21577683 Incorrect TLS_CIPHER_SUITE string value in ldap.conf and slapd.conf s11u2-sru13-backport
authorzihao.zhu@oracle.com <zihao.zhu@oracle.com>
Fri, 07 Aug 2015 15:29:52 -0700
branchs11u2-sru13-backport
changeset 4756 9d8743313ecd
parent 4718 f09b7b1b6fb9
child 4757 474d804478ce
21577683 Incorrect TLS_CIPHER_SUITE string value in ldap.conf and slapd.conf 16538104 Starting svc:/network/ldap/server:openldap_24 fails
components/openldap/Solaris/ldap-olslapd
components/openldap/openldap.p5m
components/openldap/patches/01-no-ssl3.patch
--- a/components/openldap/Solaris/ldap-olslapd	Thu Jul 30 04:08:24 2015 -0700
+++ b/components/openldap/Solaris/ldap-olslapd	Fri Aug 07 15:29:52 2015 -0700
@@ -21,13 +21,13 @@
 # CDDL HEADER END
 #
 
-# Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 source /lib/svc/share/smf_include.sh
 
 typeset -r LDAPUSR=openldap
 typeset -r LDAPGRP=openldap
-typeset -r VARRUNDIR=/var/run/openldap
+typeset -r VARRUNDIR=/var/openldap/run
 typeset -r PIDFILE=${VARRUNDIR}/slapd.pid
 typeset -r CONF_FILE=/etc/openldap/slapd.conf
 typeset -r SLAPD="/usr/lib/slapd -u ${LDAPUSR} -g ${LDAPGRP} -f ${CONF_FILE}"
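Review bot: `PIDFILE` (context line, unchanged) now lives under `/var/openldap/run`, a directory this commit hands to the `openldap` user, so whatever the stop branch of the `case` does with the pid read from that file is acting on data the service account can write. The stop branch is outside this hunk, so this is inferred; if it runs `kill` on `$(cat ${PIDFILE})` as root, it should at least reject a non-numeric value, e.g. `[[ $pid == +([0-9]) ]] || exit $SMF_EXIT_ERR_FATAL`, or stop the service by its SMF contract instead of trusting the pid file. A one-line comment at the `PIDFILE` definition, `# written by slapd as ${LDAPUSR}; do not trust its contents as root`, would make the trust boundary visible to the next maintainer.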
@@ -38,7 +38,7 @@
 case "$1" in
 start)
         if [[ ! -d ${VARRUNDIR} ]] ; then
-		/usr/bin/mkdir -m 755 ${VARRUNDIR} || exit $SMF_EXIT_ERR_CONFIG
+		/usr/bin/mkdir -m 700 ${VARRUNDIR} || exit $SMF_EXIT_ERR_CONFIG
 		/usr/bin/chown ${LDAPUSR}:${LDAPGRP} ${VARRUNDIR}
         else
 		/bin/rm -f ${PIDFILE}
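Review bot: Only the `mkdir -m 700` line exits on failure; the `chown` on the next line is unchecked, and with the new mode a root-owned, 0700 run directory leaves slapd (running as `${LDAPUSR}`) unable to write its pid file at all, where the old 0755 mode at least let it read. Make the ownership step fatal as well: `/usr/bin/chown ${LDAPUSR}:${LDAPGRP} ${VARRUNDIR} || exit $SMF_EXIT_ERR_CONFIG`. The `else` branch assumes an existing directory already has the right owner and mode, which holds for the package-delivered directory but not for one left behind by an earlier layout; a short comment saying it relies on the manifest's `owner`/`mode` would document that. The `case` body continues past the end of the hunk.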
--- a/components/openldap/openldap.p5m	Thu Jul 30 04:08:24 2015 -0700
+++ b/components/openldap/openldap.p5m	Fri Aug 07 15:29:52 2015 -0700
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability committed>
@@ -81,9 +81,11 @@
 dir path=usr/share/man/man5oldap
 dir path=usr/share/man/man8oldap
 dir path=var
-dir path=var/openldap
-dir path=var/openldap/openldap-data
-dir path=var/openldap/run
+dir path=var/openldap owner=openldap group=openldap
+dir path=var/openldap/openldap-data owner=openldap group=openldap mode=700
+file var/openldap/openldap-data/DB_CONFIG.example \
+    path=var/openldap/openldap-data/DB_CONFIG overlay=allow preserve=true
+dir path=var/openldap/run owner=openldap group=openldap mode=700
 file path=etc/openldap/DB_CONFIG.example
 file path=etc/openldap/ldap.conf mode=0644 owner=root group=openldap preserve=true overlay=allow
 file path=etc/openldap/ldap.conf.default
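Review bot: `dir path=var/openldap owner=openldap group=openldap` gives the service account ownership of the parent of both the data and run directories but, unlike its two children, carries no `mode=`, so it takes whatever default the manifest transforms supply (not visible here). Since the SMF method creates `/var/openldap/run` as root and nothing on the page shows slapd creating entries directly in `/var/openldap`, the parent can stay root-owned with an explicit mode, `dir path=var/openldap owner=root group=openldap mode=0755`, which keeps the service user from replacing `run/` or `openldap-data/` wholesale. The new `file ... path=var/openldap/openldap-data/DB_CONFIG` action likewise has no owner/group/mode and will get the defaults; confirm that the defaulted owner is what the data directory's `mode=700` intends. Note the file elsewhere writes modes as `0644` while the new lines use `700`; one form is easier to grep.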
--- a/components/openldap/patches/01-no-ssl3.patch	Thu Jul 30 04:08:24 2015 -0700
+++ b/components/openldap/patches/01-no-ssl3.patch	Fri Aug 07 15:29:52 2015 -0700
@@ -13,7 +13,7 @@
  #DEREF		never
 +
 +TLS_PROTOCOL_MIN	3.2
-+TLS_CIPHER_SUITE	-ALL:+TLSv1.2:+TLSv1.1
++TLS_CIPHER_SUITE	TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
 --- openldap-2.4.30/servers/slapd/slapd.conf.old	Mon Jun  1 16:47:47 2015
 +++ openldap-2.4.30/servers/slapd/slapd.conf	Mon Jun  1 16:47:59 2015
 @@ -22,10 +22,12 @@
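Review bot: The new `TLS_CIPHER_SUITE` value is a long opaque string that is repeated byte-for-byte in the slapd.conf hunk below (`TLSCipherSuite`), with nothing telling a maintainer why SHA-1 CBC suites, including three 3DES (112-bit) entries, are listed after the `TLSv1.2` group. Presumably they are there for peers limited to TLS 1.1, which `TLS_PROTOCOL_MIN 3.2` still admits, and `!aNULL:!eNULL` drops unauthenticated and null-encryption suites; a comment line in the inner patch would capture that, e.g. `+# TLS 1.2 suites first; SHA-1 AES/3DES suites kept for TLS 1.1 peers (TLS_PROTOCOL_MIN 3.2); !aNULL/!eNULL exclude unauthenticated and null-cipher suites`, and the same comment belongs in the slapd.conf hunk. The list should be checked once with `openssl ciphers -v '<the string>'` so a typo does not silently leave the default set enabled, and the two copies need to be kept in sync.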
@@ -22,8 +22,8 @@
  #	Require 112-bit (3DES or better) encryption for updates
  #	Require 63-bit encryption for simple bind
  # security ssf=1 update_ssf=112 simple_bind=64
-+TLSProtocolMin	3.2
-+TLSCipherSuite	-ALL:+TLSv1.2:+TLSv1.1
++TLSProtocolMin	770
++TLSCipherSuite	TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  
  # Sample access control policy:
  #	Root DSE: allow anyone to read it
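Review bot: `TLSProtocolMin 770` is a magic number: 770 is 0x0302, the same TLS 1.1 minimum that ldap.conf expresses as `TLS_PROTOCOL_MIN 3.2`, presumably written in the integer form because this slapd version rejected the dotted form (bug 16538104 in the commit title). A comment line in the inner patch, `+# 770 == 0x0302 == TLS 1.1 minimum, same as TLS_PROTOCOL_MIN 3.2 in ldap.conf`, would stop the next reader from treating the two files as configured differently. The `security ssf=...` line in context remains commented out, so the 112-bit requirement mentioned just above it is only enforced by the cipher list, not by slapd's ssf checks; worth stating in the same comment.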