From: Michael Tremer Date: Sun, 19 Jun 2011 11:53:59 +0000 (+0200) Subject: nss_ldap: Update to 265. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6679571b01afe178deaf72e5623639cbcae1e95c;p=ipfire-3.x.git nss_ldap: Update to 265. --- diff --git a/pkgs/nss_ldap/nss_ldap.nm b/pkgs/nss_ldap/nss_ldap.nm index 53a0160fa..d8599974f 100644 --- a/pkgs/nss_ldap/nss_ldap.nm +++ b/pkgs/nss_ldap/nss_ldap.nm @@ -25,7 +25,7 @@ include $(PKGROOT)/Include PKG_NAME = nss_ldap -PKG_VER = 262 +PKG_VER = 265 PKG_REL = 1 PKG_MAINTAINER = @@ -34,7 +34,7 @@ PKG_URL = http://www.padl.com/ PKG_LICENSE = LGPLv2+ PKG_SUMMARY = NSS library and PAM module for LDAP. -PKG_BUILD_DEPS+= cyrus-sasl-devel openldap-devel +PKG_BUILD_DEPS+= autoconf automake cyrus-sasl-devel openldap-devel define PKG_DESCRIPTION This package includes two LDAP access clients: nss_ldap and \ @@ -46,17 +46,58 @@ endef PKG_TARBALL = $(THISAPP).tar.gz -CONFIGURE_OPTIONS = \ - --prefix=/ \ - --libdir=/usr/lib \ +PKG_PATCHES = \ + nss_ldap-265-depth.patch \ + nss_ldap-254-soname.patch \ + nss_ldap-257-mozldap.patch \ + nss_ldap-259-res_init.patch \ + nss_ldap-264-checkcase.patch \ + nss_ldap-265-ent_internal.patch \ + nss_ldap-264-cloexec.patch \ + nss_ldap-265-local_users.patch \ + nss_ldap-265-erange.patch \ + nss_ldap-265-initgroups-minimum_uid.patch \ + nss_ldap-265-fix-uninit.patch \ + nss_ldap-265-padl-bug-418.patch \ + nss_ldap-265-setnetgrent.patch + +CONFIGURE_OPTIONS += \ --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --with-ldap=openldap \ - --enable-schema-mapping + --libdir=/lib \ + --with-ldap-lib=openldap \ + --enable-rfc2307bis \ + --with-ldap-conf-file=/etc/nss_ldap.conf \ + --with-ldap-secret-file=/etc/nss_ldap.secret + +define STAGE_PREPARE_CMDS + cd $(DIR_APP) && sed -i -e 's,^ldap.conf$$,nss_ldap.conf,g' *.5 + cd $(DIR_APP) && sed -i -e 's,^/etc/ldap\.,/etc/nss_ldap.,g' *.5 + cd $(DIR_APP) && sed -i -e 's,ldap.secret,nss_ldap.secret,g' *.5 + cd $(DIR_APP) && sed -i -e 's,(ldap.conf),(nss_ldap.conf),g' *.5 + + # Fix call for vers_string. + cd $(DIR_APP) && sed -e "s/vers_string/.\/&/g" -i Makefile* + + cd $(DIR_APP) && autoreconf -vfi +endef + +STAGE_BUILD_TARGETS += LDFLAGS="-Wl,-z,nodelete" + +STAGE_INSTALL_TARGETS += LIBC_VERS=$(PKG_VER) define STAGE_INSTALL_CMDS # Remove awkward directory rm -rvf $(BUILDROOT)/usr/usr + mv -v $(BUILDROOT)/lib/* $(BUILDROOT)/usr/lib + rm -rvf $(BUILDROOT)/lib + ln -svf libnss_ldap-$(PKG_VER).so $(BUILDROOT)/usr/lib/libnss_ldap.so + + rm -vf $(BUILDROOT)/etc/nsswitch.ldap + + cd $(DIR_APP) && sed 's|dc=padl|dc=example|g' ldap.conf > \ + $(BUILDROOT)/etc/nss_ldap.conf + touch $(BUILDROOT)/etc/nss_ldap.secret + ln -svf libnss_ldap.so.2 $(BUILDROOT)/usr/lib/libnss_ldap.so endef diff --git a/pkgs/nss_ldap/patches/nss_ldap-254-soname.patch b/pkgs/nss_ldap/patches/nss_ldap-254-soname.patch new file mode 100644 index 000000000..e832c2f0d --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-254-soname.patch @@ -0,0 +1,12 @@ +Set the soname which glibc expects us to have. +--- nss_ldap-254/configure.in 2007-02-26 16:40:53.000000000 -0500 ++++ nss_ldap-254/configure.in 2007-02-26 16:40:47.000000000 -0500 +@@ -92,7 +92,7 @@ + nss_ldap_so_LDFLAGS="-b -dynamic -G `cat exports.hpux`" + CPPFLAGS="$CPPFLAGS -I. -DHPUX" + TARGET_OS=HPUX ;; +-linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;; ++linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux -Wl,-soname=libnss_ldap.so.2" ;; + *) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;; + esac + diff --git a/pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch b/pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch new file mode 100644 index 000000000..acb16df28 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-257-mozldap.patch @@ -0,0 +1,287 @@ +Go back to using AC_TRY_COMPILE to detect , which requires +that be included before it. + +Use the draft-specified value "0" instead of a preprocessor define which +mozldap doesn't provide (LDAP_OPT_SUCCESS). + +Don't fail to compile if libldap doesn't provide ldap_create_control(), +just fail at run-time if we try to use it. + +Only try to set non-portable options that the libldap which is being used +supports. + +Don't depend on ldap_alloc_ber_with_options() being there; fall back to +either ber_alloc_t() or the deprecated der_alloc(). + +Learn about Mozilla LDAP 6. + +Prefer to , because can also be the +security toolkit used by Mozilla's LDAP SDK rather than libc's nsswitch +header, and if we've set the include path, we could be screwed. + +Strip off any '/' which appears in our hostname before passing it to +ldap_init(). + +diff -up nss_ldap/configure.in nss_ldap/configure.in +--- nss_ldap/configure.in 2007-11-14 14:21:54.000000000 -0500 ++++ nss_ldap/configure.in 2007-11-14 15:01:32.000000000 -0500 +@@ -41,7 +41,7 @@ dnl + AC_ARG_ENABLE(configurable-krb5-ccname-env, [ --enable-configurable-krb5-ccname-env enable configurable Kerberos V credentials cache name (putenv method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV)]) + AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, [ --enable-configurable-krb5-ccname-gssapi enable configurable Kerberos V credentials cache name (gssapi method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI)]) + +-AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]]) ++AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|mozilla|netscape5|netscape4|netscape3|umich|openldap]]) + AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of