# HG changeset patch
# User zihao.zhu@oracle.com
# Date 1438986592 25200
# Node ID e3d379372d78aefb0a5d117a8832881bbc35ff56
# Parent 707aa310c1ab62eaffdb24ee787dc5abbffe01c9
21577683 Incorrect TLS_CIPHER_SUITE string value in ldap.conf and slapd.conf
16538104 Starting svc:/network/ldap/server:openldap_24 fails
diff -r 707aa310c1ab -r e3d379372d78 components/openldap/Solaris/ldap-olslapd
--- a/components/openldap/Solaris/ldap-olslapd Thu Jul 30 04:08:51 2015 -0700
+++ b/components/openldap/Solaris/ldap-olslapd Fri Aug 07 15:29:52 2015 -0700
@@ -21,13 +21,13 @@
 # CDDL HEADER END
 #
-# Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 source /lib/svc/share/smf_include.sh
 typeset -r LDAPUSR=openldap
 typeset -r LDAPGRP=openldap
-typeset -r VARRUNDIR=/var/run/openldap
+typeset -r VARRUNDIR=/var/openldap/run
 typeset -r PIDFILE=${VARRUNDIR}/slapd.pid
 typeset -r CONF_FILE=/etc/openldap/slapd.conf
 typeset -r SLAPD="/usr/lib/slapd -u ${LDAPUSR} -g ${LDAPGRP} -f ${CONF_FILE}"
@@ -38,7 +38,7 @@
 case "$1" in
 start)
 if [[ ! -d ${VARRUNDIR} ]] ; then
- /usr/bin/mkdir -m 755 ${VARRUNDIR} || exit $SMF_EXIT_ERR_CONFIG
+ /usr/bin/mkdir -m 700 ${VARRUNDIR} || exit $SMF_EXIT_ERR_CONFIG
 /usr/bin/chown ${LDAPUSR}:${LDAPGRP} ${VARRUNDIR}
 else
 /bin/rm -f ${PIDFILE}
diff -r 707aa310c1ab -r e3d379372d78 components/openldap/openldap.p5m
--- a/components/openldap/openldap.p5m Thu Jul 30 04:08:51 2015 -0700
+++ b/components/openldap/openldap.p5m Fri Aug 07 15:29:52 2015 -0700
@@ -20,7 +20,7 @@
 #
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 default mangler.man.stability committed
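Review bot: The `PIDFILE=${VARRUNDIR}/slapd.pid` line that follows the changed VARRUNDIR is only where this method script expects the pid file; slapd writes its pid wherever the `pidfile` directive in slapd.conf points, and the SLAPD command on the hunk's last line passes no pid-file option. If that directive still names the old /var/run/openldap location, the `/bin/rm -f ${PIDFILE}` in the start branch and any stop handling based on PIDFILE will act on a file slapd never writes; the slapd.conf hunk in this changeset does not touch `pidfile`, so the agreement should be confirmed and recorded with a comment next to the PIDFILE line such as `# must match the pidfile directive in ${CONF_FILE}`. The rest of the script lies outside the hunk.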
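Review bot: The `/usr/bin/chown ${LDAPUSR}:${LDAPGRP} ${VARRUNDIR}` line immediately after the changed mkdir is still unchecked, so a failed chown leaves a root-owned mode-700 directory that the openldap user cannot enter, and the service then fails at pid-file time with a far less useful error than the mkdir path produces. Give it the same guard: `/usr/bin/chown ${LDAPUSR}:${LDAPGRP} ${VARRUNDIR} || exit $SMF_EXIT_ERR_CONFIG`. The `else` branch only clears a stale pid file; because the directory is now also delivered by the package manifest, a pre-existing directory with a wrong owner or mode is never corrected here, which may be intended but deserves a one-line comment. The enclosing case statement continues outside the hunk.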
@@ -81,9 +81,11 @@
 dir path=usr/share/man/man5oldap
 dir path=usr/share/man/man8oldap
 dir path=var
-dir path=var/openldap
-dir path=var/openldap/openldap-data
-dir path=var/openldap/run
+dir path=var/openldap owner=openldap group=openldap
+dir path=var/openldap/openldap-data owner=openldap group=openldap mode=700
+file var/openldap/openldap-data/DB_CONFIG.example \
+ path=var/openldap/openldap-data/DB_CONFIG overlay=allow preserve=true
+dir path=var/openldap/run owner=openldap group=openldap mode=700
 file path=etc/openldap/DB_CONFIG.example
 file path=etc/openldap/ldap.conf mode=0644 owner=root group=openldap preserve=true overlay=allow
 file path=etc/openldap/ldap.conf.default
diff -r 707aa310c1ab -r e3d379372d78 components/openldap/patches/01-no-ssl3.patch
--- a/components/openldap/patches/01-no-ssl3.patch Thu Jul 30 04:08:51 2015 -0700
+++ b/components/openldap/patches/01-no-ssl3.patch Fri Aug 07 15:29:52 2015 -0700
@@ -13,7 +13,7 @@
  #DEREF never
 +
 +TLS_PROTOCOL_MIN 3.2
-+TLS_CIPHER_SUITE -ALL:+TLSv1.2:+TLSv1.1
++TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
 --- openldap-2.4.30/servers/slapd/slapd.conf.old Mon Jun 1 16:47:47 2015
 +++ openldap-2.4.30/servers/slapd/slapd.conf Mon Jun 1 16:47:59 2015
 @@ -22,10 +22,12 @@
@@ -22,8 +22,8 @@
  # Require 112-bit (3DES or better) encryption for updates
  # Require 63-bit encryption for simple bind
  # security ssf=1 update_ssf=112 simple_bind=64
-+TLSProtocolMin 3.2
-+TLSCipherSuite -ALL:+TLSv1.2:+TLSv1.1
++TLSProtocolMin 770
++TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  # Sample access control policy:
  # Root DSE: allow anyone to read it
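Review bot: The new `file var/openldap/openldap-data/DB_CONFIG.example path=var/openldap/openldap-data/DB_CONFIG overlay=allow preserve=true` action carries no owner, group or mode, while the directory it is delivered into is now openldap:openldap mode=700 and the sibling `etc/openldap/ldap.conf` action in the same hunk spells all three out; whatever the package defaults are, the file will presumably end up root-owned inside a directory the service account owns, which is an inconsistent and hard-to-audit layout for a preserved config file. Add the attributes explicitly, e.g. `mode=0644 owner=openldap group=openldap` on the continuation line, after confirming whether slapd only reads DB_CONFIG. The hunk also mixes `mode=700` and `mode=0644` notation; pick one form for the file.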
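Review bot: The replacement `TLS_CIPHER_SUITE` value is a long literal with no note on why the old `-ALL:+TLSv1.2:+TLSv1.1` failed, and the identical string is repeated for `TLSCipherSuite` in the slapd.conf hunk below, so the two copies will drift unless something ties them together. As I read OpenSSL cipher-list rules, `-ALL` removes every suite and a `+` entry only reorders suites already selected, so the old value selected nothing, which matches the first bug id; the new list's `TLSv1.2` keyword pulls in the TLS 1.2-only suites and the explicit SHA-1 entries, including the 3DES `DES-CBC3-SHA` ones, are what remain for the TLS 1.1 connections still allowed by `TLS_PROTOCOL_MIN 3.2`. A comment line in the patched ldap.conf such as `# keep in sync with TLSCipherSuite in slapd.conf; 3DES entries retained for 112-bit clients` would make that intent reviewable, and whether the 3DES entries are still needed is worth a deliberate decision rather than a side effect of the list.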
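Review bot: `TLSProtocolMin 770` is a magic number with no comment; 770 is 0x0302, major 3 minor 2, the same TLS 1.1 floor the ldap.conf side still writes as `TLS_PROTOCOL_MIN 3.2`. The changeset's second bug id suggests slapd rejected the dotted form, but nothing in the patch records that, so the next person raising the floor will not know whether to write 771 or 3.3 here. Add a comment above the directive in the patched slapd.conf: `# 770 = 0x0302 = TLS 1.1; slapd.conf takes the integer form, ldap.conf the dotted 3.2`. The inner slapd.conf hunk this line belongs to begins in the previous outer hunk.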