--- a/components/samba/samba/patches/mozldap.patch Tue Oct 04 09:03:46 2016 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,400 +0,0 @@
---- a/source3/param/loadparm.c 2013-03-18 01:59:37.000000000 -0700
-+++ b/source3/param/loadparm.c 2013-05-10 23:59:37.528279300 +0200
-@@ -278,6 +278,9 @@
- int ldap_follow_referral;
- char *szLdapSuffix;
- char *szLdapAdminDn;
-+ char *szLdapCertDBdir;
-+ char *szLdapKeyDBdir;
-+ bool ldap_privkey_open;
- int ldap_debug_level;
- int ldap_debug_threshold;
- int iAclCompat;
-@@ -3701,6 +3704,33 @@
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "ldap certdb dir",
-+ .type = P_STRING,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.szLdapCertDBdir,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
-+ .label = "ldap keydb dir",
-+ .type = P_STRING,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.szLdapKeyDBdir,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
-+ .label = "ldap privkey open",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.ldap_privkey_open,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "ldap delete dn",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
-@@ -5366,6 +5396,9 @@
- string_set(&Globals.szLdapIdmapSuffix, "");
-
- string_set(&Globals.szLdapAdminDn, "");
-+ string_set(&Globals.szLdapCertDBdir, get_dyn_PRIVATE_DIR());
-+ string_set(&Globals.szLdapKeyDBdir, get_dyn_PRIVATE_DIR());
-+ Globals.ldap_privkey_open = False;
- Globals.ldap_ssl = LDAP_SSL_START_TLS;
- Globals.ldap_ssl_ads = False;
- Globals.ldap_deref = -1;
-@@ -5747,6 +5780,9 @@
-
- FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
- FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
-+FN_GLOBAL_STRING(lp_ldap_certdb_dir, &Globals.szLdapCertDBdir)
-+FN_GLOBAL_STRING(lp_ldap_keydb_dir, &Globals.szLdapKeyDBdir)
-+FN_GLOBAL_BOOL(lp_ldap_privkey_open, &Globals.ldap_privkey_open)
- FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
- FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads)
- FN_GLOBAL_INTEGER(lp_ldap_deref, &Globals.ldap_deref)
---- a/source3/include/proto.h 2013-03-18 01:59:37.000000000 -0700
-+++ b/source3/include/proto.h 2013-05-11 00:04:26.565521200 +0200
-@@ -1429,6 +1429,9 @@
- bool lp_passdb_expand_explicit(void);
- char *lp_ldap_suffix(void);
- char *lp_ldap_admin_dn(void);
-+char *lp_ldap_certdb_dir(void);
-+char *lp_ldap_keydb_dir(void);
-+bool lp_ldap_privkey_open(void);
- int lp_ldap_ssl(void);
- bool lp_ldap_ssl_ads(void);
- int lp_ldap_deref(void);
---- a/source3/include/smb_ldap.h 2013-03-18 01:59:37.000000000 -0700
-+++ b/source3/include/smb_ldap.h 2013-04-29 13:33:34.602541500 -0700
-@@ -63,6 +63,10 @@
-
- #endif /* HAVE_LDAP_H */
-
-+#if HAVE_LDAP_SSL_H
-+#include <ldap_ssl.h>
-+#endif /* HAVE_LDAP_SSL_H */
-+
- #ifndef HAVE_LDAP
- #define LDAP void
- #define LDAPMessage void
---- a/source3/lib/smbldap.c 2013-05-08 10:16:26.000000000 +0200
-+++ b/source3/lib/smbldap.c 2013-07-03 09:00:28.482477500 +0200
-@@ -780,7 +780,7 @@
-
- int smb_ldap_start_tls(LDAP *ldap_struct, int version)
- {
--#ifdef LDAP_OPT_X_TLS
-+#ifdef HAVE_LDAP_START_TLS_S
- int rc;
- #endif
-
-@@ -788,12 +788,24 @@
- return LDAP_SUCCESS;
- }
-
--#ifdef LDAP_OPT_X_TLS
-+#ifdef HAVE_LDAP_START_TLS_S
- if (version != LDAP_VERSION3) {
- DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
- return LDAP_OPERATIONS_ERROR;
- }
-
-+#ifdef HAVE_LDAPSSL_INIT /* Netscape */
-+ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
-+ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
-+ if (rc != LDAP_SUCCESS) {
-+ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
-+ "%s key db, failed: %s\n",
-+ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
-+ ldap_err2string(rc)));
-+ return rc;
-+ }
-+#endif /* HAVE_LDAPSSL_INIT */
-+
- if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
- DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
- ldap_err2string(rc)));
-@@ -802,12 +814,14 @@
-
- DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
- return LDAP_SUCCESS;
--#else
-+
-+#else /* ! HAVE_LDAP_START_TLS_S */
- DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