LDAP SDK]) + AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file], + [ NSS_LDAP_PATH_CONF="$with_ldap_conf_file" ], +@@ -132,17 +132,18 @@ AC_SUBST(NSS_LDAP_LDFLAGS) + + AC_CHECK_HEADERS(lber.h) + AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate )) +-AC_CHECK_HEADERS(ldap_ssl.h) ++dnl AC_CHECK_HEADERS(ldap_ssl.h) + +-dnl AC_MSG_CHECKING(for ldap_ssl.h) +-dnl AC_TRY_COMPILE([#include +-dnl #include +-dnl #include ], , +-dnl [ +-dnl AC_MSG_RESULT(yes), +-dnl AC_DEFINE(HAVE_LDAP_SSL_H, 1) +-dnl ], +-dnl AC_MSG_RESULT(no)) ++AC_MSG_CHECKING(for ldap_ssl.h) ++AC_TRY_COMPILE([ ++ #include ++ #include ++ #include ],[], ++ [ ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(HAVE_LDAP_SSL_H,1,[Define if you have .]) ++ ], ++ AC_MSG_RESULT(no)) + + # For HP-UX and AIX we use private API, the headers for which + # are included locally. We need to do something to stop both +@@ -150,7 +151,8 @@ dnl AC_MSG_RESULT(no)) + case "$target_os" in + aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;; + hpux*) AC_CHECK_HEADERS(nsswitch.h) ;; +- *) AC_CHECK_HEADERS(nss.h) ++ *) AC_CHECK_HEADERS(/usr/include/nss.h) ++ AC_CHECK_HEADERS(nss.h) + AC_CHECK_HEADERS(nsswitch.h) + AC_CHECK_HEADERS(irs.h) ;; + esac +@@ -297,6 +299,9 @@ if test -z "$found_ldap_lib" -a \( $with + AC_CHECK_LIB(lber, main) + AC_CHECK_LIB(ldap, main, [LIBS="-lldap $LIBS" found_ldap_lib=yes],,$LIBS) + fi ++if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = mozilla \); then ++AC_CHECK_LIB(ldap60, main, LIBS="-lssldap60 -lprldap60 -lldap60 -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread) ++fi + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then + AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread) + fi +@@ -331,6 +336,7 @@ AC_CHECK_FUNCS(ldap_init ldap_get_lderrn + AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option) + AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext) + AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control) ++AC_CHECK_FUNCS(ldap_alloc_ber_with_options ber_alloc_t der_alloc) + if test "$enable_ssl" \!= "no"; then + AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls) + fi +diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h +--- nss_ldap/ldap-nss.h 2007-11-14 14:21:54.000000000 -0500 ++++ nss_ldap/ldap-nss.h 2007-11-14 15:05:57.000000000 -0500 +@@ -58,6 +58,8 @@ + #include + #include + #include ++#elif defined(HAVE__USR_INCLUDE_NSS_H) ++#include + #elif defined(HAVE_NSS_H) + #include + #elif defined(HAVE_IRS_H) +diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c +--- nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500 ++++ nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500 +@@ -1069,6 +1069,23 @@ do_init_session (LDAP ** ld, const char + defport = atoi (p + 1); + uri = uribuf; + } ++ else ++ { ++ size_t urilen = strlen(uri); ++ ++ if (urilen >= sizeof (uribuf)) ++ { ++ return NSS_UNAVAIL; ++ } ++ ++ memcpy (uribuf, uri, urilen); ++ uribuf[urilen] = '\0'; ++ ++ if ((urilen > 0) && (uribuf[urilen - 1] == '/')) ++ uribuf[urilen - 1] = '\0'; ++ ++ uri = uribuf; ++ } + + # ifdef HAVE_LDAP_INIT + *ld = ldap_init (uri, defport); +@@ -1537,7 +1554,7 @@ do_open (void) + + if (ldap_get_option + (__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION, +- &version) == LDAP_OPT_SUCCESS) ++ &version) == 0) + { + if (version < LDAP_VERSION3) + { +@@ -1697,6 +1714,7 @@ do_ssl_options (ldap_config_t * cfg) + } + #endif /* LDAP_OPT_X_TLS_RANDOM_FILE */ + ++#ifdef LDAP_OPT_X_TLS_CACERTFILE + if (cfg->ldc_tls_cacertfile != NULL) + { + /* ca cert file */ +@@ -1709,7 +1727,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CACERTDIR + if (cfg->ldc_tls_cacertdir != NULL) + { + /* ca cert directory */ +@@ -1722,7 +1742,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + /* require cert? */ + if (cfg->ldc_tls_checkpeer > -1) + { +@@ -1735,7 +1757,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (cfg->ldc_tls_ciphers != NULL) + { + /* set cipher suite, certificate and private key: */ +@@ -1748,7 +1772,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CERTFILE + if (cfg->ldc_tls_cert != NULL) + { + rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, cfg->ldc_tls_cert); +@@ -1759,7 +1785,9 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + ++#ifdef LDAP_OPT_X_TLS_CERTFILE + if (cfg->ldc_tls_key != NULL) + { + rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, cfg->ldc_tls_key); +@@ -1770,6 +1798,7 @@ do_ssl_options (ldap_config_t * cfg) + return LDAP_OPERATIONS_ERROR; + } + } ++#endif + + debug ("<== do_ssl_options"); + +diff -up nss_ldap/pagectrl.c nss_ldap/pagectrl.c +--- nss_ldap/pagectrl.c 2007-08-03 00:51:09.000000000 -0400 ++++ nss_ldap/pagectrl.c 2007-11-14 14:21:54.000000000 -0500 +@@ -38,6 +38,17 @@ static char rcsId[] = "$Id: pagectrl.c,v + #define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319" + #endif + ++#ifndef HAVE_LDAP_CREATE_CONTROL ++#define ldap_create_control _nss_ldap_fail_to_create_control ++static int ++ldap_create_control(const char *oid, BerElement *value, ++ int iscritical, LDAPControl ** ctrlp) ++{ ++ *ctrlp = NULL; ++ return LDAP_ENCODING_ERROR; ++} ++#endif ++ + #ifndef HAVE_LDAP_CREATE_PAGE_CONTROL + /*--- + ldap_create_page_control +@@ -78,9 +89,6 @@ static char rcsId[] = "$Id: pagectrl.c,v + + ---*/ + +-#ifndef HAVE_LDAP_CREATE_CONTROL +-#error LDAP client library does not support ldap_create_control() +-#else + int + ldap_create_page_control (LDAP * ld, + unsigned long pagesize, +@@ -97,10 +105,24 @@ ldap_create_page_control (LDAP * ld, + return (LDAP_PARAM_ERROR); + } + ++#ifdef HAVE_LDAP_ALLOC_BER_WITH_OPTIONS + if ((ber = ldap_alloc_ber_with_options (ld)) == NULL) + { + return (LDAP_NO_MEMORY); + } ++#elif defined(HAVE_BER_ALLOC_T) && defined(LBER_USE_DER) ++ if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) ++ { ++ return (LDAP_NO_MEMORY); ++ } ++#elif defined(HAVE_DER_ALLOC) ++ if ((ber = der_alloc()) == NULL) ++ { ++ return (LDAP_NO_MEMORY); ++ } ++#else ++ return (LDAP_NO_MEMORY); ++#endif + + tag = ber_printf (ber, "{i", pagesize); + if (tag == LBER_ERROR) +@@ -126,7 +148,6 @@ exit: + ber_free (ber, 1); + return (LDAP_ENCODING_ERROR); + } +-#endif /* HAVE_LDAP_CREATE_CONTROL */ + #endif /* HAVE_LDAP_CREATE_PAGE_CONTROL */ + + #ifndef HAVE_LDAP_PARSE_PAGE_CONTROL +@@ -154,9 +175,6 @@ exit: + + ---*/ + +-#ifndef HAVE_LDAP_CREATE_CONTROL +-#error LDAP client library does not support ldap_create_control() +-#else + int + ldap_parse_page_control (LDAP * ld, + LDAPControl ** ctrls, +@@ -222,5 +240,4 @@ foundPageControl: + + return (LDAP_SUCCESS); + } +-#endif /* HAVE_LDAP_CREATE_CONTROL */ + #endif /* HAVE_LDAP_PARSE_PAGE_CONTROL */ diff --git a/pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch b/pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch new file mode 100644 index 000000000..aed010dac --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-259-res_init.patch @@ -0,0 +1,146 @@ +Workaround for a NetworkManager/Upstart combination making things +interesting. When an application starts before the network is up, +/etc/resolv.conf is empty, causing the application to attempt to use a +local resolver. When the network comes up later, /etc/resolv.conf gets +populated with nameserver addresses, but the application doesn't re-read +it. This screws nss_ldap later on, because the LDAP client library +needs to be able to resolve the directory server's address, but it can't +without a local resolver which is probably not started. + +diff -up nss_ldap-259/configure.in nss_ldap-259/configure.in +--- nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400 ++++ nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400 +@@ -176,6 +176,7 @@ AC_CHECK_HEADERS(alignof.h) + AC_CHECK_HEADERS(rpc/rpcent.h) + AC_CHECK_HEADERS(sys/byteorder.h) + AC_CHECK_HEADERS(sys/un.h) ++AC_CHECK_HEADERS(sys/stat.h) + AC_CHECK_HEADERS(libc-lock.h) + AC_CHECK_HEADERS(bits/libc-lock.h) + AC_CHECK_HEADERS(sasl.h sasl/sasl.h) +diff -up nss_ldap-259/ldap-nss.c nss_ldap-259/ldap-nss.c +--- nss_ldap-259/ldap-nss.c 2008-04-16 10:42:15.000000000 -0400 ++++ nss_ldap-259/ldap-nss.c 2008-04-16 10:48:02.000000000 -0400 +@@ -44,10 +44,16 @@ static char rcsId[] = + #include + #include + #include ++#ifdef HAVE_SYS_STAT_H ++#include ++#endif + #include + #include + #include + #include ++#ifdef HAVE_RESOLV_H ++#include ++#endif + #ifdef HAVE_SYS_UN_H + #include + #endif +@@ -1021,8 +1027,31 @@ _nss_ldap_close (void) + do_close (); + } + ++static void ++_nss_ldap_res_init (const char *uri) ++{ ++ if (strncmp(uri, "ldapi://", 8) != 0) ++ { ++ struct stat st; ++ static time_t last_mtime = (time_t) -1; ++#if defined(HAVE_RESOLV_H) && defined(_PATH_RESCONF) ++ NSS_LDAP_DEFINE_LOCK (_nss_ldap_res_init_lock); ++ NSS_LDAP_LOCK (_nss_ldap_res_init_lock); ++ if (stat(_PATH_RESCONF, &st) == 0) ++ { ++ if (last_mtime != st.st_mtime) ++ { ++ last_mtime = st.st_mtime; ++ res_init(); ++ } ++ } ++ NSS_LDAP_UNLOCK (_nss_ldap_res_init_lock); ++#endif ++ } ++} ++ + static NSS_STATUS +-do_init_session (LDAP ** ld, const char *uri, int defport) ++do_init_session (LDAP ** ld, const char *uri, int defport, int res_init_hack) + { + int rc; + int ldaps; +@@ -1050,6 +1079,8 @@ do_init_session (LDAP ** ld, const char + uri = uribuf; + } + ++ if (res_init_hack) ++ _nss_ldap_res_init(uri); + rc = ldap_initialize (ld, uri); + #else + if (strncasecmp (uri, "ldap://", sizeof ("ldap://") - 1) != 0) +@@ -1075,6 +1106,8 @@ do_init_session (LDAP ** ld, const char + defport = atoi (p + 1); + uri = uribuf; + } ++ if (res_init_hack) ++ _nss_ldap_res_init(NULL); + # ifdef HAVE_LDAP_INIT + *ld = ldap_init (uri, defport); + # else +@@ -1346,7 +1379,8 @@ do_init (void) + + stat = do_init_session (&__session.ls_conn, + cfg->ldc_uris[__session.ls_current_uri], +- cfg->ldc_port); ++ cfg->ldc_port, ++ cfg->ldc_resolv_conf_res_init_hack); + if (stat != NSS_SUCCESS) + { + debug ("<== do_init (failed to initialize LDAP session)"); +diff -up nss_ldap-259/ldap-nss.h nss_ldap-259/ldap-nss.h +--- nss_ldap-259/ldap-nss.h 2008-04-16 10:45:49.000000000 -0400 ++++ nss_ldap-259/ldap-nss.h 2008-04-16 10:45:52.000000000 -0400 +@@ -400,6 +400,9 @@ struct ldap_config + time_t ldc_mtime; + + char **ldc_initgroups_ignoreusers; ++ ++ /* disable the do-res_init()-on-resolv.conf-changes hack */ ++ unsigned int ldc_resolv_conf_res_init_hack; + }; + + typedef struct ldap_config ldap_config_t; +diff -up nss_ldap-259/util.c nss_ldap-259/util.c +--- nss_ldap-259/util.c 2008-04-16 10:48:08.000000000 -0400 ++++ nss_ldap-259/util.c 2008-04-16 10:50:14.000000000 -0400 +@@ -680,6 +680,8 @@ NSS_STATUS _nss_ldap_init_config (ldap_c + } + } + ++ result->ldc_resolv_conf_res_init_hack = 1; ++ + return NSS_SUCCESS; + } + +@@ -1204,6 +1206,19 @@ _nss_ldap_readconfig (ldap_config_t ** p + { + t = &result->ldc_srv_domain; + } ++ else if (!strcasecmp (k, "nss_resolv_conf_res_init_hack")) ++ { ++ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes") ++ || !strcasecmp (v, "true")) ++ { ++ result->ldc_resolv_conf_res_init_hack = 1; ++ } ++ else if (!strcasecmp (v, "off") || !strcasecmp (v, "no") ++ || !strcasecmp (v, "false")) ++ { ++ result->ldc_resolv_conf_res_init_hack = 0; ++ } ++ } + else + { + /* diff --git a/pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch b/pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch new file mode 100644 index 000000000..3a09db8f5 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-264-checkcase.patch @@ -0,0 +1,192 @@ +Search attribute which are not case-sensitive in a directory, but which +are in local files on a glibc-based system: + + posixAccount.uid: struct passwd.pw_name + shadowAccount.uid: struct shadow.sp_namp + posixGroup.cn: struct group.gr_name + ipService.cn,ipServiceProtocol: struct servent.s_name,s_proto + ipProtocol.cn: struct protoent.p_name + ipHost.cn: OK, actually not case-sensitive in local files + ipNetwork.cn: OK, actually not case-sensitive in local files + rfc822MailAlias.cn: OK, actually not case-sensitive in local files + oncRpc.cn: struct rpcent.r_name + nisNetgroup.cn: N/A + nisMap.nisMapName: N/A + nisObject.nisMapName: N/A + nisObject.cn: N/A + ieee802Device: N/A + bootableDevice: N/A + automount.automountKey: no defined structure + +This patch adds additional logic to reject the result of a search if the +field in the result which corresponds to the original request differs +by case from the actual request (for example, when a search for a group +named "bob" turns up a group named "Bob"), but currently only covers +glibc-style systems. Upstream #399. + +diff -ur nss_ldap-264/ldap-grp.c nss_ldap-264/ldap-grp.c +--- nss_ldap-264/ldap-grp.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-grp.c 2009-07-02 10:57:37.000000000 -0400 +@@ -1201,7 +1201,8 @@ + char *buffer, size_t buflen, int *errnop) + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getgrnam, +- LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP); ++ LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP) ++ AND_REQUIRE_MATCH(name, result->gr_name); + } + #elif defined(HAVE_NSSWITCH_H) + static NSS_STATUS +diff -ur nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c +--- nss_ldap-264/ldap-nss.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-nss.c 2009-07-02 10:46:39.000000000 -0400 +@@ -4300,4 +4300,17 @@ + return lderrno; + } + ++NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result, ++ const char *requested_name, ++ const char *actual_name) ++{ ++ if ((result == NSS_SUCCESS) && ++ (requested_name != NULL) && ++ (actual_name != NULL) && ++ (strcasecmp(requested_name, actual_name) == 0) && ++ (strcmp(requested_name, actual_name) != 0)) { ++ return NSS_NOTFOUND; ++ } ++ return result; ++} + +diff -ur nss_ldap-264/ldap-nss.h nss_ldap-264/ldap-nss.h +--- nss_ldap-264/ldap-nss.h 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-nss.h 2009-07-02 10:28:59.000000000 -0400 +@@ -911,4 +911,8 @@ + #ifdef CONFIGURE_KRB5_KEYTAB + int do_init_krb5_cache(ldap_config_t *config); + #endif /* CONFIGURE_KRB5_KEYTAB */ ++NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result, ++ const char *requested_name, ++ const char *actual_name); ++ + #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */ +diff -ur nss_ldap-264/ldap-parse.h nss_ldap-264/ldap-parse.h +--- nss_ldap-264/ldap-parse.h 2006-09-13 02:42:08.000000000 -0400 ++++ nss_ldap-264/ldap-parse.h 2009-07-02 10:56:54.000000000 -0400 +@@ -94,6 +94,7 @@ + + #define LOOKUP_NAME(name, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \ + ldap_args_t a; \ ++ NSS_STATUS s; \ + if (buflen < req_buflen) { \ + *errnop = ERANGE; \ + return NSS_TRYAGAIN; \ +@@ -101,7 +102,8 @@ + LA_INIT(a); \ + LA_STRING(a) = name; \ + LA_TYPE(a) = LA_TYPE_STRING; \ +- return _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); ++ s = _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); \ ++ return s + #define LOOKUP_NUMBER(number, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \ + ldap_args_t a; \ + if (buflen < req_buflen) { \ +@@ -199,4 +201,7 @@ + + #endif /* HAVE_NSSWITCH_H */ + ++#define AND_REQUIRE_MATCH(name,field) \ ++ == NSS_SUCCESS ? _nss_ldap_expect_name(s,name,field) : s ++ + #endif /* _LDAP_NSS_LDAP_LDAP_PARSE_H */ +diff -ur nss_ldap-264/ldap-proto.c nss_ldap-264/ldap-proto.c +--- nss_ldap-264/ldap-proto.c 2006-09-13 02:42:08.000000000 -0400 ++++ nss_ldap-264/ldap-proto.c 2009-07-02 10:58:25.000000000 -0400 +@@ -113,7 +113,8 @@ + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, + _nss_ldap_filt_getprotobyname, LM_PROTOCOLS, +- _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT); ++ _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH(name, result->p_name); + } + #endif + +diff -ur nss_ldap-264/ldap-pwd.c nss_ldap-264/ldap-pwd.c +--- nss_ldap-264/ldap-pwd.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-pwd.c 2009-07-02 10:57:15.000000000 -0400 +@@ -243,7 +243,8 @@ + char *buffer, size_t buflen, int *errnop) + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam, +- LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT); ++ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH(name, result->pw_name); + } + #elif defined(HAVE_NSSWITCH_H) + static NSS_STATUS +diff -ur nss_ldap-264/ldap-rpc.c nss_ldap-264/ldap-rpc.c +--- nss_ldap-264/ldap-rpc.