Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-openldap-de...@lists.alioth.debian.org
Control: affects -1 src:openldap

For OpenLDAP in trixie, I would like to try following upstream's 2.6 LTS 
release series.

Ubuntu have been doing this for a couple of years already, starting with 
the 2.5 LTS series, without regrets as far as I know.

- Policy: https://wiki.ubuntu.com/OpenLDAPUpdates
- Recent upload (2.5.19): https://bugs.launchpad.net/bugs/2085192

The OpenLDAP release manager reviews each change and decides which 
changes to backport to stable releases. The release policy is slightly 
less strict than Debian's: stable releases are frozen with respect to 
significant features and compatibility breaks, but can include minor fixes 
or additions if they are judged to be low risk.

The full release policy is here:
https://lists.openldap.org/hyperkitty/list/openldap-annou...@openldap.org/thread/2QQNVWPUUG54JM7FGQHMMF3H4KS2PPKQ/

Upstream developers are active and react quickly to actionable 
regression reports. The release manager is subscribed to the 
pkg-openldap-devel mailing list and reads our bug reports.

Upstream QA includes:

- an extensive functional test suite
- a regression test suite (relatively new, but growing)
- upcoming releases are pre-announced and tested by the community before 
  release

On the Debian side:

- the functional test suite is run during build
- the regression suite is not (because the build time is already long)
- the package has only superficial autopkgtests, consisting of a few 
  smoke tests and regression tests
- reverse dependencies' autopkgtests contribute more coverage

The client library (libldap) is installed on most Debian systems, but it 
is mature and doesn't change much. The server (slapd) has most of the 
development activity, but fewer users.

The debdiff for the 2.6.10 update is attached.

Thank you for considering,
Ryan
diff -Nru openldap-2.6.9+dfsg/CHANGES openldap-2.6.10+dfsg/CHANGES
--- openldap-2.6.9+dfsg/CHANGES 2024-11-26 09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/CHANGES        2025-05-22 10:56:21.000000000 -0700
@@ -1,5 +1,32 @@
 OpenLDAP 2.6 Change Log
 
+OpenLDAP 2.6.10 Release (2025/05/22)
+       Added slapd microsecond timestamp format for local logging (ITS#10140)
+       Fixed libldap ldap_result behavior with LDAP_MSG_RECEIVED (ITS#10229)
+       Fixed lloadd handling of starttls critical (ITS#10323)
+       Fixed slapd syncrepl when used with slapo-rwm (ITS#10290)
+       Fixed slapd regression with certain searches (ITS#10307)
+       Fixed slapo-autoca olcAutoCAserverClass object (ITS#10288)
+       Fixed slapo-pcache caching behaviors (ITS#10270)
+       Minor Cleanup
+               ITS#7080
+               ITS#7249
+               ITS#9934
+               ITS#10020
+               ITS#10168
+               ITS#10226
+               ITS#10279
+               ITS#10299
+               ITS#10302
+               ITS#10309
+               ITS#10312
+               ITS#10320
+               ITS#10325
+               ITS#10327
+               ITS#10328
+               ITS#10331
+               ITS#10336
+
 OpenLDAP 2.6.9 Release (2024/11/26)
        Fixed libldap TLS connection timeout handling (ITS#8047)
        Fixed libldap GnuTLS incompatible pointer type (ITS#10253)
diff -Nru openldap-2.6.9+dfsg/build/version.var 
openldap-2.6.10+dfsg/build/version.var
--- openldap-2.6.9+dfsg/build/version.var       2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/build/version.var      2025-05-22 10:56:21.000000000 
-0700
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=6
-ol_patch=9
-ol_api_inc=20609
+ol_patch=10
+ol_api_inc=20610
 ol_api_current=2
 ol_api_revision=200
 ol_api_age=0
-ol_release_date="2024/11/26"
+ol_release_date="2025/05/22"
diff -Nru openldap-2.6.9+dfsg/clients/tools/common.c 
openldap-2.6.10+dfsg/clients/tools/common.c
--- openldap-2.6.9+dfsg/clients/tools/common.c  2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/clients/tools/common.c 2025-05-22 10:56:21.000000000 
-0700
@@ -780,6 +780,9 @@
                                exit( EXIT_FAILURE );
                        }
                        ldapuri = ber_strdup( optarg );
+                       if ( ldapuri == NULL ) {
+                               exit( EXIT_FAILURE );
+                       }
                        break;
                case 'I':
 #ifdef HAVE_CYRUS_SASL
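Review bot: The new `ldapuri == NULL` check exits without printing anything, so an allocation failure in ber_strdup() leaves the user with a bare non-zero exit status, while the pre-existing `exit( EXIT_FAILURE )` two lines above presumably follows a message to stderr. A short diagnostic before the exit, `fprintf( stderr, "%s: out of memory\n", prog );`, would keep the behaviour consistent; the same applies to the identical checks added for the `-w` password in the next hunk, the tool_exit() branch in the last common.c hunk, and the five SASL option hunks in ldapvc.c. The enclosing option-parsing switch starts and ends outside this hunk.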
@@ -980,6 +983,9 @@
                        break;
                case 'w':       /* password */
                        passwd.bv_val = ber_strdup( optarg );
+                       if ( passwd.bv_val == NULL ) {
+                               exit( EXIT_FAILURE );
+                       }
                        {
                                char* p;
 
@@ -1166,6 +1172,7 @@
        LDAP *ld = NULL;
 
        if ( debug ) {
+#ifdef LDAP_DEBUG
                if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug )
                        != LBER_OPT_SUCCESS )
                {
@@ -1178,6 +1185,10 @@
                        fprintf( stderr,
                                "Could not set LDAP_OPT_DEBUG_LEVEL %d\n", 
debug );
                }
+#else /* !LDAP_DEBUG */
+               fprintf( stderr,
+                               "Must compile with LDAP_DEBUG for debugging\n", 
prog );
+#endif /* !LDAP_DEBUG */
        }
 
 #ifdef SIGPIPE
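Review bot: The fprintf() added in the `#else /* !LDAP_DEBUG */` branch passes `prog` as an argument, but its format string contains no conversion, so the argument is silently ignored and `-Wformat-extra-args` will warn on it. Either prefix the program name like the other messages in this file, `"%s: must compile with LDAP_DEBUG for debugging\n", prog`, or drop the argument. The `if ( debug )` block this closes opens in the previous hunk, and the function containing it starts outside both.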
@@ -1476,6 +1487,9 @@
                                tool_exit( ld, EXIT_FAILURE );
                        }
                        passwd.bv_val = ber_strdup( pw );
+                       if ( passwd.bv_val == NULL ) {
+                               tool_exit( ld, EXIT_FAILURE );
+                       }
                        passwd.bv_len = strlen( passwd.bv_val );
                }
        }
diff -Nru openldap-2.6.9+dfsg/clients/tools/ldapvc.c 
openldap-2.6.10+dfsg/clients/tools/ldapvc.c
--- openldap-2.6.9+dfsg/clients/tools/ldapvc.c  2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/clients/tools/ldapvc.c 2025-05-22 10:56:21.000000000 
-0700
@@ -165,6 +165,9 @@
                        }
 
                        vc_sasl_mech = ber_strdup(cvalue);
+                       if (vc_sasl_mech == NULL) {
+                               exit(EXIT_FAILURE);
+                       }
 #else
 #endif
 
@@ -182,6 +185,9 @@
                        }
 
                        vc_sasl_realm = ber_strdup(cvalue);
+                       if (vc_sasl_realm == NULL) {
+                               exit(EXIT_FAILURE);
+                       }
 #else
                        fprintf(stderr,
                                _("%s: not compiled with SASL support\n"), 
prog);
@@ -202,6 +208,9 @@
                        }
 
                        vc_sasl_authcid = ber_strdup(cvalue);
+                       if (vc_sasl_authcid == NULL) {
+                               exit(EXIT_FAILURE);
+                       }
 #else
                        fprintf(stderr,
                                _("%s: not compiled with SASL support\n"), 
prog);
@@ -222,6 +231,9 @@
                        }
 
                        vc_sasl_authzid = ber_strdup(cvalue);
+                       if (vc_sasl_authzid == NULL) {
+                               exit(EXIT_FAILURE);
+                       }
 #else
                        fprintf(stderr,
                                _("%s: not compiled with SASL support\n"), 
prog);
@@ -242,6 +254,9 @@
                        }
 
                        vc_sasl_secprops = ber_strdup(cvalue);
+                       if (vc_sasl_secprops == NULL) {
+                               exit(EXIT_FAILURE);
+                       }
 #else
                        fprintf(stderr,
                                _("%s: not compiled with SASL support\n"), 
prog);
diff -Nru openldap-2.6.9+dfsg/contrib/slapd-modules/autogroup/autogroup.c 
openldap-2.6.10+dfsg/contrib/slapd-modules/autogroup/autogroup.c
--- openldap-2.6.9+dfsg/contrib/slapd-modules/autogroup/autogroup.c     
2024-11-26 09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/contrib/slapd-modules/autogroup/autogroup.c    
2025-05-22 10:56:21.000000000 -0700
@@ -529,6 +529,7 @@
        o.ors_attrs =  agf->agf_anlist ? agf->agf_anlist : slap_anlist_no_attrs;
        o.o_do_not_cache = 1;
        o.o_abandon = 0;
+       o.o_managedsait = SLAP_CONTROL_NONCRITICAL;
 
        agg.agg_group = age;
        agg.agg_filter = agf;
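Review bot: This hunk sets `o.o_managedsait = SLAP_CONTROL_NONCRITICAL` while the second autogroup.c hunk sets the same field on its internal search to `SLAP_CONTROL_CRITICAL`, and nothing in either hunk explains why the two searches should differ. If the difference is deliberate, a one-line comment above each assignment stating why that search needs its particular criticality would stop a later reader from "fixing" one to match the other; if it is not deliberate, the two should use the same value. Both enclosing functions start and end outside their hunks.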
@@ -2130,6 +2131,7 @@
        op->ors_slimit = SLAP_NO_LIMIT;
        op->ors_attrs =  slap_anlist_no_attrs;
        op->o_do_not_cache = 1;
+       op->o_managedsait = SLAP_CONTROL_CRITICAL;
 
        op->o_bd = be;
        op->o_bd->bd_info = (BackendInfo *)on->on_info;
diff -Nru openldap-2.6.9+dfsg/contrib/slapd-modules/variant/variant.c 
openldap-2.6.10+dfsg/contrib/slapd-modules/variant/variant.c
--- openldap-2.6.9+dfsg/contrib/slapd-modules/variant/variant.c 2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/contrib/slapd-modules/variant/variant.c        
2025-05-22 10:56:21.000000000 -0700
@@ -696,7 +696,7 @@
        { "passReplication", "on|off", 2, 2, 0,
                ARG_ON_OFF|ARG_OFFSET,
                (void *)offsetof( variant_info_t, passReplication ),
-               "( OLcfgOvAt:9.1 NAME 'olcVariantPassReplication' "
+               "( OLcfgCtAt:9.1 NAME 'olcVariantPassReplication' "
                        "DESC 'Whether to let searches with replication control 
"
                                "pass unmodified' "
                        "SYNTAX OMsBoolean "
@@ -706,7 +706,7 @@
        { "variantDN", "dn", 2, 2, 0,
                ARG_DN|ARG_QUOTE|ARG_MAGIC,
                variant_set_dn,
-               "( OLcfgOvAt:9.2 NAME 'olcVariantEntry' "
+               "( OLcfgCtAt:9.2 NAME 'olcVariantEntry' "
                        "DESC 'DN of the variant entry' "
                        "EQUALITY distinguishedNameMatch "
                        "SYNTAX OMsDN "
@@ -716,7 +716,7 @@
        { "variantRegex", "regex", 2, 2, 0,
                ARG_BERVAL|ARG_QUOTE|ARG_MAGIC,
                variant_set_regex,
-               "( OLcfgOvAt:9.6 NAME 'olcVariantEntryRegex' "
+               "( OLcfgCtAt:9.6 NAME 'olcVariantEntryRegex' "
                        "DESC 'Pattern for the variant entry' "
                        "EQUALITY caseExactMatch "
                        "SYNTAX OMsDirectoryString "
@@ -727,7 +727,7 @@
        { "", NULL, 2, 2, 0,
                ARG_STRING|ARG_MAGIC|VARIANT_ATTR,
                variant_set_attribute,
-               "( OLcfgOvAt:9.3 NAME 'olcVariantVariantAttribute' "
+               "( OLcfgCtAt:9.3 NAME 'olcVariantVariantAttribute' "
                        "DESC 'Attribute to fill in the entry' "
                        "EQUALITY caseIgnoreMatch "
                        "SYNTAX OMsDirectoryString "
@@ -737,7 +737,7 @@
        { "", NULL, 2, 2, 0,
                ARG_STRING|ARG_MAGIC|VARIANT_ATTR_ALT,
                variant_set_attribute,
-               "( OLcfgOvAt:9.4 NAME 'olcVariantAlternativeAttribute' "
+               "( OLcfgCtAt:9.4 NAME 'olcVariantAlternativeAttribute' "
                        "DESC 'Attribute to take from the alternative entry' "
                        "EQUALITY caseIgnoreMatch "
                        "SYNTAX OMsDirectoryString "
@@ -747,7 +747,7 @@
        { "", NULL, 2, 2, 0,
                ARG_DN|ARG_QUOTE|ARG_MAGIC,
                variant_set_alt_dn,
-               "( OLcfgOvAt:9.5 NAME 'olcVariantAlternativeEntry' "
+               "( OLcfgCtAt:9.5 NAME 'olcVariantAlternativeEntry' "
                        "DESC 'DN of the alternative entry' "
                        "EQUALITY distinguishedNameMatch "
                        "SYNTAX OMsDN "
@@ -757,7 +757,7 @@
        { "", NULL, 2, 2, 0,
                ARG_BERVAL|ARG_QUOTE|ARG_MAGIC,
                variant_set_alt_pattern,
-               "( OLcfgOvAt:9.7 NAME 'olcVariantAlternativeEntryPattern' "
+               "( OLcfgCtAt:9.7 NAME 'olcVariantAlternativeEntryPattern' "
                        "DESC 'Replacement pattern to locate the alternative 
entry' "
                        "EQUALITY caseExactMatch "
                        "SYNTAX OMsDirectoryString "
@@ -780,13 +780,13 @@
 };
 
 static ConfigOCs variant_ocs[] = {
-       { "( OLcfgOvOc:9.1 "
+       { "( OLcfgCtOc:9.1 "
                "NAME 'olcVariantConfig' "
                "DESC 'Variant overlay configuration' "
                "SUP olcOverlayConfig "
                "MAY ( olcVariantPassReplication ) )",
                Cft_Overlay, variant_cfg, NULL, variant_cfadd },
-       { "( OLcfgOvOc:9.2 "
+       { "( OLcfgCtOc:9.2 "
                "NAME 'olcVariantVariant' "
                "DESC 'Variant configuration' "
                "MUST ( olcVariantEntry ) "
@@ -794,7 +794,7 @@
                "SUP top "
                "STRUCTURAL )",
                Cft_Misc, variant_cfg, variant_ldadd },
-       { "( OLcfgOvOc:9.3 "
+       { "( OLcfgCtOc:9.3 "
                "NAME 'olcVariantAttribute' "
                "DESC 'Variant attribute description' "
                "MUST ( olcVariantVariantAttribute $ "
@@ -805,7 +805,7 @@
                "SUP top "
                "STRUCTURAL )",
                Cft_Misc, variant_cfg, variant_attr_ldadd },
-       { "( OLcfgOvOc:9.4 "
+       { "( OLcfgCtOc:9.4 "
                "NAME 'olcVariantRegex' "
                "DESC 'Variant configuration' "
                "MUST ( olcVariantEntryRegex ) "
@@ -813,7 +813,7 @@
                "SUP top "
                "STRUCTURAL )",
                Cft_Misc, variant_cfg, variant_regex_ldadd },
-       { "( OLcfgOvOc:9.5 "
+       { "( OLcfgCtOc:9.5 "
                "NAME 'olcVariantAttributePattern' "
                "DESC 'Variant attribute description' "
                "MUST ( olcVariantVariantAttribute $ "
diff -Nru openldap-2.6.9+dfsg/debian/changelog 
openldap-2.6.10+dfsg/debian/changelog
--- openldap-2.6.9+dfsg/debian/changelog        2025-03-11 16:27:52.000000000 
-0700
+++ openldap-2.6.10+dfsg/debian/changelog       2025-05-24 16:23:14.000000000 
-0700
@@ -1,3 +1,9 @@
+openldap (2.6.10+dfsg-1) UNRELEASED; urgency=medium
+
+  * New upstream release.
+
+ -- Ryan Tandy <r...@nardis.ca>  Sat, 24 May 2025 16:23:14 -0700
+
 openldap (2.6.9+dfsg-2) unstable; urgency=medium
 
   [ Adriano Rafael Gomes ]
diff -Nru openldap-2.6.9+dfsg/doc/guide/admin/replication.sdf 
openldap-2.6.10+dfsg/doc/guide/admin/replication.sdf
--- openldap-2.6.9+dfsg/doc/guide/admin/replication.sdf 2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/doc/guide/admin/replication.sdf        2025-05-22 
10:56:21.000000000 -0700
@@ -347,6 +347,10 @@
 bring it up to date and replication then switches back to the delta-syncrepl
 mode.
 
+Note: partial replication is incompatible with deltasync. For deltasync to
+work, the replication user needs unrestricted read access to both the main
+database and accesslog database.
+
 Note: since the database state is stored in both the changelog DB and the
 main DB on the provider, it is important to backup/restore both the changelog
 DB and the main DB using slapcat/slapadd when restoring a DB or copying
@@ -481,9 +485,18 @@
 must first be configured in {{slapd.conf}}(5) before it can be
 used. The provider has two primary configuration directives and
 two secondary directives for when delta-syncrepl is being used.
+
 Because the LDAP Sync search is subject to access control, proper
 access control privileges should be set up for the replicated
-content.
+content. In many environments the replicas are meant to carry the
+same data as provider so the replication user needs unrestricted
+read access to the database and as such this tends to be the first
+access rule for that database:
+
+> access to * by "$REPLICATOR" read by * break
+
+However if partial replication is desired, the access rules can be
+tightened appropriately.
 
 The two primary options to configure are the checkpoint and
 sessionlog behaviors.
@@ -497,7 +510,13 @@
 time has passed since the last checkpoint, a new checkpoint is
 performed. Checkpointing is disabled by default.
 
-The session log is configured by the
+If an accesslog is maintained for this database and contains all the
+successful writes, it is the preferred way to provide the resync
+information:
+
+> syncprov-sessionlog-source <accesslog db suffix>
+
+Otherwise an in memory session session log is configured by the
 
 >      syncprov-sessionlog <ops>
 
@@ -535,7 +554,7 @@
 >
 >      overlay syncprov
 >      syncprov-checkpoint 100 10
->      syncprov-sessionlog 100
+>      syncprov-sessionlog-source cn=accesslog
 
 
 H4: Set up the consumer slapd
diff -Nru openldap-2.6.9+dfsg/doc/guide/admin/slapdconf2.sdf 
openldap-2.6.10+dfsg/doc/guide/admin/slapdconf2.sdf
--- openldap-2.6.9+dfsg/doc/guide/admin/slapdconf2.sdf  2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/doc/guide/admin/slapdconf2.sdf 2025-05-22 
10:56:21.000000000 -0700
@@ -1045,102 +1045,103 @@
 E: 15.    # global database parameters
 E: 16.    dn: olcDatabase=frontend,cn=config
 E: 17.    objectClass: olcDatabaseConfig
-E: 18.    olcDatabase: frontend
-E: 19.    olcAccess: to * by * read
-E: 20.
+E: 18.    objectClass: olcFrontendConfig
+E: 19.    olcDatabase: frontend
+E: 20.    olcAccess: to * by * read
+E: 21.
 
 Line 15 is a comment. Lines 16-18 identify this entry as the global
-database entry. Line 19 is a global access control. It applies to all
+database entry. Line 20 is a global access control. It applies to all
 entries (after any applicable database-specific access controls).
-Line 20 is a blank line.
+Line 21 is a blank line.
 
 The next entry defines the config backend.
 
-E: 21.    # set a rootpw for the config database so we can bind.
-E: 22.    # deny access to everyone else.
-E: 23.    dn: olcDatabase=config,cn=config
-E: 24.    objectClass: olcDatabaseConfig
-E: 25.    olcDatabase: config
-E: 26.    olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
-E: 27.    olcAccess: to * by * none
-E: 28.
-
-Lines 21-22 are comments. Lines 23-25 identify this entry as the config
-database entry. Line 26 defines the {{super-user}} password for this
-database. (The DN defaults to {{"cn=config"}}.) Line 27 denies all access
+E: 22.    # set a rootpw for the config database so we can bind.
+E: 23.    # deny access to everyone else.
+E: 24.    dn: olcDatabase=config,cn=config
+E: 25.    objectClass: olcDatabaseConfig
+E: 26.    olcDatabase: config
+E: 27.    olcRootPW: {SSHA}XKYnrjvGT3wZFQrDD5040US592LxsdLy
+E: 28.    olcAccess: to * by * none
+E: 29.
+
+Lines 22-23 are comments. Lines 24-26 identify this entry as the config
+database entry. Line 27 defines the {{super-user}} password for this
+database. (The DN defaults to {{"cn=config"}}.) Line 28 denies all access
 to this database, so only the super-user will be able to access it. (This
 is already the default access on the config database. It is just listed
 here for illustration, and to reiterate that unless a means to authenticate
 as the super-user is explicitly configured, the config database will be
 inaccessible.)
 
-Line 28 is a blank line.
+Line 29 is a blank line.
 
 The next entry defines an MDB backend that will handle queries for things
 in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
 for several attributes, and the {{EX:userPassword}} attribute is to be
 protected from unauthorized access.
 
-E: 29.    # MDB definition for example.com
-E: 30.    dn: olcDatabase=mdb,cn=config
-E: 31.    objectClass: olcDatabaseConfig
-E: 32.    objectClass: olcMdbConfig
-E: 33.    olcDatabase: mdb
-E: 34.    olcSuffix: dc=example,dc=com
-E: 35.    olcDbDirectory: /usr/local/var/openldap-data
-E: 36.    olcRootDN: cn=Manager,dc=example,dc=com
-E: 37.    olcRootPW: secret
-E: 38.    olcDbIndex: uid pres,eq
-E: 39.    olcDbIndex: cn,sn pres,eq,approx,sub
-E: 40.    olcDbIndex: objectClass eq
-E: 41.    olcAccess: to attrs=userPassword
-E: 42.      by self write
-E: 43.      by anonymous auth
-E: 44.      by dn.base="cn=Admin,dc=example,dc=com" write
-E: 45.      by * none
-E: 46.    olcAccess: to *
-E: 47.      by self write
-E: 48.      by dn.base="cn=Admin,dc=example,dc=com" write
-E: 49.      by * read
-E: 50.
-
-Line 29 is a comment. Lines 30-33 identify this entry as a MDB database
-configuration entry.  Line 34 specifies the DN suffix
-for queries to pass to this database. Line 35 specifies the directory
+E: 30.    # MDB definition for example.com
+E: 31.    dn: olcDatabase=mdb,cn=config
+E: 32.    objectClass: olcDatabaseConfig
+E: 33.    objectClass: olcMdbConfig
+E: 34.    olcDatabase: mdb
+E: 35.    olcSuffix: dc=example,dc=com
+E: 36.    olcDbDirectory: /usr/local/var/openldap-data
+E: 37.    olcRootDN: cn=Manager,dc=example,dc=com
+E: 38.    olcRootPW: secret
+E: 39.    olcDbIndex: uid pres,eq
+E: 40.    olcDbIndex: cn,sn pres,eq,approx,sub
+E: 41.    olcDbIndex: objectClass eq
+E: 42.    olcAccess: to attrs=userPassword
+E: 43.      by self write
+E: 44.      by anonymous auth
+E: 45.      by dn.base="cn=Admin,dc=example,dc=com" write
+E: 46.      by * none
+E: 47.    olcAccess: to *
+E: 48.      by self write
+E: 49.      by dn.base="cn=Admin,dc=example,dc=com" write
+E: 50.      by * read
+E: 51.
+
+Line 30 is a comment. Lines 31-34 identify this entry as a MDB database
+configuration entry.  Line 35 specifies the DN suffix
+for queries to pass to this database. Line 36 specifies the directory
 in which the database files will live.
 
-Lines 36 and 37 identify the database {{super-user}} entry and associated
+Lines 37 and 38 identify the database {{super-user}} entry and associated
 password. This entry is not subject to access control or size or
 time limit restrictions.
 
-Lines 38 through 40 indicate the indices to maintain for various
+Lines 39 through 41 indicate the indices to maintain for various
 attributes.
 
-Lines 41 through 49 specify access control for entries in this
+Lines 42 through 50 specify access control for entries in this
 database. For all applicable entries, the {{EX:userPassword}} attribute is 
writable
 by the entry itself and by the "admin" entry.  It may be used for
 authentication/authorization purposes, but is otherwise not readable.
 All other attributes are writable by the entry and the "admin"
 entry, but may be read by all users (authenticated or not).
 
-Line 50 is a blank line, indicating the end of this entry.
+Line 51 is a blank line, indicating the end of this entry.
 
 The next entry defines another
 MDB database. This one handles queries involving the
 {{EX:dc=example,dc=net}} subtree but is managed by the same entity
-as the first database.  Note that without line 60, the read access
-would be allowed due to the global access rule at line 19.
+as the first database.  Note that without line 61, the read access
+would be allowed due to the global access rule at line 20.
 
-E: 51.    # MDB definition for example.net
-E: 52.    dn: olcDatabase=mdb,cn=config
-E: 53.    objectClass: olcDatabaseConfig
-E: 54.    objectClass: olcMdbConfig
-E: 55.    olcDatabase: mdb
-E: 56.    olcSuffix: dc=example,dc=net
-E: 57.    olcDbDirectory: /usr/local/var/openldap-data-net
-E: 58.    olcRootDN: cn=Manager,dc=example,dc=com
-E: 59.    olcDbIndex: objectClass eq
-E: 60.    olcAccess: to * by users read
+E: 52.    # MDB definition for example.net
+E: 53.    dn: olcDatabase=mdb,cn=config
+E: 54.    objectClass: olcDatabaseConfig
+E: 55.    objectClass: olcMdbConfig
+E: 56.    olcDatabase: mdb
+E: 57.    olcSuffix: dc=example,dc=net
+E: 58.    olcDbDirectory: /usr/local/var/openldap-data-net
+E: 59.    olcRootDN: cn=Manager,dc=example,dc=com
+E: 60.    olcDbIndex: objectClass eq
+E: 61.    olcAccess: to * by users read
 
 
 H2: Converting old style {{slapd.conf}}(5) file to {{cn=config}} format
diff -Nru openldap-2.6.9+dfsg/doc/man/man5/ldap.conf.5 
openldap-2.6.10+dfsg/doc/man/man5/ldap.conf.5
--- openldap-2.6.9+dfsg/doc/man/man5/ldap.conf.5        2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/doc/man/man5/ldap.conf.5       2025-05-22 
10:56:21.000000000 -0700
@@ -159,7 +159,6 @@
 of the search.
 .RE
 .TP
-.TP
 .B HOST <name[:port] ...>
 Specifies the name(s) of an LDAP server(s) to which the
 .I LDAP 
@@ -184,15 +183,18 @@
 Linux only.
 .TP
 .B NETWORK_TIMEOUT <integer>
-Specifies the timeout (in seconds) after which the poll(2)/select(2)
-following a connect(2) returns in case of no activity.
+Specifies the timeout (in seconds) after which the
+.BR poll (2)/ select (2)
+following a
+.BR connect (2)
+returns in case of no activity.
 .TP
 .B PORT <port>
 Specifies the default port used when connecting to LDAP servers(s).
 The port may be specified as a number.
 .B PORT
 is deprecated in favor of
-.BR URI.
+.BR URI .
 .TP
 .B REFERRALS <on/true/yes/off/false/no>
 Specifies if the client should automatically follow referrals returned
@@ -295,7 +297,7 @@
 description).  The default is
 .BR INT_MAX .
 .TP
-.B maxbufsize=<factor> 
+.B maxbufsize=<factor>
 specifies the maximum security layer receive buffer
 size allowed.  0 disables security layers.  The default is 65536.
 .RE
@@ -338,7 +340,7 @@
 be specified, separated by a semi-colon.  The
 .B TLS_CACERT
 is always used before
-.B TLS_CACERTDIR.
+.BR TLS_CACERTDIR .
 .TP
 .B TLS_CERT <filename>
 Specifies the file that contains the client certificate.
diff -Nru openldap-2.6.9+dfsg/doc/man/man5/slapd-config.5 
openldap-2.6.10+dfsg/doc/man/man5/slapd-config.5
--- openldap-2.6.9+dfsg/doc/man/man5/slapd-config.5     2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/doc/man/man5/slapd-config.5    2025-05-22 
10:56:21.000000000 -0700
@@ -572,7 +572,7 @@
 only go to stderr and are not recorded anywhere else.
 Specifying a logfile copies messages to both stderr and the logfile.
 .TP
-.B olcLogFileFormat: debug | syslog-utc | syslog-localtime
+.B olcLogFileFormat: debug|syslog-utc|syslog-localtime|rfc3339-utc
 Specify the prefix format for messages written to the logfile. The debug
 format is the normal format used for slapd debug messages, with a timestamp
 in hexadecimal, followed by a thread ID.  The other options are to
@@ -953,6 +953,13 @@
 locations will be used. Multiple directories may be specified,
 separated by a semi-colon.
 .TP
+.B olcTLSCACertificate: <CA cert>
+Stores a single CA certificate that will be trusted by the server, in DER 
format.
+If this option is set, the \fBolcTLSCACertificateFile\fP and
+\fBolcTLSCACertificatePath\fP options are ignored. If multiple
+CA certificates are required, the \fBolcTLSCACertificateFile\fP
+or \fBolcTLSCACertificatePath\fP options must be used instead of this option.
+.TP
 .B olcTLSCertificateFile: <filename>
 Specifies the file that contains the
 .B slapd
@@ -961,17 +968,24 @@
 When using OpenSSL that file may also contain any number of intermediate
 certificates after the server certificate.
 .TP
+.B olcTLSCertificate: <cert>
+Stores a single certificate for the server, in DER format. If this option is
+used, the \fBolcTLSCertificateFile\fP option is ignored.
+.TP
 .B olcTLSCertificateKeyFile: <filename>
 Specifies the file that contains the
 .B slapd
-server private key that matches the certificate stored in the
-.B olcTLSCertificateFile
-file. If the private key is protected with a password, the password must
+server private key that matches the specified server certificate.
+If the private key file is protected with a password, the password must
 be manually typed in when slapd starts.  Usually the private key is not
 protected with a password, to allow slapd to start without manual
 intervention, so
 it is of critical importance that the file is protected carefully. 
 .TP
+.B olcTLSCertificateKey <key>
+Stores the private key that matches the server certificate. If this option is
+used, the \fBolcTLSCertificateKeyFile\fP option is ignored.
+.TP
 .B olcTLSDHParamFile: <filename>
 This directive specifies the file that contains parameters for Diffie-Hellman
 ephemeral key exchange.  This is required in order to use a DSA certificate on
diff -Nru openldap-2.6.9+dfsg/doc/man/man5/slapd.conf.5 
openldap-2.6.10+dfsg/doc/man/man5/slapd.conf.5
--- openldap-2.6.9+dfsg/doc/man/man5/slapd.conf.5       2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/doc/man/man5/slapd.conf.5      2025-05-22 
10:56:21.000000000 -0700
@@ -626,7 +626,7 @@
 only go to stderr and are not recorded anywhere else.
 Specifying a logfile copies messages to both stderr and the logfile.
 .TP
-.B logfile-format debug | syslog-utc | syslog-localtime
+.B logfile-format debug|syslog-utc|syslog-localtime|rfc3339-utc
 Specify the prefix format for messages written to the logfile. The debug
 format is the normal format used for slapd debug messages, with a timestamp
 in hexadecimal, followed by a thread ID.  The other options are to
diff -Nru openldap-2.6.9+dfsg/doc/man/man5/slapo-dynlist.5 
openldap-2.6.10+dfsg/doc/man/man5/slapo-dynlist.5
--- openldap-2.6.9+dfsg/doc/man/man5/slapo-dynlist.5    2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/doc/man/man5/slapo-dynlist.5   2025-05-22 
10:56:21.000000000 -0700
@@ -128,6 +128,9 @@
 .B static-oc
 objectClass is also specified, then the memberOf attribute will also be
 populated with the DNs of the static groups that an entry is a member of.
+Note that using the same
+.B static-oc
+objectClass in more than one dynamic group configuration is not supported.
 If the optional
 .B *
 character is also specified, then the member and memberOf values will be
diff -Nru openldap-2.6.9+dfsg/doc/man/man8/slapacl.8 
openldap-2.6.10+dfsg/doc/man/man8/slapacl.8
--- openldap-2.6.9+dfsg/doc/man/man8/slapacl.8  2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/doc/man/man8/slapacl.8 2025-05-22 10:56:21.000000000 
-0700
@@ -131,15 +131,15 @@
 for details.
 .RE
 .TP
-.BI \-u
-do not fetch the entry from the database.
-In this case, if the entry does not exist, a fake entry with the
+.B \-u
+enable dry-run mode. Do not fetch any entries from the database.
+In this case, a fake entry with the
 .I DN
 given with the
 .B \-b
 option is used, with no attributes.
 As a consequence, those rules that depend on the contents 
-of the target object will not behave as with the real object.
+of the target object or any other database objects will not behave as with the 
real object.
 The
 .I DN
 given with the
diff -Nru openldap-2.6.9+dfsg/libraries/libldap/error.c 
openldap-2.6.10+dfsg/libraries/libldap/error.c
--- openldap-2.6.9+dfsg/libraries/libldap/error.c       2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/libraries/libldap/error.c      2025-05-22 
10:56:21.000000000 -0700
@@ -261,6 +261,25 @@
        LDAP_MUTEX_LOCK( &ld->ld_res_mutex );
        /* Find the result, last msg in chain... */
        lm = r->lm_chain_tail;
+       if ( r->lm_msgid != lm->lm_msgid ) {
+               /*
+                * ITS#10229: Returned with LDAP_MSG_ALL+LDAP_MSG_RECEIVED. 
People who
+                * do that aren't expected to call ldap_parse_result not least 
because
+                * they have no idea what the msgid of the result would be. 
Just do our
+                * best.
+                *
+                * We could also return LDAP_NO_RESULTS_RETURNED if there isn't 
a
+                * result for r's operation.
+                */
+               lm = r;
+               for ( lm = r; lm; lm = lm->lm_chain ) {
+                       if ( lm->lm_msgtype != LDAP_RES_SEARCH_ENTRY &&
+                                       lm->lm_msgtype != 
LDAP_RES_SEARCH_REFERENCE &&
+                                       lm->lm_msgtype != LDAP_RES_INTERMEDIATE 
)
+                               break;
+               }
+       }
+
        /* FIXME: either this is not possible (assert?)
         * or it should be handled */
        if ( lm != NULL ) {
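Review bot: The new comparison `r->lm_msgid != lm->lm_msgid` dereferences `lm` before the pre-existing `if ( lm != NULL )` guard a few lines below, and the FIXME attached to that guard says a NULL `lm_chain_tail` may be possible; if it is, this hunk introduces a NULL dereference on the path it was meant to improve. Extending the condition to `if ( lm != NULL && r->lm_msgid != lm->lm_msgid ) {` keeps the existing guard meaningful. The standalone `lm = r;` just before the `for` is redundant with the loop initialiser and can go. The enclosing function starts before the hunk and continues past it.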
diff -Nru openldap-2.6.9+dfsg/libraries/libldap/result.c 
openldap-2.6.10+dfsg/libraries/libldap/result.c
--- openldap-2.6.9+dfsg/libraries/libldap/result.c      2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/libraries/libldap/result.c     2025-05-22 
10:56:21.000000000 -0700
@@ -146,8 +146,32 @@
                "ldap_chkResponseList ld %p msgid %d all %d\n",
                (void *)ld, msgid, all );
 
+       lm = ld->ld_responses;
+       if ( lm && msgid == LDAP_RES_ANY && all == LDAP_MSG_RECEIVED ) {
+               /*
+                * ITS#10229: asked to return all messages received so far,
+                * draft-ietf-ldapext-ldap-c-api which defines 
LDAP_MSG_RECEIVED lets
+                * us mix different msgids in what we return
+                *
+                * We have two choices in *how* we return the messages:
+                * - we link all chains together
+                * - we keep the chains intact and use lm_next
+                *
+                * The former will make life harder for ldap_parse_result 
finding a
+                * result message, the latter affects routines that iterate over
+                * messages. This take does the former.
+                */
+               ld->ld_responses = NULL;
+               while ( lm->lm_next ) {
+                       lm->lm_chain_tail->lm_chain = lm->lm_next;
+                       lm->lm_chain_tail = lm->lm_next->lm_chain_tail;
+                       lm->lm_next = lm->lm_next->lm_next;
+               }
+               return lm;
+       }
+
        lastlm = &ld->ld_responses;
-       for ( lm = ld->ld_responses; lm != NULL; lm = nextlm ) {
+       for ( ; lm != NULL; lm = nextlm ) {
                nextlm = lm->lm_next;
                ++cnt;
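Review bot: The splice loop that folds every queued chain into `lm` (`while ( lm->lm_next ) { ... }`) is duplicated verbatim in the wait-loop hunk further down in this file; a small static helper would keep the two copies from drifting. Both copies also leave each appended message's own `lm_next` pointing at its former neighbour, which is harmless only if nothing walks `lm_next` below the head of a returned chain — I can't confirm that from here, so either clearing it during the splice or a comment stating the invariant would help. The loop additionally assumes `lm_chain_tail` is non-NULL on every queued message. The enclosing function starts and ends outside the hunk.
```c
/* ITS#10229: fold every queued response chain into the first one and
 * hand it back, leaving ld_responses empty. */
static LDAPMessage *
ldap_int_merge_responses( LDAP *ld )
{
	LDAPMessage *lm = ld->ld_responses;

	ld->ld_responses = NULL;
	while ( lm->lm_next ) {
		lm->lm_chain_tail->lm_chain = lm->lm_next;
		lm->lm_chain_tail = lm->lm_next->lm_chain_tail;
		lm->lm_next = lm->lm_next->lm_next;
	}
	return lm;
}

/* … unchanged: ldap_chkResponseList prologue … */
	if ( lm && msgid == LDAP_RES_ANY && all == LDAP_MSG_RECEIVED ) {
		return ldap_int_merge_responses( ld );
	}
```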
 
@@ -387,6 +411,37 @@
                        LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
                }
 
+               if ( all == LDAP_MSG_RECEIVED ) {
+                       /*
+                        * ITS#10229: we looped over all ready connections 
accumulating
+                        * messages in ld_responses, check if we have something 
to return
+                        * right now.
+                        */
+                       LDAPMessage **lp, *lm = ld->ld_responses;
+
+                       if ( lm && msgid == LDAP_RES_ANY ) {
+                               *result = lm;
+
+                               ld->ld_responses = NULL;
+                               while ( lm->lm_next ) {
+                                       lm->lm_chain_tail->lm_chain = 
lm->lm_next;
+                                       lm->lm_chain_tail = 
lm->lm_next->lm_chain_tail;
+                                       lm->lm_next = lm->lm_next->lm_next;
+                               }
+                               rc = lm->lm_msgtype;
+                               break;
+                       }
+
+                       for ( lp = &ld->ld_responses; lm; lp = &lm->lm_next, lm 
= *lp ) {
+                               if ( msgid == lm->lm_msgid ) break;
+                       }
+                       if ( lm ) {
+                               *lp = lm->lm_next;
+                               *result = lm;
+                               rc = lm->lm_msgtype;
+                       }
+               }
+
                if ( rc == LDAP_MSG_X_KEEP_LOOKING && tvp != NULL ) {
                        struct timeval  curr_time_tv = { 0 },
                                        delta_time_tv = { 0 };
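Review bot: In the `all == LDAP_MSG_RECEIVED` block, the `msgid == LDAP_RES_ANY` path ends with `break`, while the specific-msgid path below it only sets `*result` and `rc` and then falls into the `rc == LDAP_MSG_X_KEEP_LOOKING` test; presumably a message type in `rc` ends the surrounding loop, but the asymmetry reads like an oversight. If it is intentional, a one-line comment such as `/* rc now holds a message type, which terminates the wait loop */` (or a matching `break`) would settle it. The loop containing this code starts and ends outside the hunk.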
@@ -1096,7 +1151,10 @@
 
        /* is this the one we're looking for? */
        if ( msgid == LDAP_RES_ANY || id == msgid ) {
-               if ( all == LDAP_MSG_ONE
+               if ( msgid == LDAP_RES_ANY && all == LDAP_MSG_RECEIVED ) {
+                       /* ITS#10229: We want to keep going so long as there's 
anything to
+                        * read. */
+               } else if ( all == LDAP_MSG_ONE
                        || ( newmsg->lm_msgtype != LDAP_RES_SEARCH_RESULT
                                && newmsg->lm_msgtype != LDAP_RES_SEARCH_ENTRY
                                && newmsg->lm_msgtype != LDAP_RES_INTERMEDIATE
diff -Nru openldap-2.6.9+dfsg/libraries/librewrite/subst.c 
openldap-2.6.10+dfsg/libraries/librewrite/subst.c
--- openldap-2.6.9+dfsg/libraries/librewrite/subst.c    2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/libraries/librewrite/subst.c   2025-05-22 
10:56:21.000000000 -0700
@@ -131,6 +131,7 @@
                                map = rewrite_xmap_parse( info,
                                                p + 3, (const char **)&begin );
                                if ( map == NULL ) {
+                                       nsub++; /* make sure subs[nsub] is 
freed */
                                        goto cleanup;
                                }
                                submatch[ nsub ].ls_map = map;
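Review bot: The added `nsub++` before `goto cleanup` makes the cleanup loop free `submatch[ nsub ].ls_map` for an element whose `ls_map` is only assigned on the line after the `goto`, so that free is safe only if the slot was zeroed when the array was grown — if `submatch` is extended with `realloc` (not visible in this hunk) the slot holds stale memory and `free()` on it is undefined. Setting `submatch[ nsub ].ls_map = NULL` before the parse call, or zeroing new slots when growing the array, closes that gap. The two later `nsub++` sites in this file (the `rewrite_map_parse` failure and the final `else`) have the same dependency, and the one added after the failed `calloc` extends both cleanup loops by one, which assumes `submatch` was grown to `nsub + 1` entries alongside `subs`. The enclosing function starts outside this hunk.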
@@ -146,6 +147,7 @@
                        map = rewrite_map_parse( info, p + 2,
                                        (const char **)&begin );
                        if ( map == NULL ) {
+                               nsub++; /* make sure subs[nsub] is freed */
                                goto cleanup;
                        }
                        p = begin - 1;
@@ -165,6 +167,7 @@
                        continue;
 
                } else {
+                       nsub++; /* make sure subs[nsub] is freed */
                        goto cleanup;
                }
 
@@ -176,10 +179,6 @@
         */
        tmps = (struct berval * )realloc( subs, sizeof( struct berval )*( nsub 
+ 1 ) );
        if ( tmps == NULL ) {
-               /*
-                * XXX need to free the value subst stuff!
-                */
-               free( subs );
                goto cleanup;
        }
        subs = tmps;
@@ -200,6 +199,7 @@
 
        s = calloc( sizeof( struct rewrite_subst ), 1 );
        if ( s == NULL ) {
+               nsub++; /* make sure last elements are freed */
                goto cleanup;
        }
 
@@ -213,13 +213,13 @@
 cleanup:;
        if ( subs ) {
                for ( l=0; l<nsub; l++ ) {
-                       free( subs[nsub].bv_val );
+                       free( subs[l].bv_val );
                }
                free( subs );
        }
        if ( submatch ) {
                for ( l=0; l<nsub; l++ ) {
-                       free( submatch[nsub].ls_map );
+                       free( submatch[l].ls_map );
                }
                free( submatch );
        }
diff -Nru openldap-2.6.9+dfsg/servers/lloadd/config.c 
openldap-2.6.10+dfsg/servers/lloadd/config.c
--- openldap-2.6.9+dfsg/servers/lloadd/config.c 2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/servers/lloadd/config.c        2025-05-22 
10:56:21.000000000 -0700
@@ -3767,6 +3767,10 @@
             }
 #endif /* ! HAVE_TLS */
             b->b_tls_conf = tlskey[i].mask;
+            if ( b->b_tls != LLOAD_LDAPS ) {
+                b->b_tls = b->b_tls_conf;
+                flag = LLOAD_BACKEND_MOD_OTHER;
+            }
         } break;
         case CFG_WEIGHT:
             b->b_weight = c->value_uint;
diff -Nru openldap-2.6.9+dfsg/servers/slapd/back-ldif/ldif.c 
openldap-2.6.10+dfsg/servers/slapd/back-ldif/ldif.c
--- openldap-2.6.9+dfsg/servers/slapd/back-ldif/ldif.c  2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/back-ldif/ldif.c 2025-05-22 
10:56:21.000000000 -0700
@@ -1576,28 +1576,6 @@
                goto done;
        }
 
-       rc = ndn2path( op, &op->o_req_ndn, &path, 0 );
-       if ( rc != LDAP_SUCCESS ) {
-               goto done;
-       }
-
-       ldif2dir_len( path );
-       ldif2dir_name( path );
-       if ( rmdir( path.bv_val ) < 0 ) {
-               switch ( errno ) {
-               case ENOTEMPTY:
-                       rc = LDAP_NOT_ALLOWED_ON_NONLEAF;
-                       break;
-               case ENOENT:
-                       /* is leaf, go on */
-                       break;
-               default:
-                       rc = LDAP_OTHER;
-                       rs->sr_text = "internal error (cannot delete subtree 
directory)";
-                       break;
-               }
-       }
-
        /* pre-read */
        if ( op->o_preread ) {
                Entry *e = NULL;
@@ -1620,6 +1598,29 @@
                        }
                }
                entry_free( e );
+       } else {
+               rc = ndn2path( op, &op->o_req_ndn, &path, 0 );
+       }
+
+       if ( rc != LDAP_SUCCESS ) {
+               goto done;
+       }
+
+       ldif2dir_len( path );
+       ldif2dir_name( path );
+       if ( rmdir( path.bv_val ) < 0 ) {
+               switch ( errno ) {
+               case ENOTEMPTY:
+                       rc = LDAP_NOT_ALLOWED_ON_NONLEAF;
+                       break;
+               case ENOENT:
+                       /* is leaf, go on */
+                       break;
+               default:
+                       rc = LDAP_OTHER;
+                       rs->sr_text = "internal error (cannot delete subtree 
directory)";
+                       break;
+               }
        }
 
        if ( rc == LDAP_SUCCESS ) {
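Review bot: With `ndn2path` now called only in the `else` branch, the pre-read branch (which starts outside the hunk) has to leave both `rc` and `path` set before `ldif2dir_len( path )` runs, and nothing in the hunk shows `path` being filled there; if it isn't, `rmdir( path.bv_val )` operates on an uninitialised berval. A comment on the `else` naming where `path` comes from in the pre-read case, e.g. `/* pre-read case: path was already resolved by the entry lookup above */` if that is what happens, would make the dependency visible to the next reader.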
@@ -1742,12 +1743,39 @@
        char textbuf[SLAP_TEXT_BUFLEN];
        int rc, same_ndn;
 
+       LDAPControl **preread_ctrl = NULL;
+       LDAPControl **postread_ctrl = NULL;
+       LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
+       int num_ctrls = 0;
+
+       ctrls[num_ctrls] = NULL;
+
        slap_mods_opattrs( op, &op->orr_modlist, 1 );
 
        ldap_pvt_thread_mutex_lock( &li->li_modop_mutex );
 
        rc = get_entry( op, &entry, &old_path, &rs->sr_text );
        if ( rc == LDAP_SUCCESS ) {
+               if ( op->o_preread ) {
+                       if ( preread_ctrl == NULL ) {
+                               preread_ctrl = &ctrls[num_ctrls++];
+                               ctrls[num_ctrls] = NULL;
+                       }
+                       if ( slap_read_controls( op, rs, entry,
+                               &slap_pre_read_bv, preread_ctrl ) )
+                       {
+                               Debug( LDAP_DEBUG_ANY, "ldif_back_modify: "
+                                       "pre-read failed \"%s\"\n",
+                                       entry->e_name.bv_val );
+                               if ( op->o_preread & SLAP_CONTROL_CRITICAL ) {
+                                       /* FIXME: is it correct to abort
+                                        * operation if control fails? */
+                                       rc = rs->sr_err;
+                                       goto done;
+                               }
+                       }
+               }
+
                same_ndn = !ber_bvcmp( &entry->e_nname, &op->orr_nnewDN );
                ber_bvreplace( &entry->e_name, &op->orr_newDN );
                ber_bvreplace( &entry->e_nname, &op->orr_nnewDN );
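Review bot: The `goto done` taken when a critical pre-read fails jumps past the `entry_free( entry )` and `SLAP_FREE( old_path.bv_val )` that the success path reaches at the end of the `if ( rc == LDAP_SUCCESS )` block (in the following hunk), so the entry and path returned by `get_entry` leak on that path; a local flag that skips the rename but still falls through to the two frees, or moving them under `done:` guarded by `if ( entry )`, would avoid it. The Debug message also labels this `ldif_back_modify:` although the surrounding code is the rename path (`orr_modlist`, `orr_newDN`); the post-read message in the next hunk carries the same label and both should name the rename function instead. The enclosing function starts before this hunk.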
@@ -1758,11 +1786,32 @@
                        rc = ldif_move_entry( op, entry, same_ndn, &old_path,
                                &rs->sr_text );
 
+               if ( rc == LDAP_SUCCESS && op->o_postread ) {
+                       if ( postread_ctrl == NULL ) {
+                               postread_ctrl = &ctrls[num_ctrls++];
+                               ctrls[num_ctrls] = NULL;
+                       }
+                       if ( slap_read_controls( op, rs, entry,
+                               &slap_post_read_bv, postread_ctrl ) )
+                       {
+                               Debug( LDAP_DEBUG_ANY, "ldif_back_modify: "
+                                       "post-read failed \"%s\"\n",
+                                       entry->e_name.bv_val );
+                               if ( op->o_postread & SLAP_CONTROL_CRITICAL ) {
+                                       /* FIXME: is it correct to abort
+                                        * operation if control fails? */
+                                       rc = rs->sr_err;
+                               }
+                       }
+               }
+
                entry_free( entry );
                SLAP_FREE( old_path.bv_val );
        }
 
+done:
        ldap_pvt_thread_mutex_unlock( &li->li_modop_mutex );
+       if ( num_ctrls ) rs->sr_ctrls = ctrls;
        rs->sr_err = rc;
        send_ldap_result( op, rs );
        slap_graduate_commit_csn( op );
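Review bot: Nothing in this hunk releases the controls that `slap_read_controls` stored into `ctrls[]` once `send_ldap_result` has consumed them; other slapd backends free `*preread_ctrl`/`*postread_ctrl` and their `ldctl_value` after sending, and if this function's remaining lines don't, every rename carrying a pre- or post-read control leaks them. If the frees do exist below, a short comment at `done:` pointing to them would save the next reader the search. The enclosing function ends outside the hunk.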
diff -Nru openldap-2.6.9+dfsg/servers/slapd/back-mdb/attr.c 
openldap-2.6.10+dfsg/servers/slapd/back-mdb/attr.c
--- openldap-2.6.9+dfsg/servers/slapd/back-mdb/attr.c   2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/back-mdb/attr.c  2025-05-22 
10:56:21.000000000 -0700
@@ -98,6 +98,9 @@
        int i, flags;
        int rc;
 
+       if ( !mdb->mi_nattrs )
+               return 0;
+
        txn = tx0;
        if ( txn == NULL ) {
                rc = mdb_txn_begin( mdb->mi_dbenv, NULL, 0, &txn );
diff -Nru openldap-2.6.9+dfsg/servers/slapd/back-mdb/config.c 
openldap-2.6.10+dfsg/servers/slapd/back-mdb/config.c
--- openldap-2.6.9+dfsg/servers/slapd/back-mdb/config.c 2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/back-mdb/config.c        2025-05-22 
10:56:21.000000000 -0700
@@ -371,6 +371,9 @@
        int i, rc, changed = 0;
        unsigned short s;
 
+       if ( !mdb->mi_nattrs )
+               return 0;
+
        rc = mdb_txn_begin( mdb->mi_dbenv, NULL, 0, &txn );
        if ( rc )
                return rc;
diff -Nru openldap-2.6.9+dfsg/servers/slapd/back-mdb/delete.c 
openldap-2.6.10+dfsg/servers/slapd/back-mdb/delete.c
--- openldap-2.6.9+dfsg/servers/slapd/back-mdb/delete.c 2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/back-mdb/delete.c        2025-05-22 
10:56:21.000000000 -0700
@@ -148,17 +148,18 @@
                        "<=- " LDAP_XSTRING(mdb_delete) ": no such object %s\n",
                        op->o_req_dn.bv_val );
 
-               rs->sr_matched = ch_strdup( e->e_dn );
-               if ( is_entry_referral( e )) {
-                       BerVarray ref = get_entry_referrals( op, e );
-                       rs->sr_ref = referral_rewrite( ref, &e->e_name,
-                               &op->o_req_dn, LDAP_SCOPE_DEFAULT );
-                       ber_bvarray_free( ref );
-               } else {
-                       rs->sr_ref = NULL;
+               rs->sr_ref = NULL;
+               if ( e ) {
+                       rs->sr_matched = ch_strdup( e->e_dn );
+                       if ( is_entry_referral( e )) {
+                               BerVarray ref = get_entry_referrals( op, e );
+                               rs->sr_ref = referral_rewrite( ref, &e->e_name,
+                                       &op->o_req_dn, LDAP_SCOPE_DEFAULT );
+                               ber_bvarray_free( ref );
+                       }
+                       mdb_entry_return( op, e );
+                       e = NULL;
                }
-               mdb_entry_return( op, e );
-               e = NULL;
 
                rs->sr_err = LDAP_REFERRAL;
                rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED;
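Review bot: When `e` is NULL the new guard skips `rs->sr_matched = ch_strdup( e->e_dn )`, yet `rs->sr_flags` is still set to `REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED`, so whatever `rs->sr_matched` held before — stale or uninitialised, depending on how the reply was set up outside the hunk — will be freed by the result sender. Initialising it next to the reference, `rs->sr_ref = NULL; rs->sr_matched = NULL;`, or setting `REP_MATCHED_MUSTBEFREED` only inside the `if ( e )` block, makes the no-entry case well defined. The enclosing function starts and ends outside the hunk.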
diff -Nru openldap-2.6.9+dfsg/servers/slapd/back-mdb/tools.c 
openldap-2.6.10+dfsg/servers/slapd/back-mdb/tools.c
--- openldap-2.6.9+dfsg/servers/slapd/back-mdb/tools.c  2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/back-mdb/tools.c 2025-05-22 
10:56:21.000000000 -0700
@@ -1051,7 +1051,7 @@
        op.o_tmpmfuncs = &ch_mfuncs;
 
        /* id2entry index */
-       rc = mdb_id2entry_update( &op, mdb_tool_txn, NULL, e );
+       rc = mdb_id2entry_update( &op, mdb_tool_txn, idcursor, e );
        if( rc != 0 ) {
                snprintf( text->bv_val, text->bv_len,
                                "id2entry_update failed: err=%d", rc );
@@ -1086,6 +1086,7 @@
                e->e_id = NOID;
        }
        mdb_tool_txn = NULL;
+       idcursor = NULL;
 
        return e->e_id;
 }
diff -Nru openldap-2.6.9+dfsg/servers/slapd/bconfig.c 
openldap-2.6.10+dfsg/servers/slapd/bconfig.c
--- openldap-2.6.9+dfsg/servers/slapd/bconfig.c 2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/servers/slapd/bconfig.c        2025-05-22 
10:56:21.000000000 -0700
@@ -1112,6 +1112,26 @@
        return LDAP_SUCCESS;
 }
 
+static int
+config_copy_controls( Operation *op, SlapReply *rs )
+{
+       /* Accumulate response controls so we can return them to client */
+       if ( rs->sr_ctrls ) {
+               LDAPControl **prepared = op->o_callback->sc_private,
+                                       **received = rs->sr_ctrls;
+               slap_mask_t oldflags = rs->sr_flags;
+
+               rs->sr_ctrls = prepared;
+               rs->sr_flags |= REP_CTRLS_MUSTBEFREED;
+               slap_add_ctrls( op, rs, received );
+               op->o_callback->sc_private = rs->sr_ctrls;
+
+               rs->sr_ctrls = received;
+               rs->sr_flags = oldflags;
+       }
+       return 0;
+}
+
 #define        GOT_CONFIG      1
 #define        GOT_FRONTEND    2
 static int
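Review bot: `config_copy_controls` relies on an unstated contract with its callers — `sc_private` holds the control array accumulated so far, `slap_add_ctrls` appends `received` to it (presumably releasing the old array, which is why `REP_CTRLS_MUSTBEFREED` is set for the duration of the call), and the caller later takes `sc.sc_private` as `rs->sr_ctrls` — and none of that is written down, while the return value of `slap_add_ctrls` is discarded. A header comment stating that contract, including that `op->o_callback` must be the `slap_callback` whose `sc_private` was seeded with the caller's `rs->sr_ctrls`, would make the four call sites in this file safer to modify. If `slap_add_ctrls` can fail, its result should at least be logged.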
@@ -2952,13 +2972,16 @@
                }
 
                if ( c->argc == 2 ) {
-                       if ( strcasecmp( c->argv[1], "advertise" ) == 0 ) {
+                       if ( strcasecmp( c->argv[1], "FALSE" ) == 0 ) {
+                               rc = 0;
+                               break;
+                       } else if ( strcasecmp( c->argv[1], "advertise" ) == 0 
) {
                                advertise = 1;
 
                        } else if ( strcasecmp( c->argv[1], "TRUE" ) != 0 ) {
                                /* log error */
                                snprintf( c->cr_msg, sizeof( c->cr_msg),
-                                       "subordinate must be \"TRUE\" or 
\"advertise\"" );
+                                       "subordinate must be \"TRUE\", 
\"FALSE\" or \"advertise\"" );
                                Debug( LDAP_DEBUG_ANY,
                                        "%s: suffix \"%s\": %s.\n",
                                        c->log, c->be->be_suffix[0].bv_val, 
c->cr_msg );
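Review bot: The new `FALSE` branch returns success without touching the database's subordinate state, so if the glue flag can already be set on `c->be` when this directive is re-applied (a replace over cn=config, for instance — the flag handling isn't visible in this hunk), `FALSE` would be accepted but not actually turn the setting off. If the flag is cleared elsewhere before this code runs, a comment such as `/* FALSE: nothing to enable; the flag was reset by the caller */` on the branch would say so; otherwise the branch should clear it explicitly. The enclosing function starts and ends outside the hunk.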
@@ -4821,7 +4844,7 @@
        if ( use_ldif ) {
                CfBackInfo *cfb = (CfBackInfo *)op->o_bd->be_private;
                BackendDB *be = op->o_bd;
-               slap_callback sc = { NULL, slap_null_cb, NULL, NULL }, *scp;
+               slap_callback sc = { NULL, config_copy_controls, NULL, 
rs->sr_ctrls }, *scp;
                struct berval dn, ndn, xdn, xndn;
 
                op->o_bd = &cfb->cb_db;
@@ -4838,6 +4861,8 @@
 
                scp = op->o_callback;
                op->o_callback = &sc;
+               rs->sr_ctrls = NULL;
+
                op->orr_newrdn = *newrdn;
                op->orr_nnewrdn = *nnewrdn;
                op->orr_newSup = NULL;
@@ -4857,6 +4882,9 @@
                op->o_ndn = ndn;
                op->o_req_dn = xdn;
                op->o_req_ndn = xndn;
+
+               rs->sr_ctrls = sc.sc_private;
+               rs->sr_flags |= REP_CTRLS_MUSTBEFREED;
        }
        free( odn.bv_val );
        free( ondn.bv_val );
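Review bot: `rs->sr_ctrls = sc.sc_private; rs->sr_flags |= REP_CTRLS_MUSTBEFREED;` marks the array for freeing unconditionally, but when the underlying backend returned no controls `config_copy_controls` never replaces `sc_private`, so it is still whatever `rs->sr_ctrls` held when `sc` was initialised two hunks above — which may be NULL or a caller's stack `ctrls[]` array depending on the call path, and freeing a stack array would corrupt memory. The flag should only be set when the array was actually replaced, or the callers must guarantee the seed is heap-allocated, and that guarantee should be stated in a comment. The same pattern is repeated in the `cb_use_ldif` branches of `config_back_add`, `config_back_modify` and `config_back_delete` later in this file. The enclosing function starts before this hunk.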
@@ -5648,6 +5676,7 @@
        CfEntryInfo *ce2, *ce3, *cetmp = NULL, *cerem = NULL;
        ConfigType etype = ce->ce_type;
        int count = 0, rc = 0;
+       char preread = op->o_preread, postread = op->o_postread;
 
        /* Reverse ce list */
        for (ce2 = ce->ce_sibs;ce2;ce2 = ce3) {
@@ -5665,6 +5694,9 @@
                }
        }
 
+       /* Suppress control generation for internal ops */
+       op->o_postread = SLAP_CONTROL_NONE;
+
        /* Move original to a temp name until increments are done */
        if ( rebase ) {
                ce->ce_entry->e_private = NULL;
@@ -5672,6 +5704,8 @@
                        base+BIGTMP, 0, use_ldif );
                ce->ce_entry->e_private = ce;
        }
+       op->o_preread = SLAP_CONTROL_NONE;
+
        /* start incrementing */
        for (ce2=cetmp; ce2; ce2=ce3) {
                ce3 = ce2->ce_sibs;
@@ -5682,9 +5716,12 @@
                                count+base, 0, use_ldif );
                count--;
        }
+
+       op->o_postread = postread;
        if ( rebase )
                rc = config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry,
                        base, 0, use_ldif );
+       op->o_preread = preread;
        return rc;
 }
 
@@ -5692,7 +5729,11 @@
 config_rename_del( Operation *op, SlapReply *rs, CfEntryInfo *ce,
        CfEntryInfo *ce2, int old, int use_ldif )
 {
-       int count = 0;
+       int rc, count = 0;
+       char preread = op->o_preread, postread = op->o_postread;
+
+       /* Suppress control generation for internal ops */
+       op->o_postread = SLAP_CONTROL_NONE;
 
        /* Renumber original to a temp value */
        ce->ce_entry->e_private = NULL;
@@ -5700,14 +5741,20 @@
                old+BIGTMP, 0, use_ldif );
        ce->ce_entry->e_private = ce;
 
+       op->o_preread = SLAP_CONTROL_NONE;
+
        /* start decrementing */
        for (; ce2 != ce; ce2=ce2->ce_sibs) {
                config_renumber_one( op, rs, ce2->ce_parent, ce2->ce_entry,
                        count+old, 0, use_ldif );
                count++;
        }
-       return config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry,
+
+       op->o_postread = postread;
+       rc = config_renumber_one( op, rs, ce->ce_parent, ce->ce_entry,
                count+old, 0, use_ldif );
+       op->o_preread = preread;
+       return rc;
 }
 
 /* Parse an LDAP entry into config directives, then store in underlying
@@ -5723,7 +5770,9 @@
        LDAPControl **postread_ctrl = NULL;
        LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
        int num_ctrls = 0;
+       char postread = op->o_postread;
 
+       op->o_postread = SLAP_CONTROL_NONE;
        ctrls[num_ctrls] = NULL;
 
        if ( !access_allowed( op, op->ora_e, slap_schema.si_ad_entry,
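Review bot: `op->o_postread` is cleared to `SLAP_CONTROL_NONE` at the top of `config_back_add` but restored only inside the `cb_use_ldif` branch later in the function; on the non-ldif path and on every early return (the `access_allowed` failure just below, for one) the request object keeps the cleared value. That is harmless if nothing reads `o_postread` after the backend returns, which I can't verify from here; restoring it at the common exit, or a comment saying the field is dead once this backend has replied, would remove the doubt. `config_back_modrdn` and `config_back_delete` further down clear `o_preread`/`o_postread` the same way.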
@@ -5805,7 +5854,7 @@
 
        if ( cfb->cb_use_ldif ) {
                BackendDB *be = op->o_bd;
-               slap_callback sc = { NULL, slap_null_cb, NULL, NULL }, *scp;
+               slap_callback sc = { NULL, config_copy_controls, NULL, 
rs->sr_ctrls }, *scp;
                struct berval dn, ndn;
 
                op->o_bd = &cfb->cb_db;
@@ -5818,12 +5867,18 @@
 
                scp = op->o_callback;
                op->o_callback = &sc;
+               op->o_postread = postread;
+               rs->sr_ctrls = NULL;
+
                op->o_bd->be_add( op, rs );
                op->o_bd = be;
                op->o_callback = scp;
                op->o_dn = dn;
                op->o_ndn = ndn;
-       } else if ( op->o_postread ) {
+
+               rs->sr_ctrls = sc.sc_private;
+               rs->sr_flags |= REP_CTRLS_MUSTBEFREED;
+       } else if ( postread ) {
                if ( postread_ctrl == NULL ) {
                        postread_ctrl = &ctrls[num_ctrls++];
                        ctrls[num_ctrls] = NULL;
@@ -6277,7 +6332,7 @@
 config_back_modify( Operation *op, SlapReply *rs )
 {
        CfBackInfo *cfb;
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
        Modifications *ml;
        ConfigArgs ca = {0};
        struct berval rdn;
@@ -6389,7 +6444,7 @@
                rs->sr_text = ca.cr_msg;
        } else if ( cfb->cb_use_ldif ) {
                BackendDB *be = op->o_bd;
-               slap_callback sc = { NULL, slap_null_cb, NULL, NULL }, *scp;
+               slap_callback sc = { NULL, config_copy_controls, NULL, 
rs->sr_ctrls }, *scp;
                struct berval dn, ndn;
 
                op->o_bd = &cfb->cb_db;
@@ -6401,11 +6456,16 @@
 
                scp = op->o_callback;
                op->o_callback = &sc;
+               rs->sr_ctrls = NULL;
+
                op->o_bd->be_modify( op, rs );
                op->o_bd = be;
                op->o_callback = scp;
                op->o_dn = dn;
                op->o_ndn = ndn;
+
+               rs->sr_ctrls = sc.sc_private;
+               rs->sr_flags |= REP_CTRLS_MUSTBEFREED;
        } else if ( op->o_postread ) {
                if ( postread_ctrl == NULL ) {
                        postread_ctrl = &ctrls[num_ctrls++];
@@ -6435,7 +6495,7 @@
 config_back_modrdn( Operation *op, SlapReply *rs )
 {
        CfBackInfo *cfb;
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
        struct berval rdn;
        int ixold, ixnew, dopause = 1;
 
@@ -6443,8 +6503,10 @@
        LDAPControl **postread_ctrl = NULL;
        LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
        int num_ctrls = 0;
+       char preread = op->o_preread, postread = op->o_postread;
 
        ctrls[num_ctrls] = NULL;
+       op->o_preread = op->o_postread = SLAP_CONTROL_NONE;
 
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
@@ -6563,7 +6625,7 @@
        }
 
        /* If we have a backend, it will handle the control */
-       if ( !cfb->cb_use_ldif && op->o_preread ) {
+       if ( !cfb->cb_use_ldif && preread > SLAP_CONTROL_IGNORED ) {
                if ( preread_ctrl == NULL ) {
                        preread_ctrl = &ctrls[num_ctrls++];
                        ctrls[num_ctrls] = NULL;
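Review bot: The pre-read test here was changed to `preread > SLAP_CONTROL_IGNORED`, and the post-read test later in the same function follows suit, but `config_back_delete`'s equivalent check further down keeps the plain truthiness test `preread`, which still fires for `SLAP_CONTROL_IGNORED`; the three should agree, and unless ignored controls are meant to produce a pre-read in delete, its test should read `ce && !cfb->cb_use_ldif && preread > SLAP_CONTROL_IGNORED`. The enclosing function starts and ends outside the hunk.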
@@ -6606,6 +6668,8 @@
                Attribute *a;
                rs->sr_err = config_rename_attr( rs, ce->ce_entry, &rdn, &a );
                if ( rs->sr_err == LDAP_SUCCESS ) {
+                       op->o_preread = preread;
+                       op->o_postread = postread;
                        rs->sr_err = config_rename_one( op, rs, ce->ce_entry,
                                ce->ce_parent, a, &op->orr_newrdn, 
&op->orr_nnewrdn,
                                cfb->cb_use_ldif );
@@ -6653,7 +6717,9 @@
                        backend_db_move( ce->ce_be, ixnew );
                else if ( ce->ce_type == Cft_Overlay )
                        overlay_move( ce->ce_be, (slap_overinst *)ce->ce_bi, 
ixnew );
-                       
+
+               op->o_preread = preread;
+               op->o_postread = postread;
                if ( ixold < ixnew ) {
                        rs->sr_err = config_rename_del( op, rs, ce, ceold, 
ixold,
                                cfb->cb_use_ldif );
@@ -6664,7 +6730,8 @@
                op->oq_modrdn = modr;
        }
 
-       if ( rs->sr_err == LDAP_SUCCESS && !cfb->cb_use_ldif && op->o_postread 
) {
+       if ( rs->sr_err == LDAP_SUCCESS && !cfb->cb_use_ldif &&
+                       postread > SLAP_CONTROL_IGNORED ) {
                if ( postread_ctrl == NULL ) {
                        postread_ctrl = &ctrls[num_ctrls++];
                        ctrls[num_ctrls] = NULL;
@@ -6694,20 +6761,23 @@
 {
 #ifdef SLAP_CONFIG_DELETE
        CfBackInfo *cfb;
-       CfEntryInfo *ce, *last, *ce2;
+       CfEntryInfo *ce, *ce2, *last = NULL;
        int dopause = 1;
 
        LDAPControl **preread_ctrl = NULL;
        LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
        int num_ctrls = 0;
 
+       char preread = op->o_preread;
+
        ctrls[num_ctrls] = NULL;
+       op->o_preread = SLAP_CONTROL_NONE;
 
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
        /* If we have a backend, it will handle the control */
        ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
-       if ( ce && !cfb->cb_use_ldif && op->o_preread ) {
+       if ( ce && !cfb->cb_use_ldif && preread ) {
                if ( preread_ctrl == NULL ) {
                        preread_ctrl = &ctrls[num_ctrls++];
                        ctrls[num_ctrls] = NULL;
@@ -6718,7 +6788,7 @@
                        Debug( LDAP_DEBUG_ANY, "config_back_delete: "
                                        "pre-read failed \"%s\"\n",
                                        ce->ce_entry->e_name.bv_val );
-                       if ( op->o_preread & SLAP_CONTROL_CRITICAL ) {
+                       if ( preread & SLAP_CONTROL_CRITICAL ) {
                                /* FIXME: is it correct to abort
                                 * operation if control fails? */
                                goto out;
@@ -6816,7 +6886,7 @@
                /* remove from underlying database */
                if ( cfb->cb_use_ldif ) {
                        BackendDB *be = op->o_bd;
-                       slap_callback sc = { NULL, slap_null_cb, NULL, NULL }, 
*scp;
+                       slap_callback sc = { NULL, config_copy_controls, NULL, 
rs->sr_ctrls }, *scp;
                        struct berval dn, ndn, req_dn, req_ndn;
 
                        op->o_bd = &cfb->cb_db;
@@ -6833,6 +6903,9 @@
 
                        scp = op->o_callback;
                        op->o_callback = &sc;
+                       op->o_preread = preread;
+                       rs->sr_ctrls = NULL;
+
                        op->o_bd->be_delete( op, rs );
                        op->o_bd = be;
                        op->o_callback = scp;
@@ -6840,7 +6913,11 @@
                        op->o_ndn = ndn;
                        op->o_req_dn = req_dn;
                        op->o_req_ndn = req_ndn;
+
+                       rs->sr_ctrls = sc.sc_private;
+                       rs->sr_flags |= REP_CTRLS_MUSTBEFREED;
                }
+               op->o_preread = SLAP_CONTROL_NONE;
 
                /* renumber siblings */
                iptr = ber_bvchr( &op->o_req_ndn, '{' ) + 1;
@@ -6873,12 +6950,19 @@
 config_back_search( Operation *op, SlapReply *rs )
 {
        CfBackInfo *cfb;
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
        slap_mask_t mask;
+       int paused = 0;
 
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
-       ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
+       if ( ldap_pvt_thread_pool_query( &connection_pool,
+                       LDAP_PVT_THREAD_POOL_PARAM_PAUSED, &paused ) ) {
+               return -1;
+       }
+       if ( !paused ) {
+               ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
+       }
        ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
        if ( !ce ) {
                if ( last )
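Review bot: The early `return -1` when `ldap_pvt_thread_pool_query` fails sends no result to the client, whereas every other exit in `config_back_search` goes through `send_ldap_result` at `out:`; unless the caller treats a negative return as "reply already sent" (not visible here), that request is left unanswered. Setting `rs->sr_err = LDAP_OTHER` and sending the reply before returning, or treating a query failure as "not paused" and taking the lock, keeps the function's contract uniform. The skip-the-lock-when-paused rule also deserves a one-line comment, e.g. `/* paused pool: the config thread already holds cb_rwlock, don't deadlock on it */`, if that is the reason. The enclosing function ends outside this hunk.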
@@ -6913,7 +6997,8 @@
        }
 
 out:
-       ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock );
+       if ( !paused )
+               ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock );
        send_ldap_result( op, rs );
        return rs->sr_err;
 }
@@ -6954,7 +7039,7 @@
        Entry **ent )
 {
        CfBackInfo *cfb;
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
        Entry *e = NULL;
        int paused = 0, rc = LDAP_NO_SUCH_OBJECT;
 
@@ -7266,7 +7351,7 @@
 {
        struct berval schema_dn = BER_BVC(SCHEMA_RDN "," CONFIG_RDN);
        ConfigArgs c = {0};
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
        Entry *e;
 
        /* If there's no root entry, we must be in the midst of converting */
@@ -7974,7 +8059,7 @@
 {
        CfBackInfo *cfb = be->be_private;
        BackendInfo *bi = cfb->cb_db.bd_info;
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
 
        ce = config_find_base( cfb->cb_root, &e->e_nname, &last, NULL );
 
@@ -7989,7 +8074,7 @@
 {
        CfBackInfo *cfb = be->be_private;
        BackendInfo *bi = cfb->cb_db.bd_info;
-       CfEntryInfo *ce, *last;
+       CfEntryInfo *ce, *last = NULL;
 
        ce = config_find_base( cfb->cb_root, ndn, &last, NULL );
 
diff -Nru openldap-2.6.9+dfsg/servers/slapd/logging.c 
openldap-2.6.10+dfsg/servers/slapd/logging.c
--- openldap-2.6.9+dfsg/servers/slapd/logging.c 2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/servers/slapd/logging.c        2025-05-22 
10:56:21.000000000 -0700
@@ -46,14 +46,21 @@
 static int splen;
 static int logfile_rotfail, logfile_openfail;
 
-typedef enum { LFMT_DEFAULT, LFMT_DEBUG, LFMT_SYSLOG_UTC, LFMT_SYSLOG_LOCAL } 
LogFormat;
+typedef enum { LFMT_DEBUG, LFMT_SYSLOG, LFMT_RFC3339 } LogFormat;
 static LogFormat logfile_format;
 
+#define LFMT_LOCALTIME 0x80
+#define LFMT_DEFAULT   LFMT_DEBUG
+#define LFMT_SYSLOG_LOCAL      (LFMT_SYSLOG|LFMT_LOCALTIME)
+#define LFMT_SYSLOG_UTC        (LFMT_SYSLOG)
+#define LFMT_RFC3339_UTC       (LFMT_RFC3339)
+
 static slap_verbmasks logformat_key[] = {
        { BER_BVC("default"),           LFMT_DEFAULT },
        { BER_BVC("debug"),                     LFMT_DEBUG },
        { BER_BVC("syslog-utc"),        LFMT_SYSLOG_UTC },
        { BER_BVC("syslog-localtime"),          LFMT_SYSLOG_LOCAL },
+       { BER_BVC("rfc3339-utc"),               LFMT_RFC3339_UTC },
        { BER_BVNULL, 0 }
 };
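Review bot: `logfile_format` is declared as the `LogFormat` enum but now stores values outside its enumerators once `LFMT_LOCALTIME` (0x80) is OR-ed in, and the tests in later hunks (`logfile_format > LFMT_DEBUG`, `& LFMT_LOCALTIME`, `& LFMT_SYSLOG`) treat it as a bit field; that works because the enum is int-sized, but it is fragile — `& LFMT_SYSLOG` only distinguishes `LFMT_SYSLOG` from `LFMT_RFC3339` because 1 and 2 share no bit, and a fourth format would break it. Either add the combined values to the enum, or make the variable an `int` with a comment that the low bits select the stamp format and `LFMT_LOCALTIME` selects local time, and compare with `( logfile_format & ~LFMT_LOCALTIME ) == LFMT_SYSLOG`. Note also that `LFMT_DEFAULT` now aliases `LFMT_DEBUG` where it used to be a distinct value, so any code comparing against `LFMT_DEFAULT` specifically changes meaning — I can't see whether such code exists.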
 
@@ -69,6 +76,13 @@
 static int logpathlen;
 
 #define SYSLOG_STAMP   "Mmm dd hh:mm:ss"
+#ifdef HAVE_CLOCK_GETTIME
+#define RFC3339_FRAC   ".fffffffffZ"
+#else
+#define RFC3339_FRAC   ".ffffffZ"
+#endif
+#define RFC3339_BASE   "YYYY-mm-ddTHH:MM:SS"
+#define RFC3339_STAMP   RFC3339_BASE RFC3339_FRAC
 
 void
 slap_debug_print( const char *data )
@@ -84,11 +98,13 @@
 #ifdef HAVE_CLOCK_GETTIME
        struct timespec tv;
 #define        TS      "%08x"
+#define        TSf     ".%09ldZ"
 #define        Tfrac   tv.tv_nsec
 #define gettime(tv)    clock_gettime( CLOCK_REALTIME, tv )
 #else
        struct timeval tv;
 #define        TS      "%05x"
+#define        TSf     ".%06ldZ"
 #define        Tfrac   tv.tv_usec
 #define        gettime(tv)     gettimeofday( tv, NULL )
 #endif
@@ -171,7 +187,7 @@
 
                if ( logfile_format > LFMT_DEBUG ) {
                        struct tm tm;
-                       if ( logfile_format == LFMT_SYSLOG_UTC )
+                       if ( !( logfile_format & LFMT_LOCALTIME ) )
                                ldap_pvt_gmtime( &tv.tv_sec, &tm );
                        else
                                ldap_pvt_localtime( &tv.tv_sec, &tm );
@@ -182,9 +198,15 @@
 #else
                        ptr = syslog_prefix;
 #endif
-                       strftime( ptr, sizeof( SYSLOG_STAMP ),
-                               "%b %d %H:%M:%S", &tm );
-                       ptr[ sizeof( SYSLOG_STAMP )-1 ] = ' ';
+                       if ( logfile_format & LFMT_SYSLOG ) {
+                               ptr += strftime( ptr, sizeof( SYSLOG_STAMP ),
+                                       "%b %d %H:%M:%S", &tm );
+                       }       else {
+                               ptr += strftime( ptr, sizeof( RFC3339_BASE ),
+                                       "%Y-%m-%dT%H:%M:%S", &tm );
+                               ptr += snprintf( ptr, sizeof( RFC3339_FRAC ), 
TSf, Tfrac );
+                       }
+                       *ptr = ' ';
 #ifdef _WIN32
                        len = datalen + splen;
 #else
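Review bot: The rewritten stamp code advances `ptr` by the return values of strftime and snprintf and then writes `*ptr = ' '`, whereas the rest of `syslog_prefix` (host, server name, pid) was laid out at fixed offsets from the placeholder stamps; strftime returns 0 when its output does not fit, which a non-C LC_TIME can cause through `%b`, and in that case the space now lands at the start of the stamp and the placeholder text stays in the line, where the old code at least wrote the space at the right index. A guard such as `if ( n != sizeof( SYSLOG_STAMP )-1 ) memset( ptr, ' ', sizeof( SYSLOG_STAMP )-1 );` after the strftime, or a comment stating that the widths are assumed exact, would make the dependency visible. Whether slapd ever sets a non-C locale I cannot tell from the hunk; the enclosing function starts outside it.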
@@ -814,11 +836,12 @@
                        }
                        if ( syslog_prefix )
                                ch_free( syslog_prefix );
-                       len = strlen( global_host ) + 1 + strlen( serverName ) 
+ 1 + sizeof("[123456789]:") +
-                               sizeof( SYSLOG_STAMP );
-                       syslog_prefix = ch_malloc( len );
-                       splen = sprintf( syslog_prefix, SYSLOG_STAMP " %s 
%s[%d]: ", global_host, serverName, getpid() );
                        logfile_format = logformat_key[i].mask;
+                       len = strlen( global_host ) + 1 + strlen( serverName ) 
+ 1 + sizeof(("[123456789]:")) +
+                               (( logfile_format & LFMT_RFC3339) ? sizeof( 
RFC3339_STAMP ) : sizeof( SYSLOG_STAMP ));
+                       syslog_prefix = ch_malloc( len );
+                       splen = sprintf( syslog_prefix, "%s %s %s[%d]: ", ( 
logfile_format & LFMT_RFC3339 ) ?
+                               RFC3339_STAMP : SYSLOG_STAMP, global_host, 
serverName, getpid() );
                        }
                        break;
 
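Review bot: The `sprintf` into `syslog_prefix` at the end of the hunk still relies on the hand-computed `len`, and the allowance `sizeof(("[123456789]:"))` covers a pid of at most nine digits with no slack; `splen = snprintf( syslog_prefix, len, "%s %s %s[%d]: ", ... )` would turn any miscount into a truncated prefix instead of a heap overrun, at no cost. The doubled parentheses in `sizeof(("[123456789]:"))` look accidental. The enclosing switch case continues outside the hunk.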
diff -Nru openldap-2.6.9+dfsg/servers/slapd/overlays/autoca.c 
openldap-2.6.10+dfsg/servers/slapd/overlays/autoca.c
--- openldap-2.6.9+dfsg/servers/slapd/overlays/autoca.c 2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/overlays/autoca.c        2025-05-22 
10:56:21.000000000 -0700
@@ -670,6 +670,7 @@
                                else
                                        rc = 1;
                        }
+                       break;
                case ACA_USRKEYBITS:
                        if ( c->value_int < MIN_KEYBITS )
                                rc = 1;
diff -Nru openldap-2.6.9+dfsg/servers/slapd/overlays/memberof.c 
openldap-2.6.10+dfsg/servers/slapd/overlays/memberof.c
--- openldap-2.6.9+dfsg/servers/slapd/overlays/memberof.c       2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/overlays/memberof.c      2025-05-22 
10:56:21.000000000 -0700
@@ -1301,10 +1301,8 @@
        if ( save_member ) {
                op->o_dn = op->o_bd->be_rootdn;
                op->o_ndn = op->o_bd->be_rootndn;
-               op->o_bd->bd_info = (BackendInfo *)on->on_info;
                rc = backend_attribute( op, NULL, &op->o_req_ndn,
                                mo->mo_ad_member, &mci->member, ACL_READ );
-               op->o_bd->bd_info = (BackendInfo *)on;
        }
 
        sc->sc_next = op->o_callback;
@@ -1503,10 +1501,8 @@
 
                case LDAP_MOD_REPLACE:
                        /* delete all ... */
-                       op->o_bd->bd_info = (BackendInfo *)on->on_info;
                        rc = backend_attribute( op, NULL, &op->o_req_ndn,
                                        mo->mo_ad_memberof, &vals, ACL_READ );
-                       op->o_bd->bd_info = (BackendInfo *)on;
                        if ( rc == LDAP_SUCCESS ) {
                                for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) 
{
                                        memberof_value_modify( op,
@@ -1641,10 +1637,8 @@
        }
 
        if ( mci->what & MEMBEROF_IS_GROUP ) {
-               op->o_bd->bd_info = (BackendInfo *)on->on_info;
                rc = backend_attribute( op, NULL, &op->orr_nnewDN,
                                mo->mo_ad_member, &vals, ACL_READ );
-               op->o_bd->bd_info = (BackendInfo *)on;
 
                if ( rc == LDAP_SUCCESS ) {
                        for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
@@ -1658,10 +1652,8 @@
        }
 
        if ( MEMBEROF_REFINT( mo ) && ( mci->what & MEMBEROF_IS_MEMBER ) ) {
-               op->o_bd->bd_info = (BackendInfo *)on->on_info;
                rc = backend_attribute( op, NULL, &op->orr_nnewDN,
                                mo->mo_ad_memberof, &vals, ACL_READ );
-               op->o_bd->bd_info = (BackendInfo *)on;
 
                if ( rc == LDAP_SUCCESS ) {
                        for ( i = 0; !BER_BVISNULL( &vals[ i ] ); i++ ) {
@@ -2159,6 +2151,15 @@
 
                case MO_ADDCHECK:
                        if ( c->value_int ) {
+                               if ( SLAP_ISGLOBALOVERLAY( c->be ) ) {
+                                       snprintf( c->cr_msg, sizeof( c->cr_msg 
),
+                                               "addcheck functionality not 
supported "
+                                               "when memberof is a global 
overlay",
+                                               c->argv[ 1 ] );
+                                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
+                                               c->log, c->cr_msg );
+                                       return 1;
+                               }
                                mo->mo_flags |= MEMBEROF_FADDCHECK;
 
                        } else {
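Review bot: The snprintf format in the new SLAP_ISGLOBALOVERLAY block contains no conversion specifier, yet `c->argv[ 1 ]` is passed as an extra argument; it is silently ignored at runtime and flagged by `-Wformat-extra-args`. Either drop the argument, leaving `snprintf( c->cr_msg, sizeof( c->cr_msg ), "addcheck functionality not supported when memberof is a global overlay" );`, or add a `%s` if the value was meant to appear in the message.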
diff -Nru openldap-2.6.9+dfsg/servers/slapd/overlays/pcache.c 
openldap-2.6.10+dfsg/servers/slapd/overlays/pcache.c
--- openldap-2.6.9+dfsg/servers/slapd/overlays/pcache.c 2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/overlays/pcache.c        2025-05-22 
10:56:21.000000000 -0700
@@ -749,7 +749,7 @@
                }
        }
 
-       if ( got != GOT_ALL ) {
+       if ( (got & GOT_ALL) != GOT_ALL) {
                rc = 1;
                goto error;
        }
@@ -802,7 +802,11 @@
                        goto error;
                }
 
-               cq = add_query( op, qm, &query, qt, PC_POSITIVE, 0 );
+               if (BER_BVISNULL( &uuid )) {
+                 cq = add_query( op, qm, &query, qt, PC_NEGATIVE, 0 );
+               } else {
+                 cq = add_query( op, qm, &query, qt, PC_POSITIVE, 0 );
+               }
                if ( cq != NULL ) {
                        cq->expiry_time = expiry_time;
                        cq->refresh_time = refresh_time;
@@ -1580,6 +1584,8 @@
 
        case PC_NEGATIVE:
                ttl = templ->negttl;
+               if ( templ->ttr )
+                       ttr = now + templ->ttr;
                break;
 
        case PC_SIZELIMIT:
diff -Nru openldap-2.6.9+dfsg/servers/slapd/slapacl.c 
openldap-2.6.10+dfsg/servers/slapd/slapacl.c
--- openldap-2.6.9+dfsg/servers/slapd/slapacl.c 2024-11-26 09:11:04.000000000 
-0800
+++ openldap-2.6.10+dfsg/servers/slapd/slapacl.c        2025-05-22 
10:56:21.000000000 -0700
@@ -60,6 +60,18 @@
        return rc;
 }
 
+static int
+slapacl_entry_get(
+       Operation *op,
+       struct berval *dn,
+       ObjectClass *oc,
+       AttributeDescription *ad,
+       int rw,
+       Entry **e )
+{
+       return LDAP_UNWILLING_TO_PERFORM;
+}
+
 int
 slapacl( int argc, char **argv )
 {
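Review bot: `slapacl_entry_get` carries no comment explaining why it unconditionally returns LDAP_UNWILLING_TO_PERFORM, and all six parameters are unused, so a reader may take it for an unfinished stub. A later hunk installs it as `op->o_bd->be_fetch` in an `else` branch whose condition is outside my view; a header such as `/* be_fetch stand-in installed when slapacl has no real backend to fetch from: refuse entry fetches instead of leaving be_fetch unset */` would state the intent, with the wording confirmed against that condition. `(void)op; (void)dn;` style casts would also keep `-Wunused-parameter` quiet.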
@@ -293,6 +305,8 @@
                                }
                        }
                }
+       } else {
+               op->o_bd->be_fetch = slapacl_entry_get;
        }
 
        for ( ; argc--; argv++ ) {
diff -Nru openldap-2.6.9+dfsg/servers/slapd/slapcommon.c 
openldap-2.6.10+dfsg/servers/slapd/slapcommon.c
--- openldap-2.6.9+dfsg/servers/slapd/slapcommon.c      2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/slapcommon.c     2025-05-22 
10:56:21.000000000 -0700
@@ -423,27 +423,42 @@
                        rc = ldap_url_parse_ext( optarg, &ludp,
                                LDAP_PVT_URL_PARSE_NOEMPTY_HOST | 
LDAP_PVT_URL_PARSE_NOEMPTY_DN );
                        if ( rc != LDAP_URL_SUCCESS ) {
+                               fprintf( stderr, "Cannot parse '%s' as LDAP 
URI.\n", optarg );
                                usage( tool, progname );
                        }
 
                        /* don't accept host, port, attrs, extensions */
                        if ( ldap_pvt_url_scheme2proto( ludp->lud_scheme ) != 
LDAP_PROTO_TCP ) {
+                               fprintf( stderr, "%s URIs need to use ldap:// 
scheme.\n",
+                                               progname );
                                usage( tool, progname );
                        }
 
                        if ( ludp->lud_host != NULL ) {
+                               fprintf( stderr, "%s URIs cannot carry a host. "
+                                               "Only base, scope and filter 
are accepted\n",
+                                               progname );
                                usage( tool, progname );
                        }
 
                        if ( ludp->lud_port != 0 ) {
+                               fprintf( stderr, "%s URIs cannot carry a port. "
+                                               "Only base, scope and filter 
are accepted\n",
+                                               progname );
                                usage( tool, progname );
                        }
 
                        if ( ludp->lud_attrs != NULL ) {
+                               fprintf( stderr, "%s URIs cannot carry an 
attribute specification. "
+                                               "Only base, scope and filter 
are accepted\n",
+                                               progname );
                                usage( tool, progname );
                        }
 
                        if ( ludp->lud_exts != NULL ) {
+                               fprintf( stderr, "%s URIs cannot carry an 
extension specification. "
+                                               "Only base, scope and filter 
are accepted\n",
+                                               progname );
                                usage( tool, progname );
                        }
 
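Review bot: The new diagnostics are inconsistent in punctuation: the first two end with a period (`... as LDAP URI.\n`, `... ldap:// scheme.\n`) while the four `Only base, scope and filter are accepted\n` messages do not; pick one form. The repeated second sentence could be a single `static const char` so the four messages cannot drift apart. The enclosing getopt switch continues outside the hunk.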
@@ -465,6 +480,7 @@
 
                case 'j':       /* jump to linenumber */
                        if ( lutil_atoul( &jumpline, optarg ) ) {
+                               fprintf( stderr, "Invalid line number '%s'\n", 
optarg );
                                usage( tool, progname );
                        }
                        break;
@@ -479,6 +495,7 @@
 
                case 'N':
                        if ( dn_mode && dn_mode != SLAP_TOOL_LDAPDN_NORMAL ) {
+                               fputs( "Invalid combination of -N/-P 
provided\n", stderr );
                                usage( tool, progname );
                        }
                        dn_mode = SLAP_TOOL_LDAPDN_NORMAL;
@@ -486,6 +503,7 @@
 
                case 'n':       /* which config file db to index */
                        if ( lutil_atoi( &dbnum, optarg ) || dbnum < 0 ) {
+                               fputs( "Invalid database index provided\n", 
stderr );
                                usage( tool, progname );
                        }
                        break;
@@ -498,6 +516,7 @@
 
                case 'P':
                        if ( dn_mode && dn_mode != SLAP_TOOL_LDAPDN_PRETTY ) {
+                               fputs( "Invalid combination of -N/-P 
provided\n", stderr );
                                usage( tool, progname );
                        }
                        dn_mode = SLAP_TOOL_LDAPDN_PRETTY;
@@ -520,6 +539,7 @@
                        if ( lutil_atou( &csnsid, optarg )
                                || csnsid > SLAP_SYNC_SID_MAX )
                        {
+                               fputs( "Invalid serverid provided\n", stderr );
                                usage( tool, progname );
                        }
                        break;
diff -Nru openldap-2.6.9+dfsg/servers/slapd/syncrepl.c 
openldap-2.6.10+dfsg/servers/slapd/syncrepl.c
--- openldap-2.6.9+dfsg/servers/slapd/syncrepl.c        2024-11-26 
09:11:04.000000000 -0800
+++ openldap-2.6.10+dfsg/servers/slapd/syncrepl.c       2025-05-22 
10:56:21.000000000 -0700
@@ -2793,7 +2793,6 @@
 
 typedef struct modify_ctxt {
        Modifications *mx_orig;
-       Modifications *mx_free;
        Entry *mx_entry;
 } modify_ctxt;
 
@@ -2805,11 +2804,8 @@
        Modifications *ml;
 
        op->orm_no_opattrs = 0;
+       slap_mods_free( op->orm_modlist, 0 );
        op->orm_modlist = mx->mx_orig;
-       for ( ml = mx->mx_free; ml; ml = mx->mx_free ) {
-               mx->mx_free = ml->sml_next;
-               op->o_tmpfree( ml, op->o_tmpmemctx );
-       }
        if ( mx->mx_entry ) {
                entry_free( mx->mx_entry );
        }
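Review bot: With the loop over `mx->mx_free` removed, the local `Modifications *ml;` declared at the top of the hunk has no remaining use in view; if the rest of this cleanup function (which continues outside the hunk) does not use it either, the declaration should be dropped to avoid an unused-variable warning. The new `slap_mods_free( op->orm_modlist, 0 )` before restoring `mx_orig` assumes `orm_modlist` still points at the temporary list installed alongside `mx_orig`; a comment such as `/* orm_modlist is the temporary list installed with mx_orig; free it before restoring the caller's list */` would record that assumption.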
@@ -2997,10 +2993,10 @@
                sc->sc_next = op->o_callback;
                sc->sc_cleanup = NULL;
                sc->sc_writewait = NULL;
-               op->o_callback = sc;
+               overlay_callback_after_backover( op, sc, 1 );
+
                op->orm_no_opattrs = 1;
                mx->mx_orig = op->orm_modlist;
-               mx->mx_free = newlist;
                mx->mx_entry = e_dup;
                for ( ml = newlist; ml; ml=ml->sml_next ) {
                        if ( ml->sml_flags == SLAP_MOD_INTERNAL ) {
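Review bot: `sc->sc_next = op->o_callback;` is kept just above the new `overlay_callback_after_backover( op, sc, 1 );` call; if that helper links `sc` into the callback chain itself, as its name suggests, the manual `sc_next` assignment is now dead and suggests `sc` sits at the head of the chain when it does not. Confirm against the helper and drop the line if so. The enclosing function continues outside the hunk.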