- return LDAP_OPERATIONS_ERROR;
--#endif
-+#endif /* HAVE_LDAP_START_TLS_S */
- }
-
-+
- /********************************************************************
- setup a connection to the LDAP server based on a uri
- *******************************************************************/
-@@ -815,8 +829,24 @@
- static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
- {
- int rc;
-+#ifdef LDAP_OPT_TIMELIMIT
-+ int ot = lp_ldap_timeout();
-+#endif
-+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
-+ int ct = lp_ldap_connection_timeout() * 1000;
-+#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
-+ struct timeval ct;
-+#endif
-+#ifndef HAVE_LDAP_INITIALIZE
-+ int port = 0;
-+ fstring protocol;
-+ fstring host;
-+ /* Following symbols are only available if Mozldap */
-+ /* is compiled with LDAP_DEBUG on */
-+ /* extern int lber_debug, ldap_debug; */
-+#endif
-
-- DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
-+ DEBUG(10, ("smb_ldap_setup_conn: %s\n", uri));
-
- #ifdef HAVE_LDAP_INITIALIZE
-
-@@ -837,74 +867,105 @@
- return LDAP_SUCCESS;
- #else
-
-+ /* lber_debug = 255 ; */
-+ /* ldap_debug = 1023 | 0x4000 ; */
-+
- /* Parse the string manually */
-
-- {
-- int port = 0;
-- fstring protocol;
-- fstring host;
-- SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
-+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
-
-
-- /* skip leading "URL:" (if any) */
-- if ( strnequal( uri, "URL:", 4 ) ) {
-- uri += 4;
-- }
-+ /* skip leading "URL:" (if any) */
-+ if ( strnequal( uri, "URL:", 4 ) ) {
-+ uri += 4;
-+ }
-
-- sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
-+ sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
-
-- if (port == 0) {
-- if (strequal(protocol, "ldap")) {
-- port = LDAP_PORT;
-- } else if (strequal(protocol, "ldaps")) {
-- port = LDAPS_PORT;
-- } else {
-- DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
-- }
-+ if (port == 0) {
-+ if (strequal(protocol, "ldap")) {
-+ port = LDAP_PORT;
-+ } else if (strequal(protocol, "ldaps")) {
-+ port = LDAPS_PORT;
-+ } else {
-+ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
-+ return LDAP_OPERATIONS_ERROR;
- }
-+ }
-
-+ if (strequal(protocol, "ldap")) {
- if ((*ldap_struct = ldap_init(host, port)) == NULL) {
- DEBUG(0, ("ldap_init failed !\n"));
- return LDAP_OPERATIONS_ERROR;
- }
--
-- if (strequal(protocol, "ldaps")) {
-+ } else if (strequal(protocol, "ldaps")) {
- #ifdef LDAP_OPT_X_TLS
-- int tls = LDAP_OPT_X_TLS_HARD;
-- if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
-- {
-- DEBUG(0, ("Failed to setup a TLS session\n"));
-+ int tls = LDAP_OPT_X_TLS_HARD;
-+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
-+ DEBUG(0, ("ldap_init failed !\n"));
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) {
-+ DEBUG(0, ("Failed to setup a TLS session\n"));
-+ }
-+
-+ DEBUG(3,("LDAPS option set...!\n"));
-+
-+#elif defined(HAVE_LDAPSSL_INIT) /* Netscape */
-+ if (*ldap_struct != NULL) {
-+ rc = ldap_unbind_s(*ldap_struct);
-+ if (rc == LDAP_SUCCESS) {
-+ DEBUG(10, ("LDAP already bound... unbound.\n"));
-+ } else {
-+ DEBUG(10, ("ldap_unbind_s failed: %s\n",
-+ ldap_err2string(rc)));
- }
-+ *ldap_struct = NULL;
-+ }
-+ rc = ldapssl_clientauth_init(lp_ldap_certdb_dir(), NULL,
-+ lp_ldap_privkey_open(), lp_ldap_keydb_dir(), NULL);
-+ if (rc != LDAP_SUCCESS) {
-+ DEBUG(0,("ldapssl_clientauth_init with '%s' cert db, "
-+ "%s key db, failed: %s\n",
-+ lp_ldap_certdb_dir(), lp_ldap_keydb_dir(),
-+ ldap_err2string(rc)));
-+ return rc;
-+ }
-
-- DEBUG(3,("LDAPS option set...!\n"));
-+ if ((*ldap_struct = ldapssl_init(host, port, True)) == NULL) {
-+ DEBUG(0, ("ldapssl_init to %s:%d failed!\n", host,
-+ port));
-+ return LDAP_OPERATIONS_ERROR;
-+ }
- #else
-- DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
-+ DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
- return LDAP_OPERATIONS_ERROR;
- #endif /* LDAP_OPT_X_TLS */
-- }
- }
- #endif /* HAVE_LDAP_INITIALIZE */
-
-+#ifdef LDAP_OPT_TIMELIMIT
-+ rc = ldap_set_option(*ldap_struct, LDAP_OPT_TIMELIMIT, &ot);
-+ if (rc != LDAP_SUCCESS) {
-+ DEBUG(0,("Failed to setup a ldap operation timeout %d: %s\n",