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-rpc.c 2009-07-02 10:58:01.000000000 -0400 +@@ -123,7 +123,8 @@ + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, + _nss_ldap_filt_getrpcbyname, LM_RPC, _nss_ldap_parse_rpc, +- LDAP_NSS_BUFLEN_DEFAULT); ++ LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH(name, result->r_name); + } + #endif + +diff -ur nss_ldap-264/ldap-service.c nss_ldap-264/ldap-service.c +--- nss_ldap-264/ldap-service.c 2009-07-02 15:44:14.000000000 -0400 ++++ nss_ldap-264/ldap-service.c 2009-07-02 15:45:07.000000000 -0400 +@@ -230,16 +230,20 @@ + char *buffer, size_t buflen, int *errnop) + { + ldap_args_t a; ++ NSS_STATUS s; + + LA_INIT (a); + LA_STRING (a) = name; + LA_TYPE (a) = (proto == NULL) ? LA_TYPE_STRING : LA_TYPE_STRING_AND_STRING; + LA_STRING2 (a) = proto; + +- return _nss_ldap_getbyname (&a, result, buffer, buflen, errnop, +- ((proto == NULL) ? _nss_ldap_filt_getservbyname +- : _nss_ldap_filt_getservbynameproto), +- LM_SERVICES, _nss_ldap_parse_serv); ++ s = _nss_ldap_getbyname (&a, result, buffer, buflen, errnop, ++ ((proto == NULL) ? _nss_ldap_filt_getservbyname ++ : _nss_ldap_filt_getservbynameproto), ++ LM_SERVICES, _nss_ldap_parse_serv); ++ s = _nss_ldap_expect_name(s, name, result->s_name); ++ s = _nss_ldap_expect_name(s, proto, result->s_proto); ++ return s; + } + #endif + +diff -ur nss_ldap-264/ldap-spwd.c nss_ldap-264/ldap-spwd.c +--- nss_ldap-264/ldap-spwd.c 2009-07-02 11:01:03.000000000 -0400 ++++ nss_ldap-264/ldap-spwd.c 2009-07-02 10:58:50.000000000 -0400 +@@ -149,7 +149,8 @@ + char *buffer, size_t buflen, int *errnop) + { + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getspnam, +- LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT); ++ LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT) ++ AND_REQUIRE_MATCH (name, result->sp_namp); + } + #elif defined(HAVE_NSSWITCH_H) + static NSS_STATUS +--- nss_ldap-264/ldap-automount.c 2009-07-02 16:03:30.000000000 -0400 ++++ nss_ldap-264/ldap-automount.c 2009-07-02 16:03:48.000000000 -0400 +@@ -384,7 +384,7 @@ + _nss_ldap_filt_getautomntbyname, + LM_AUTOMOUNT, + _nss_ldap_parse_automount); +- ++ stat = _nss_ldap_expect_name(stat, key, canon_key ? *canon_key : NULL); + if (stat != NSS_NOTFOUND) + { + break; /* on success or error other than not found */ diff --git a/pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch b/pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch new file mode 100644 index 000000000..acdbea06b --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-264-cloexec.patch @@ -0,0 +1,11 @@ +diff -up nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c +--- nss_ldap-264/ldap-nss.c 2009-07-23 18:55:15.290388484 -0400 ++++ nss_ldap-264/ldap-nss.c 2009-07-23 19:01:33.328398737 -0400 +@@ -896,6 +896,7 @@ do_drop_connection(int sd, int closeSd) + /* we must let dup2 close sd for us to avoid race conditions + * in multithreaded code. + */ ++ fcntl (dummyfd, F_SETFD, 1L); + do_dupfd (dummyfd, sd); + do_closefd (dummyfd); + } diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-depth.patch b/pkgs/nss_ldap/patches/nss_ldap-265-depth.patch new file mode 100644 index 000000000..a1bd07f51 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-depth.patch @@ -0,0 +1,186 @@ +Check if we can use thread-local storage, and if we can, use one to avoid a +self-deadlock if we recurse into our own host resolution routines from inside +of another lookup attempt. Revised from patch originally submitted for #340. + +diff -up nss_ldap-265/config.h.in nss_ldap-265/config.h.in +--- nss_ldap-265/config.h.in 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/config.h.in 2010-01-08 17:29:49.000000000 -0500 +@@ -304,6 +304,11 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_THREAD_H + ++/* Define if your toolchain supports thread-local storage, which can be used ++ for detecting self- and mutual-recursion problems when performing ++ host/address lookups. */ ++#undef HAVE_THREAD_LOCAL_STORAGE ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_UNISTD_H + +diff -up nss_ldap-265/configure.in nss_ldap-265/configure.in +--- nss_ldap-265/configure.in 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/configure.in 2010-01-08 17:29:49.000000000 -0500 +@@ -27,6 +27,14 @@ dnl + + AC_ARG_ENABLE(debugging, [ --enable-debugging enable debug code ], [AC_DEFINE(DEBUG)]) + ++AC_MSG_CHECKING(for thread-local storage) ++AC_TRY_COMPILE([],[static __thread int _nss_ldap_recursion_count;], ++ [ ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage, which can be used for detecting self- and mutual-recursion problems when performing host/address lookups.]) ++ ], ++ AC_MSG_RESULT(no)) ++ + dnl + dnl --enable-paged-results is now deprecated; if this option is set, + dnl then paged results will be enabled by default. However, it can +diff -up nss_ldap-265/depth.c nss_ldap-265/depth.c +--- nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500 ++++ nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500 +@@ -0,0 +1,24 @@ ++#include "config.h" ++#include "depth.h" ++ ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++static __thread int depth = 0; ++ ++int ++_nss_ldap_get_depth (void) ++{ ++ return depth; ++} ++ ++int ++_nss_ldap_inc_depth (void) ++{ ++ return ++depth; ++} ++ ++int ++_nss_ldap_dec_depth (void) ++{ ++ return --depth; ++} ++#endif +diff -up nss_ldap-265/depth.h nss_ldap-265/depth.h +--- nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500 ++++ nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500 +@@ -0,0 +1,3 @@ ++int _nss_ldap_get_depth (void); ++int _nss_ldap_inc_depth (void); ++int _nss_ldap_dec_depth (void); +diff -up nss_ldap-265/ldap-hosts.c nss_ldap-265/ldap-hosts.c +--- nss_ldap-265/ldap-hosts.c 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/ldap-hosts.c 2010-01-08 17:33:38.000000000 -0500 +@@ -66,6 +66,7 @@ static char rcsId[] = + #include "ldap-nss.h" + #include "ldap-hosts.h" + #include "util.h" ++#include "depth.h" + + #ifdef HAVE_PORT_AFTER_H + #include +@@ -280,6 +281,11 @@ _nss_ldap_gethostbyname2_r (const char * + } + #endif + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + LA_INIT (a); + LA_STRING (a) = name; + LA_TYPE (a) = LA_TYPE_STRING; +@@ -355,6 +361,11 @@ _nss_ldap_gethostbyaddr_r (struct in_add + NSS_STATUS status; + ldap_args_t a; + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + /* if querying by IPv6 address, make sure the address is "normalized" -- + * it should contain no leading zeros and all components of the address. + * still we can't fit an IPv6 address in an int, so who cares for now. +@@ -391,6 +402,11 @@ _nss_ldap_sethostent_r (nss_backend_t * + #endif + #if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + LOOKUP_SETENT (hosts_context); + } + #endif +@@ -403,6 +419,11 @@ _nss_ldap_endhostent_r (nss_backend_t * + #endif + #if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + LOOKUP_ENDENT (hosts_context); + } + #endif +@@ -435,6 +456,11 @@ _nss_ldap_gethostent_r (struct hostent * + { + NSS_STATUS status; + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif ++ + status = _nss_ldap_getent (&hosts_context, + result, + buffer, +diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c +--- nss_ldap-265/ldap-nss.c 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/ldap-nss.c 2010-01-08 17:29:49.000000000 -0500 +@@ -93,6 +93,7 @@ static char rcsId[] = + #include "util.h" + #include "dnsconfig.h" + #include "pagectrl.h" ++#include "depth.h" + + #if defined(HAVE_THREAD_H) && !defined(_AIX) + #ifdef HAVE_PTHREAD_ATFORK +@@ -578,6 +579,9 @@ _nss_ldap_enter (void) + debug ("==> _nss_ldap_enter"); + + NSS_LDAP_LOCK (__lock); ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ _nss_ldap_inc_depth(); ++#endif + + /* + * Patch for Debian Bug 130006: +@@ -623,6 +627,9 @@ _nss_ldap_leave (void) + } + #endif /* HAVE_SIGACTION */ + ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ _nss_ldap_dec_depth(); ++#endif + NSS_LDAP_UNLOCK (__lock); + + debug ("<== _nss_ldap_leave"); +diff -up nss_ldap-265/Makefile.am nss_ldap-265/Makefile.am +--- nss_ldap-265/Makefile.am 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/Makefile.am 2010-01-08 17:31:45.000000000 -0500 +@@ -23,7 +23,7 @@ nss_ldap_so_SOURCES = ldap-nss.c ldap-pw + ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \ + ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \ + dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c \ +- vers.c ++ vers.c depth.c + + nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@ + diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch b/pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch new file mode 100644 index 000000000..c4592da27 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-ent_internal.patch @@ -0,0 +1,102 @@ +Distinguish between contexts that are somewhat persistent and one-offs +which are used to fulfill part of a larger request. Proposed for #322. + +diff -up nss_ldap-265/ldap-grp.c nss_ldap-265/ldap-grp.c +--- nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500 ++++ nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500 +@@ -859,7 +859,7 @@ ng_chase (const char *dn, ldap_initgroup + LA_STRING (a) = dn; + LA_TYPE (a) = LA_TYPE_STRING; + +- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL) ++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL) + { + return NSS_UNAVAIL; + } +@@ -931,7 +931,7 @@ ng_chase_backlink (const char ** members + LA_STRING_LIST (a) = filteredMembersOf; + LA_TYPE (a) = LA_TYPE_STRING_LIST_OR; + +- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL) ++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL) + { + free (filteredMembersOf); + return NSS_UNAVAIL; +diff -up nss_ldap-265/ldap-netgrp.c nss_ldap-265/ldap-netgrp.c +--- nss_ldap-265/ldap-netgrp.c 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265/ldap-netgrp.c 2010-01-08 17:38:38.000000000 -0500 +@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t * + LA_TYPE (a) = LA_TYPE_STRING; + LA_STRING (a) = nested; /* memberNisNetgroup */ + +- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL) ++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL) + { + debug ("<== do_innetgr_nested: failed to initialize context"); + return NSS_UNAVAIL; +diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c +--- nss_ldap-265/ldap-nss.c 2010-01-08 17:38:38.000000000 -0500 ++++ nss_ldap-265/ldap-nss.c 2010-01-08 17:40:37.000000000 -0500 +@@ -2043,6 +2043,7 @@ _nss_ldap_ent_context_init_locked (ent_c + debug ("<== _nss_ldap_ent_context_init_locked"); + return NULL; + } ++ ctx->ec_internal = 0; + *pctx = ctx; + } + else +@@ -2104,7 +2105,8 @@ do_context_release (ent_context_t * ctx, + + LS_INIT (ctx->ec_state); + +- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT)) ++ if (!ctx->ec_internal && ++ _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT)) + { + do_close (); + } +@@ -2113,6 +2115,16 @@ do_context_release (ent_context_t * ctx, + free (ctx); + } + ++ent_context_t * ++_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx) ++{ ++ ent_context_t *ctx; ++ ctx = _nss_ldap_ent_context_init_locked (pctx); ++ if (ctx != NULL) ++ ctx->ec_internal = 1; ++ return ctx; ++} ++ + /* + * Clears a given context; we require the caller + * to acquire the lock. +diff -up nss_ldap-265/ldap-nss.h nss_ldap-265/ldap-nss.h +--- nss_ldap-265/ldap-nss.h 2010-01-08 17:38:38.000000000 -0500 ++++ nss_ldap-265/ldap-nss.h 2010-01-08 17:42:34.000000000 -0500 +@@ -574,6 +574,8 @@ struct ent_context + ldap_state_t ec_state; /* eg. for services */ + int ec_msgid; /* message ID */ + LDAPMessage *ec_res; /* result chain */ ++ int ec_internal; /* this context is just a part of a larger ++ * query for information */ + ldap_service_search_descriptor_t *ec_sd; /* current sd */ + struct berval *ec_cookie; /* cookie for paged searches */ + int ec_eof; /* reached notional end of file */ +@@ -769,6 +771,15 @@ ent_context_t *_nss_ldap_ent_context_ini + ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **); + + /* ++ * _nss_ldap_ent_context_init_internal_locked() has the same ++ * behaviour, except it marks the context as one that's being ++ * used to fetch additional data used in answering a request, i.e. ++ * that this isn't the "main" context ++ */ ++ ++ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **); ++ ++/* + * _nss_ldap_ent_context_release() is used to manually free a context + */ + void _nss_ldap_ent_context_release (ent_context_t **); diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-erange.patch b/pkgs/nss_ldap/patches/nss_ldap-265-erange.patch new file mode 100644 index 000000000..0bdfe5ac3 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-erange.patch @@ -0,0 +1,17 @@ +If we were supposed to set ERANGE, do so again, in case do_close() or +_nss_ldap_leave() overwrote errno with some other value. Upstream #421. + +diff -up nss_ldap-265/ldap-nss.ce nss_ldap-265/ldap-nss.c +--- nss_ldap-265/ldap-nss.ce 2010-07-08 16:17:07.000000000 -0400 ++++ nss_ldap-265/ldap-nss.c 2010-07-08 16:17:03.000000000 -0400 +@@ -3572,6 +3572,10 @@ _nss_ldap_getbyname (ldap_args_t * args, + + debug ("<== _nss_ldap_getbyname"); + ++ /* at least for the cases where we know we have to return ERANGE */ ++ if (stat == NSS_TRYAGAIN) ++ do_map_errno(stat, errnop); ++ + return stat; + } + diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch b/pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch new file mode 100644 index 000000000..f0f8793b2 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-fix-uninit.patch @@ -0,0 +1,10 @@ +--- nss_ldap-265/ldap-nss.c.orig 2010-10-18 22:11:18.112108167 +1100 ++++ nss_ldap-265/ldap-nss.c 2010-10-18 22:13:20.030169868 +1100 +@@ -3449,6 +3449,7 @@ + + debug ("==> _nss_ldap_getbyname"); + ++ memset(&ctx, 0, sizeof(ent_context_t)); + ctx.ec_msgid = -1; + ctx.ec_cookie = NULL; + ctx.ec_eof = 0; diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch b/pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch new file mode 100644 index 000000000..44f454cb6 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch @@ -0,0 +1,190 @@ +This builds off of the recursion checking introduced by -depth to avoid +a deadlock if/when we recurse into ourselves while looking up the user's +UID to compare it to the configured value. Revision for upstream #341. + +diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c +--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400 +@@ -34,6 +34,7 @@ + #endif + + #include ++#include + #include + #include + #include +@@ -4356,20 +4357,55 @@ + int + _nss_ldap_test_initgroups_ignoreuser (const char *user) + { +- char **p; ++ char **p, *buf; ++ size_t buflen; ++ struct passwd pwd, *passwd; + +- if (__config == NULL) +- return 0; +- +- if (__config->ldc_initgroups_ignoreusers == NULL) +- return 0; +- +- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++) ++ if (__config != NULL) + { +- if (strcmp (*p, user) == 0) +- return 1; ++ if (__config->ldc_initgroups_ignoreusers != NULL) ++ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++) ++ { ++ if (strcmp (*p, user) == 0) ++ return 1; ++ } ++ if (__config->ldc_initgroups_minimum_uid >= 0) ++ { ++ memset (&pwd, 0, sizeof(pwd)); ++ buflen = 0x100; ++ buf = malloc(buflen); ++ if (buf != NULL) ++ { ++ passwd = NULL; ++ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) && ++ (passwd != &pwd)) ++ { ++ switch (errno) ++ { ++ case ERANGE: ++ buflen *= 2; ++ free(buf); ++ if (buflen > 0x100000) ++ buf = NULL; ++ else ++ buf = malloc(buflen); ++ break; ++ case EINTR: ++ continue; ++ break; ++ default: ++ free(buf); ++ buf = NULL; ++ break; ++ } ++ if (buf == NULL) ++ break; ++ } ++ } ++ if ((passwd == &pwd) && (passwd->pw_uid < 1000)) ++ return 1; ++ } + } +- + return 0; + } + +diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h +--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400 +@@ -400,6 +400,7 @@ + time_t ldc_mtime; + + char **ldc_initgroups_ignoreusers; ++ int ldc_initgroups_minimum_uid; + + /* disable the do-res_init()-on-resolv.conf-changes hack */ + unsigned int ldc_resolv_conf_res_init_hack; +diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c +--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400 +@@ -49,6 +49,7 @@ + #include "ldap-nss.h" + #include "ldap-pwd.h" + #include "util.h" ++#include "depth.h" + + #ifdef HAVE_PORT_AFTER_H + #include +@@ -242,6 +243,10 @@ + struct passwd * result, + char *buffer, size_t buflen, int *errnop) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif + LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam, + LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT) + AND_REQUIRE_MATCH(name, result->pw_name); +@@ -261,6 +266,10 @@ + struct passwd *result, + char *buffer, size_t buflen, int *errnop) + { ++#ifdef HAVE_THREAD_LOCAL_STORAGE ++ if (_nss_ldap_get_depth() > 0) ++ return NSS_STATUS_UNAVAIL; ++#endif + LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid, + LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT); + } +diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5 +--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400 +@@ -445,6 +445,14 @@ + to return NSS_STATUS_NOTFOUND if called with a listed users as + its argument. + .TP ++.B nss_initgroups_minimum_uid ++This option directs the ++.B nss_ldap ++implementation of ++.BR initgroups(3) ++to return NSS_STATUS_NOTFOUND if called with a user whose UID is ++below the value given as the argument. ++.TP + .B nss_getgrent_skipmembers + Specifies whether or not to populate the members list in + the group structure for group lookups. If very large groups +diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c +--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400 ++++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400 +@@ -669,6 +669,7 @@ + result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME; + result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES; + result->ldc_initgroups_ignoreusers = NULL; ++ result->ldc_initgroups_minimum_uid = -1; + + for (i = 0; i <= LM_NONE; i++) + { +@@ -1180,6 +1181,10 @@ + break; + } + } ++ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID)) ++ { ++ result->ldc_initgroups_minimum_uid = atoi(v); ++ } + else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS)) + { + if (!strcasecmp (v, "on") || !strcasecmp (v, "yes") +diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h +--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500 ++++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400 +@@ -92,6 +92,7 @@ + #define NSS_LDAP_KEY_PAGESIZE "pagesize" + #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups" + #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers" ++#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid" + #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers" + + /* more reconnect policy fine-tuning */ +--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400 ++++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500 +@@ -177,8 +177,8 @@ + #nss_base_aliases ou=Aliases,dc=padl,dc=com?one + #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +-# Just assume that there are no supplemental groups for these named users +-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody ++# Just assume that there are no supplemental groups for system users. ++nss_initgroups_minimum_uid 500 + + # attribute/objectclass mapping + # Syntax: diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch b/pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch new file mode 100644 index 000000000..2978ce17c --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-local_users.patch @@ -0,0 +1,17 @@ +Configure by default to fail, quickly, requests for supplemental group +information for "root", "ldap", and assorted other users as whom services +run or who are mentioned by the DBus configuration. This patch will never +be pretty. + +--- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400 ++++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500 +@@ -177,6 +177,9 @@ + #nss_base_aliases ou=Aliases,dc=padl,dc=com?one + #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + ++# Just assume that there are no supplemental groups for these named users ++nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody ++ + # attribute/objectclass mapping + # Syntax: + #nss_map_attribute rfc2307attribute mapped_attribute diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch b/pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch new file mode 100644 index 000000000..120377d23 --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-padl-bug-418.patch @@ -0,0 +1,36 @@ +diff -up nss_ldap-253/ldap-nss.c.padl418 nss_ldap-253/ldap-nss.c +--- nss_ldap-253/ldap-nss.c.padl418 2010-11-17 14:08:24.000000000 +0000 ++++ nss_ldap-253/ldap-nss.c 2010-11-18 00:34:22.000000000 +0000 +@@ -1272,9 +1272,14 @@ do_init (void) + } + } + +- __session.ls_conn = NULL; ++ /* looks like a problem. could be initialized, but not connected */ ++ if (__session.ls_state != LS_UNINITIALIZED) ++ { ++ debug ("<== do_init (already initialized)"); ++ goto initialized; ++ } ++ + __session.ls_timestamp = 0; +- __session.ls_state = LS_UNINITIALIZED; + + #if defined(HAVE_PTHREAD_ONCE) && defined(HAVE_PTHREAD_ATFORK) + if (pthread_once (&__once, do_atfork_setup) != 0) +@@ -1394,6 +1399,7 @@ do_init (void) + + debug ("<== do_init (initialized session)"); + ++initialized: + return NSS_SUCCESS; + } + +@@ -1614,6 +1620,7 @@ do_open (void) + } + else + { ++ syslog(LOG_ERR, "nss-ldap: do_open: do_start_tls failed:stat=%d", stat); + do_close (); + debug ("<== do_open (TLS startup failed)"); + return stat; diff --git a/pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch b/pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch new file mode 100644 index 000000000..e17345adb --- /dev/null +++ b/pkgs/nss_ldap/patches/nss_ldap-265-setnetgrent.patch @@ -0,0 +1,11 @@ +--- nss_ldap/ldap-netgrp.c ++++ nss_ldap/ldap-netgrp.c +@@ -372,7 +372,7 @@ _nss_ldap_setnetgrent (char *group, stru + _nss_ldap_filt_getnetgrent, LM_NETGROUP, + _nss_ldap_load_netgr); + +- if (stat == NSS_NOTFOUND) ++ if (stat != NSS_SUCCESS) + return stat; + + LOOKUP_SETENT (_ngbe);