PSARC/2016/225 OpenLDAP Update to 2.4.44
22159934 Update OpenLDAP 2.4.30 to OpenLDAP 2.4.44
15793387 Does slapd really belong in pkg:/library/openldap?
15811938 libldap_r-2.4.so.2.8.3`ldap_parse_sasl_bind_result+0x18d memory leaks
17937475 CVE-2013-4449: openldap: segfault on certain queries with rwm overlay
21837740 problem in SERVICE/OPENLDAP
21645415 OpenLDAP core dumps if listener-threads is set to 2
19597840 libldap_r-2.4.so.2.8.3`ldap_new_connection+0x192 causes SIGSEGV
20866611 TLS_PROTOCOL_MIN functional but undocumented in ldap.conf(5oldap)
21614972 ldapmodify doesn't operate as expected due to solaris renaming
21247153 openldap account should be password=NP not default to locked
21232554 binary is named openldapsearch, man page is ldapsearch
21630074 openldap calling fopen() without F
15826440 svc:/network/ldap/server:openldap_24 needs properties for slapd options
21607640 openldap server needs to support ldaps by default
18230501 OpenLDAP should ship with lint libraries
21772464 svc:/network/ldap/server:openldap_24 needs management authorizations
22959761 Need to set proper privileges in the method_credential in OpenLDAP manifest
23057730 pkg mediator should be used for OpenLDAP installation
Fixes problem with setting the TLS client protocol version and ciphersuite
in the NSSWITCH LDAP library in Solaris.
Patch was developed in-house; it is Solaris specific and
will not be contributed upstream.
--- openldap-2.4.44/libraries/libldap/ldap.conf.old Thu Nov 5 10:11:14 2015
+++ openldap-2.4.44/libraries/libldap/ldap.conf Thu Nov 5 10:16:44 2015
@@ -9,5 +9,8 @@
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
+
+TLS_PROTOCOL_MIN 3.2
+TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
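Review bot: `TLS_PROTOCOL_MIN 3.2` sets the client floor at TLS 1.1, not TLS 1.2, because ldap.conf(5) maps TLS 1.x to 3.(x+1). The `TLS_CIPHER_SUITE` line added next to it leads with the `TLSv1.2` keyword. If TLS 1.2 is the intended minimum, this should be `TLS_PROTOCOL_MIN 3.3`. If TLS 1.1 is accepted on purpose, say so in a comment. These are also the only uncommented settings among the sample lines shown in this hunk, and they have no explanatory comment. A short `#` line above them stating that they are Solaris defaults and what they enforce would help an administrator who later edits this file.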
--- openldap-2.4.44/servers/slapd/slapd.conf.old Thu Nov 5 10:11:25 2015
+++ openldap-2.4.44/servers/slapd/slapd.conf Thu Nov 5 10:16:24 2015
@@ -23,6 +23,8 @@
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
+TLSProtocolMin 3.2
+TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
# Sample access control policy:
# Root DSE: allow anyone to read it
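Review bot: the `TLSCipherSuite` list added here ends with three 3DES suites (`DHE-RSA-DES-CBC3-SHA`, `DHE-DSS-DES-CBC3-SHA`, `DES-CBC3-SHA`), and it is the only active strength control in this region, since the `security ssf=1 update_ssf=112 simple_bind=64` line above stays commented out. Confirm that 3DES and the non-DHE `AES128-SHA`/`AES256-SHA` entries are still needed for interoperability, and drop them if not. `TLSProtocolMin 3.2` likewise permits TLS 1.1. The two new directives are inserted with no blank line or comment between the SSF sample and `# Sample access control policy:`, so a one-line comment describing them would keep the file readable. The cipher string is duplicated verbatim from ldap.conf, so note somewhere that the two must be kept in sync.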