-+ ot, ldap_err2string(rc)));
-+ }
-+#endif
-+
- /* now set connection timeout */
- #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
-- {
-- int ct = lp_ldap_connection_timeout()*1000;
-- rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
-- if (rc != LDAP_SUCCESS) {
-- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
-- ct, ldap_err2string(rc)));
-- }
-+ rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
-+ if (rc != LDAP_SUCCESS) {
-+ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
-+ ct, ldap_err2string(rc)));
- }
- #elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
-- {
-- struct timeval ct;
-- ct.tv_usec = 0;
-- ct.tv_sec = lp_ldap_connection_timeout();
-- rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
-- if (rc != LDAP_SUCCESS) {
-- DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
-- (int)ct.tv_sec, ldap_err2string(rc)));
-- }
-+ ct.tv_usec = 0;
-+ ct.tv_sec = lp_ldap_connection_timeout();
-+ rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
-+ if (rc != LDAP_SUCCESS) {
-+ DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
-+ (int)ct.tv_sec, ldap_err2string(rc)));
- }
- #endif
-
-@@ -1094,7 +1155,7 @@
- * our credentials. At least *try* to secure the connection - Guenther */
-
- smb_ldap_upgrade_conn(ldap_struct, &version);
-- smb_ldap_start_tls(ldap_struct, version);
-+ /* smb_ldap_start_tls(ldap_struct, version); */
-
- /** @TODO Should we be doing something to check what servers we rebind to?
- Could we get a referral to a machine that we don't want to give our
---- a/source3/configure.in 2013-04-26 03:05:37.000000000 -0700
-+++ b/source3/configure.in 2013-05-09 13:54:35.613605329 -0700
-@@ -3485,6 +3485,14 @@
- fi
-
- ##################################################################
-+ # check for ldap_ssl.h (Mozldap)
-+ AC_CHECK_HEADERS([ldap_ssl.h], [], [],
-+ [[#if HAVE_LDAP_H
-+ #include <ldap.h>
-+ #endif
-+ ]])
-+
-+ ##################################################################
- # HP/UX does not have ber_tag_t in lber.h - it must be configured as
- # unsigned int in include/includes.h
- case $host_os in
-@@ -3551,6 +3562,14 @@
- AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
-
- ########################################################
-+ # check for Netscape mozldap SSL API
-+ AC_CHECK_FUNC_EXT(ldapssl_init,$LDAP_LIBS)
-+
-+ ########################################################
-+ # check for StartTLS on API
-+ AC_CHECK_FUNC_EXT(ldap_start_tls_s,$LDAP_LIBS)
-+
-+ ########################################################
- # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
- # Check found in pam_ldap 145.
- AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
-@@ -3627,33 +3646,17 @@
- # Check to see whether there is enough LDAP functionality to be able
- # to build AD support.
-
--# HPUX only has ldap_init; ok, we take care of this in smbldap.c
--case "$host_os" in
-- *hpux*)
-- AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS)
-+ # URL-open support is added into smbldap.c so ldap_init is enough
-+ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
-
-- if test x"$ac_cv_func_ext_ldap_init" != x"yes"; then
-+ if test x"$ac_cv_lib_ext_ldap_ldap_init" != x"yes"; then
- if test x"$with_ads_support" = x"yes"; then
-- AC_MSG_ERROR(Active Directory support on HPUX requires ldap_init)
-+ AC_MSG_ERROR(Active Directory support requires ldap_init)
- elif test x"$with_ads_support" = x"auto"; then
-- AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX))
-+ AC_MSG_WARN(Disabling Active Directory support (requires ldap_init))
- with_ads_support=no
- fi
- fi
-- ;;
-- *)
-- AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)
--
-- if test x"$ac_cv_func_ext_ldap_initialize" != x"yes"; then
-- if test x"$with_ads_support" = x"yes"; then
-- AC_MSG_ERROR(Active Directory support requires ldap_initialize)
-- elif test x"$with_ads_support" = x"auto"; then
-- AC_MSG_WARN(Disabling Active Directory support (requires ldap_initialize))
-- with_ads_support=no
-- fi
-- fi
-- ;;
--esac
-
-
- AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS)