service files/links
+ rm -rf %{_sysconfdir}/systemd/system/%{groupname}.wants/* > /dev/null 2>&1 || :
+fi
+
+%postun
+if [ $1 = 0 ]; then # Final removal
+ rm -rf /var/run/%{pkgname}
+fi
+
+%post snmp
+%systemd_post %{pkgname}-snmp.service
+
+%preun snmp
+%systemd_preun %{pkgname}-snmp.service %{groupname}
+
+%postun snmp
+%systemd_postun_with_restart %{pkgname}-snmp.service
+
+exit 0
+
+%files
+%if %{bundle_jemalloc}
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.jemalloc
+%license COPYING.jemalloc
+%else
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl
+%endif
+%dir %{_sysconfdir}/%{pkgname}
+%dir %{_sysconfdir}/%{pkgname}/schema
+%config(noreplace)%{_sysconfdir}/%{pkgname}/schema/*.ldif
+%dir %{_sysconfdir}/%{pkgname}/config
+%dir %{_sysconfdir}/systemd/system/%{groupname}.wants
+%{_sysusersdir}/389-ds-base.conf
+%config(noreplace)%{_sysconfdir}/%{pkgname}/config/slapd-collations.conf
+%config(noreplace)%{_sysconfdir}/%{pkgname}/config/certmap.conf
+%{_datadir}/%{pkgname}
+%{_datadir}/gdb/auto-load/*
+%{_unitdir}
+%{_bindir}/dbscan
+%{_mandir}/man1/dbscan.1.gz
+%{_bindir}/ds-replcheck
+%{_mandir}/man1/ds-replcheck.1.gz
+%{_bindir}/ds-logpipe.py
+%{_mandir}/man1/ds-logpipe.py.1.gz
+%{_bindir}/ldclt
+%{_mandir}/man1/ldclt.1.gz
+%{_bindir}/logconv.pl
+%{_mandir}/man1/logconv.pl.1.gz
+%{_bindir}/pwdhash
+%{_mandir}/man1/pwdhash.1.gz
+#%caps(CAP_NET_BIND_SERVICE=pe) {_sbindir}/ns-slapd
+%{_sbindir}/ns-slapd
+%{_mandir}/man8/ns-slapd.8.gz
+%{_sbindir}/openldap_to_ds
+%{_mandir}/man8/openldap_to_ds.8.gz
+%{_libexecdir}/%{pkgname}/ds_systemd_ask_password_acl
+%{_libexecdir}/%{pkgname}/ds_selinux_restorecon.sh
+%{_mandir}/man5/99user.ldif.5.gz
+%{_mandir}/man5/certmap.conf.5.gz
+%{_mandir}/man5/slapd-collations.conf.5.gz
+%{_mandir}/man5/dirsrv.5.gz
+%{_mandir}/man5/dirsrv.systemd.5.gz
+%{_libdir}/%{pkgname}/python
+%dir %{_libdir}/%{pkgname}/plugins
+%{_libdir}/%{pkgname}/plugins/*.so
+# This has to be hardcoded to /lib - $libdir changes between lib/lib64, but
+# sysctl.d is always in /lib.
+%{_prefix}/lib/sysctl.d/*
+%dir %{_localstatedir}/lib/%{pkgname}
+%dir %{_localstatedir}/log/%{pkgname}
+%ghost %dir %{_localstatedir}/lock/%{pkgname}
+%exclude %{_sbindir}/ldap-agent*
+%exclude %{_mandir}/man1/ldap-agent.1.gz
+%exclude %{_unitdir}/%{pkgname}-snmp.service
+%if %{bundle_jemalloc}
+%{_libdir}/%{pkgname}/lib/
+%{_libdir}/%{pkgname}/bin/
+%exclude %{_libdir}/%{pkgname}/bin/jemalloc-config
+%exclude %{_libdir}/%{pkgname}/bin/jemalloc.sh
+%exclude %{_libdir}/%{pkgname}/lib/libjemalloc.a
+%exclude %{_libdir}/%{pkgname}/lib/libjemalloc.so
+%exclude %{_libdir}/%{pkgname}/lib/libjemalloc_pic.a
+%exclude %{_libdir}/%{pkgname}/lib/pkgconfig
+%endif
+
+%files devel
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
+%{_mandir}/man3/*
+%{_includedir}/svrcore.h
+%{_includedir}/%{pkgname}
+%{_libdir}/libsvrcore.so
+%{_libdir}/%{pkgname}/libslapd.so
+%{_libdir}/%{pkgname}/libns-dshttpd.so
+%{_libdir}/%{pkgname}/libldaputil.so
+%{_libdir}/pkgconfig/svrcore.pc
+%{_libdir}/pkgconfig/dirsrv.pc
+
+%files libs
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
+%dir %{_libdir}/%{pkgname}
+%{_libdir}/libsvrcore.so.*
+%{_libdir}/%{pkgname}/libslapd.so.*
+%{_libdir}/%{pkgname}/libns-dshttpd.so.*
+%{_libdir}/%{pkgname}/libldaputil.so.*
+%{_libdir}/%{pkgname}/librewriters.so*
+%if %{bundle_jemalloc}
+%{_libdir}/%{pkgname}/lib/libjemalloc.so.2
+%endif
+
+%files snmp
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
+%config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf
+%{_sbindir}/ldap-agent*
+%{_mandir}/man1/ldap-agent.1.gz
+%{_unitdir}/%{pkgname}-snmp.service
+
+%files -n python%{python3_pkgversion}-lib389
+%doc LICENSE LICENSE.GPLv3+
+%{python3_sitelib}/lib389*
+%{_sbindir}/dsconf
+%{_mandir}/man8/dsconf.8.gz
+%{_sbindir}/dscreate
+%{_mandir}/man8/dscreate.8.gz
+%{_sbindir}/dsctl
+%{_mandir}/man8/dsctl.8.gz
+%{_sbindir}/dsidm
+%{_mandir}/man8/dsidm.8.gz
+%{_libexecdir}/%{pkgname}/dscontainer
+
+%if %{use_cockpit}
+%files -n cockpit-389-ds -f cockpit.list
+%{_datarootdir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
+%doc README.md
+%endif
+
+%changelog
+* Tue Jul 09 2024 James Chapman <jachapma@redhat.com> - 2.5.1-2
+- Bump version to 2.5.1-2
+- Resolves: RHEL-44324 - unauthenticated user can trigger a DoS by sending a specific extended search request
+- Resolves: RHEL-40946 - Malformed userPassword hash may cause Denial of Service
+- Resolves: RHEL-33087 - dsconf schema does not show inChain matching rule
+- Resolves: RHEL-28177 - Malformed userPassword may cause crash at do_modify in slapd/modify.c
+- Resolves: RHEL-25070 - nsslapd-haproxy-trusted-ip is not in schema
+
+* Tue May 07 2024 James Chapman <jachapma@redhat.com> - 2.5.1-1
+- Bump version to 2.5.1-1
+- Resolves: RHEL-31777 - Rebase 389-ds-base.2.5.1 in RHEL 9.5
+- Resolves: RHEL-33348 - redhat-ds:11/389-ds-base: potential denial of service via specially crafted kerberos AS-REQ requ
+
+* Thu Apr 04 2024 Viktor Ashirov <vashirov@redhat.com> - 2.4.5-6
+- Bump version to 2.4.5-6
+- Resolves: RHEL-30588 - [RFE] allows plugins to log multi-factor authentication notification
+
+* Mon Mar 18 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.5-5
+- Bump version to 2.4.5-5
+- Rebuild for exception phase
+
+* Thu Mar 14 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.5-4
+- Bump version to 2.4.5-4
+- Resolves: RHEL-5130 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix
+
+* Fri Jan 19 2024 Viktor Ashirov <vashirov@redhat.com> - 2.4.5-3
+- Bump version to 2.4.5-3
+- Fix License tag
+
+* Mon Jan 15 2024 James Chapman <jachapma@redhat.com> - 2.4.5-2
+- Bump version to 2.4.5-2
+- Resolves: RHEL-15907 - Rebase 389-ds-base in RHEL 9.4
+- Resolves: RHEL-5142 - RFE Disable Transparent Huge Pages when using large caches
+- Resolves: RHEL-5130 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix
+- Resolves: RHEL-5133 - RFE Provide a history for 'LastLoginTime'
+- Resolves: RHEL-16984 - RFE inChain Matching Rule
+
+* Fri Jan 12 2024 James Chapman <jachapma@redhat.com> - 2.4.5-1
+- Bump version to 2.4.5-1
+- Resolves: RHEL-15907 - Rebase 389-ds-base in RHEL 9.4
+- Resolves: RHEL-5142 - RFE Disable Transparent Huge Pages when using large caches
+- Resolves: RHEL-5130 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix
+- Resolves: RHEL-5133 - RFE Provide a history for 'LastLoginTime'
+- Resolves: RHEL-16984 - RFE inChain Matching Rule
+
+* Tue Nov 21 2023 James Chapman <jachapma@redhat.com> - 2.4.4-1
+- Bump version to 2.4.4-1
+- Resolves: RHEL-15907 - Rebase 389-ds-base-2.4 in RHEL 9.4
+- Resolves: RHEL-16830 - ns-slapd crash in slapi_attr_basetype
+
+* Thu Sep 7 2023 Simon Pichugin <spichugi@redhat.com> - 2.3.6-3
+- Bump version to 2.3.6-3
+- Resolves: rhbz#2236163 - Regression: replication can't be enabled for consumer or hub role
+
+* Tue Aug 8 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.6-2
+- Bump version to 2.3.6-2
+- Resolves: rhbz#2225532 - 389-ds-base FTBFS with rust-1.71.0
+- Resolves: rhbz#2218209 - useradd: invalid user ID '389:389': installing 389-ds-base in container fails to create the dirsrv user
+- Resolves: rhbz#2207691 - python3-lib389: Python tarfile extraction needs change to avoid a warning
+- Resolves: rhbz#2179278 - dirsrv failed to start after reboot because "dirsrv" did not have access on /run/dirsrv
+
+* Mon Jul 24 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.4-3
+- Bump version to 2.3.4-3
+- Resolves: rhbz#2189954 - RFE Improve reponse time to filters containing 'nsrole'
+- Resolves: rhbz#2189946 - RFE support of slapi_memberof for plugins/core server
+- Resolves: rhbz#1974242 - Paged search impacts performance
+
+* Fri May 19 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.4-2
+- Bump version to 2.3.4-2
+- Resolves: rhbz#2188627 - Fix license
+
+* Thu May 18 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.4-1
+- Bump version to 2.3.4-1
+- Resolves: rhbz#2188627 - Rebase 389-ds-base-2.3 in RHEL 9.3
+
+* Wed Mar 08 2023 Simon Pichugin <spichugi@redhat.com> - 2.2.4-4
+- Resolves: rhbz#2095366 - [RFE] 389-ds-base systemd-sysusers
+
+* Tue Dec 13 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.4-3
+- Bump version to 2.2.4-3
+- Resolves: rhbz#2142636 - pam mutex lock causing high etimes, affecting red hat internal sso
+- Resolves: rhbz#2093981 - RFE - Create Security Audit Log
+- Resolves: rhbz#2132697 - [RFE] 389ds: run as non-root
+- Resolves: rhbz#2124660 - Retro changelog trimming uses maxage incorrectly
+- Resolves: rhbz#2114039 - Current pbkdf2 hardcoded parameters are no longer secure
+- Resolves: rhbz#2112998 - performance search rate: checking if an entry is a referral is expensive
+- Resolves: rhbz#2112361 - Supplier should do periodic update to avoid slow replication when a new direct update happen
+- Resolves: rhbz#2109891 - Migrate 389 to pcre2
+
+
+* Mon Dec 12 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.4-2
+- Bump version to 2.2.4-2
+- Resolves: Bug 1859271 - RFE - Extend log of operations statistics in access log
+- Resolves: Bug 2093981 - RFE - Create Security Audit Log
+- Resolves: Bug 2109891 - Migrate 389 to pcre2
+- Resolves: Bug 2112361 - Supplier should do periodic update to avoid slow replication when a new direct update happen
+- Resolves: Bug 2112998 - performance search rate: checking if an entry is a referral is expensive
+- Resolves: Bug 2114039 - Current pbkdf2 hardcoded parameters are no longer secure
+- Resolves: Bug 2124660 - Retro changelog trimming uses maxage incorrectly
+- Resolves: Bug 2132697 - RFE - run as non-root
+- Resolves: Bug 2142636 - pam mutex lock causing high etimes, affecting red hat internal sso
+
+* Fri Nov 11 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.4-1
+- Bump version to 2.2.4-1
+- Resolves: Bug 1132524 - [RFE] Compression of log files
+
diff --git a/389-ds-base.sysusers b/389-ds-base.sysusers
new file mode 100644
index 0000000..32a3452
--- /dev/null
+++ b/389-ds-base.sysusers
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+g dirsrv 389
+u dirsrv 389:389 "user for 389-ds-base" /usr/share/dirsrv/ /sbin/nologin
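Review bot: The `u dirsrv 389:389` line pins a fixed uid/gid with no comment explaining why, and the spec changelog added in this same commit records an earlier install failure on exactly that value (rhbz#2218209, `useradd: invalid user ID '389:389'`). A short comment above the `g`/`u` lines would help the next packager: state that the numeric ID is fixed on purpose (presumably so ownership of instance data is identical on every host; confirm) and that it must stay in step with any user-creation scriptlet in the spec. It is also worth confirming that `/sbin/nologin` resolves on the target release, since the home directory and shell here are what the account gets when systemd-sysusers creates it.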
diff --git a/sources b/sources
new file mode 100644
index 0000000..f5b11cf
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+175849cb38e23d26a9bdc23f42cb5169 389-ds-base-2.5.1.tar.bz2
+09a8328574dab22a7df848eae6dbbf53 jemalloc-5.3.0.tar.bz2
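Review bot: Both entries in `sources` pin the tarballs with MD5 digests only, and MD5 is not collision-resistant, so this file alone is a weak integrity check for `389-ds-base-2.5.1.tar.bz2` and `jemalloc-5.3.0.tar.bz2` when they are fetched at build time. If the import tooling accepts it, record a SHA-512 digest instead, in the dist-git form `SHA512 (389-ds-base-2.5.1.tar.bz2) = <sha512-of-tarball>`, and likewise for the jemalloc tarball. Whether this dist-git instance accepts that format is not visible from the commit, so confirm before changing it; verifying the tarballs against an upstream signature or published checksum in `%prep` would be a complementary control.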