From 27c279ba2cbf3fd7ff471e69b001d7fdd6032caa Mon Sep 17 00:00:00 2001
From: Fabio Erculiani
Date: Tue, 2 Oct 2012 20:23:36 +0000
Subject: version bump, closes #405127, #428178, #436768
Package-Manager: portage-2.2.0_alpha123/cvs/Linux x86_64
---
net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild | 202 ++++++++++++
net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild | 199 -----------
net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild | 199 -----------
net-nds/389-ds-base/ChangeLog | 11 +-
net-nds/389-ds-base/Manifest | 22 +-
.../files/389-ds-base-1.2.11-fix-mozldap.patch | 28 ++
.../389-ds-base-1.2.11.16-cve-2012-4450.patch | 367 +++++++++++++++++++++
7 files changed, 618 insertions(+), 410 deletions(-)
create mode 100644 net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild
delete mode 100644 net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild
delete mode 100644 net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild
create mode 100644 net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch
create mode 100644 net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch
(limited to 'net-nds')
diff --git a/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild
new file mode 100644
index 000000000000..9dc293126a49
--- /dev/null
+++ b/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild
@@ -0,0 +1,202 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild,v 1.1 2012/10/02 20:23:36 lxnay Exp $
+
+EAPI=2
+
+WANT_AUTOMAKE="1.9"
+MY_P=${P/_alpha/.a}
+MY_P=${MY_P/_rc/.rc}
+inherit eutils multilib flag-o-matic autotools
+
+DESCRIPTION="389 Directory Server (core librares and daemons )"
+HOMEPAGE="http://port389.org/"
+SRC_URI="http://directory.fedoraproject.org/sources/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2-with-exceptions"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux"
+
+ALL_DEPEND="!>=sys-libs/db-5.0
+ >=dev-libs/cyrus-sasl-2.1.19
+ >=dev-libs/icu-3.4
+ dev-libs/nss[utils]
+ dev-libs/nspr
+ dev-libs/svrcore
+ dev-libs/openssl
+ dev-libs/libpcre:3
+ dev-libs/mozldap
+ dev-perl/perl-mozldap
+ >=net-analyzer/net-snmp-5.1.2
+ sys-apps/tcp-wrappers
+ >=sys-libs/db-4.5
+ sys-libs/pam
+ sys-libs/zlib
+ kerberos? ( net-nds/openldap >=app-crypt/mit-krb5-1.7-r100[openldap] )
+ selinux? ( >=sys-apps/policycoreutils-1.30.30
+ sec-policy/selinux-base-policy )"
+
+DEPEND="${ALL_DEPEND}
+ virtual/pkgconfig
+ sys-devel/libtool
+ doc? ( app-doc/doxygen )
+ selinux? ( sys-devel/m4 >=sys-apps/checkpolicy-1.30.12 )
+ sys-apps/sed"
+RDEPEND="${ALL_DEPEND}
+ virtual/perl-Time-Local
+ virtual/perl-MIME-Base64"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+ enewgroup dirsrv
+ enewuser dirsrv -1 -1 -1 dirsrv
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/selinux.patch"
+ # Fix compilation against mozldap
+ epatch "${FILESDIR}/389-ds-base-1.2.11-fix-mozldap.patch"
+ # Upstream patch, will be in 1.2.11.16, fixes CVE-2012-4450
+ epatch "${FILESDIR}/389-ds-base-1.2.11.16-cve-2012-4450.patch"
+
+ # as per 389 documentation, when 64bit, export USE_64
+ use amd64 && export USE_64=1
+
+ sed -i -e 's/nobody/dirsrv/g' configure.ac || die "sed failed on configure.ac"
+ eautoreconf
+
+ # enable nsslapd-allow-unauthenticated-binds by default
+ sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/' "${S}"/ldap/ldif/template-dse.ldif.in || \
+ die "cannot tweak default setting: nsslapd-allow-unauthenticated-binds"
+
+}
+
+src_configure() {
+ local myconf=""
+
+ use auto-dn-suffix && myconf="${myconf} --enable-auto-dn-suffix"
+ use selinux && myconf="${myconf} --with-selinux"
+
+ econf \
+ $(use_enable debug) \
+ $(use_enable pam-passthru) \
+ $(use_enable ldapi) \
+ $(use_enable autobind) \
+ $(use_enable dna) \
+ $(use_enable bitwise) \
+ $(use_enable presence) \
+ $(use_with kerberos) \
+ --enable-maintainer-mode \
+ --enable-autobind \
+ --with-fhs \
+ $myconf || die "econf failed"
+}
+
+src_compile() {
+ append-lfs-flags
+
+ # Use -j1 otherwise libacl-plugin.so could fail to install properly
+ emake -j1 || die "compile failed"
+ if use selinux; then
+ emake -f selinux/Makefile || die " build selinux policy failed"
+ fi
+}
+
+src_install () {
+ # Use -j1 otherwise libacl-plugin.so could fail to install properly
+ emake -j1 DESTDIR="${D}" install || die "emake install failed"
+
+ if use selinux;then
+ emake -f selinux/Makefile DESTDIR="${D}" install || die "Install selinux policy failed"
+ fi
+
+ # install not installed header
+ insinto /usr/include/dirsrv
+ doins ldap/servers/slapd/slapi-plugin.h
+
+ # for build free-ipa require winsync-plugin
+ doins ldap/servers/plugins/replication/winsync-plugin.h
+ doins ldap/servers/plugins/replication/repl-session-plugin.h
+
+ # make sure perl scripts have a proper shebang
+ cd "${D}"/usr/share/dirsrv/script-templates/
+
+ for i in $(find ./ -iname '*.pl') ;do
+ sed -i -e 's/#{{PERL-EXEC}}/#\!\/usr\/bin\/perl/' $i || die
+ done
+
+ # remove redhat style init script
+ rm -rf "${D}"/etc/rc.d || die
+ rm -rf "${D}"/etc/default || die
+
+ # and install gentoo style init script
+ newinitd "${FILESDIR}"/389-ds.initd 389-ds
+ newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp
+
+ # install Gentoo-specific start/stop scripts
+ rm -f "${D}"/usr/sbin/{re,}start-dirsrv || die "cannot remove 389 start/stop executables"
+ exeinto /usr/sbin
+ doexe "${FILESDIR}"/{re,}start-dirsrv
+
+ # cope with libraries being in /usr/lib/dirsrv
+ dodir /etc/env.d
+ echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv
+
+ # create the directory where our log file and database
+ diropts -m 0755
+ dodir /var/lib/dirsrv
+ keepdir /var/lib/dirsrv
+ dodir /var/lock/dirsrv
+ keepdir /var/lock/dirsrv
+ # snmp agent, required directory
+ keepdir /var/agentx
+ dodir /var/agentx
+
+ if use doc; then
+ cd "${S}"
+ doxygen slapi.doxy || die "cannot run doxygen"
+ dohtml -r docs/html
+ fi
+}
+
+pkg_postinst() {
+ if use selinux; then
+ if has "loadpolicy" $FEATURES; then
+ einfo "Inserting the following modules into the module store"
+ cd /usr/share/selinux/targeted # struct policy not supported
+ semodule -s dirsrv -i dirsrv.pp
+ else
+ elog
+ elog "Policy has not been loaded. It is strongly suggested"
+ elog "that the policy be loaded before continuing!!"
+ elog
+ elog "Automatic policy loading can be enabled by adding"
+ elog "\"loadpolicy\" to the FEATURES in make.conf."
+ elog
+ ebeep 4
+ fi
+ fi
+
+ elog
+ elog "If you are planning to use 389-ds-snmp (ldap-agent),"
+ elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf"
+ elog "adding proper 'server' entries, and adding the lines below to"
+ elog " => /etc/snmp/snmpd.conf"
+ elog
+ elog "master agentx"
+ elog "agentXSocket /var/agentx/master"
+ elog
+ elog
+ elog "To start 389 Directory Server (LDAP service) at boot:"
+ elog
+ elog " rc-update add 389-ds default"
+ elog
+
+ elog "If you are upgrading from previous 1.2.6 release candidates"
+ elog "please see:"
+ elog "http://directory.fedoraproject.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer"
+ elog
+
+}
diff --git a/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild
deleted file mode 100644
index cb1c90e55a6a..000000000000
--- a/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild
+++ /dev/null
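Review bot: In src_prepare() of the new 389-ds-base-1.2.11.15.ebuild, the line starting `sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/'` flips the template default from `off` to `on`, so a newly created instance will accept a bind that carries a DN and an empty password; client applications that only check whether the bind succeeded can then treat that as a valid login. A bump that pulls in the CVE-2012-4450 fix is a good moment to stop weakening that default: I would drop the sed, or keep it behind an explicit USE flag and add `elog "nsslapd-allow-unauthenticated-binds is enabled by default; set it to off unless needed"` to pkg_postinst(). Separately, src_configure() passes `--enable-autobind` unconditionally after `$(use_enable autobind)`, so the `autobind` USE flag looks like it has no effect.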
@@ -1,199 +0,0 @@ -# Copyright 1999-2012 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild,v 1.4 2012/05/03 04:24:37 jdhore Exp $ - -EAPI=2 - -WANT_AUTOMAKE="1.9" -MY_P=${P/_alpha/.a} -MY_P=${MY_P/_rc/.rc} -inherit eutils multilib flag-o-matic autotools - -DESCRIPTION="389 Directory Server (core librares and daemons )" -HOMEPAGE="http://port389.org/" -SRC_URI="http://directory.fedoraproject.org/sources/${MY_P}.tar.bz2" - -LICENSE="GPL-2-with-exceptions" -SLOT="0" -KEYWORDS="~amd64 ~x86" -IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux" - -ALL_DEPEND="!>=sys-libs/db-5.0 - dev-libs/nss[utils] - dev-libs/nspr - dev-libs/svrcore - dev-libs/mozldap - >=dev-libs/cyrus-sasl-2.1.19 - >=dev-libs/icu-3.4 - >=sys-libs/db-4.5 - >=net-analyzer/net-snmp-5.1.2 - dev-libs/openssl - sys-apps/tcp-wrappers - sys-libs/pam - sys-libs/zlib - dev-perl/perl-mozldap - dev-libs/libpcre:3 - kerberos? ( net-nds/openldap - >=app-crypt/mit-krb5-1.7-r100[openldap] ) - selinux? ( >=sys-apps/policycoreutils-1.30.30 - sec-policy/selinux-base-policy )" - -DEPEND="${ALL_DEPEND} - virtual/pkgconfig - sys-devel/libtool - doc? ( app-doc/doxygen ) - selinux? 
( sys-devel/m4 >=sys-apps/checkpolicy-1.30.12 ) - sys-apps/sed" -RDEPEND="${ALL_DEPEND} - virtual/perl-Time-Local - virtual/perl-MIME-Base64" - -S="${WORKDIR}/${MY_P}" - -pkg_setup() { - enewgroup dirsrv - enewuser dirsrv -1 -1 -1 dirsrv -} - -src_prepare() { - epatch "${FILESDIR}/selinux.patch" - - # as per 389 documentation, when 64bit, export USE_64 - use amd64 && export USE_64=1 - - sed -i -e 's/nobody/dirsrv/g' configure.ac || die "sed failed on configure.ac" - eautoreconf - - # enable nsslapd-allow-unauthenticated-binds by default - sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/' "${S}"/ldap/ldif/template-dse.ldif.in || \ - die "cannot tweak default setting: nsslapd-allow-unauthenticated-binds" - -} - -src_configure() { - local myconf="" - - use auto-dn-suffix && myconf="${myconf} --enable-auto-dn-suffix" - use selinux && myconf="${myconf} --with-selinux" - - econf \ - $(use_enable debug) \ - $(use_enable pam-passthru) \ - $(use_enable ldapi) \ - $(use_enable autobind) \ - $(use_enable dna) \ - $(use_enable bitwise) \ - $(use_enable presence) \ - $(use_with kerberos) \ - --enable-maintainer-mode \ - --enable-autobind \ - --with-fhs \ - $myconf || die "econf failed" -} - -src_compile() { - append-lfs-flags - - # Use -j1 otherwise libacl-plugin.so could fail to install properly - emake -j1 || die "compile failed" - if use selinux; then - emake -f selinux/Makefile || die " build selinux policy failed" - fi -} - -src_install () { - # Use -j1 otherwise libacl-plugin.so could fail to install properly - emake -j1 DESTDIR="${D}" install || die "emake install failed" - - if use selinux;then - emake -f selinux/Makefile DESTDIR="${D}" install || die "Install selinux policy failed" - fi - - # install not installed header - insinto /usr/include/dirsrv - doins ldap/servers/slapd/slapi-plugin.h - - # for build free-ipa require winsync-plugin - doins ldap/servers/plugins/replication/winsync-plugin.h - doins ldap/servers/plugins/replication/repl-session-plugin.h - - 
# make sure perl scripts have a proper shebang - cd "${D}"/usr/share/dirsrv/script-templates/ - - for i in $(find ./ -iname '*.pl') ;do - sed -i -e 's/#{{PERL-EXEC}}/#\!\/usr\/bin\/perl/' $i || die - done - - # remove redhat style init script - rm -rf "${D}"/etc/rc.d || die - rm -rf "${D}"/etc/default || die - - # and install gentoo style init script - newinitd "${FILESDIR}"/389-ds.initd 389-ds - newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp - - # install Gentoo-specific start/stop scripts - rm -f "${D}"/usr/sbin/{re,}start-dirsrv || die "cannot remove 389 start/stop executables" - exeinto /usr/sbin - doexe "${FILESDIR}"/{re,}start-dirsrv - - # cope with libraries being in /usr/lib/dirsrv - dodir /etc/env.d - echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv - - # create the directory where our log file and database - diropts -m 0755 - dodir /var/lib/dirsrv - keepdir /var/lib/dirsrv - dodir /var/lock/dirsrv - keepdir /var/lock/dirsrv - # snmp agent, required directory - keepdir /var/agentx - dodir /var/agentx - - if use doc; then - cd "${S}" - doxygen slapi.doxy || die "cannot run doxygen" - dohtml -r docs/html - fi -} - -pkg_postinst() { - if use selinux; then - if has "loadpolicy" $FEATURES; then - einfo "Inserting the following modules into the module store" - cd /usr/share/selinux/targeted # struct policy not supported - semodule -s dirsrv -i dirsrv.pp - else - elog - elog "Policy has not been loaded. It is strongly suggested" - elog "that the policy be loaded before continuing!!" - elog - elog "Automatic policy loading can be enabled by adding" - elog "\"loadpolicy\" to the FEATURES in make.conf." 
- elog - ebeep 4 - fi - fi - - elog - elog "If you are planning to use 389-ds-snmp (ldap-agent)," - elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf" - elog "adding proper 'server' entries, and adding the lines below to" - elog " => /etc/snmp/snmpd.conf" - elog - elog "master agentx" - elog "agentXSocket /var/agentx/master" - elog - elog - elog "To start 389 Directory Server (LDAP service) at boot:" - elog - elog " rc-update add 389-ds default" - elog - - elog "If you are upgrading from previous 1.2.6 release candidates" - elog "please see:" - elog "http://directory.fedoraproject.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer" - elog - -} diff --git a/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild deleted file mode 100644 index b6bb8ac18d08..000000000000 --- a/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild +++ /dev/null 
@@ -1,199 +0,0 @@ -# Copyright 1999-2012 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild,v 1.2 2012/05/03 04:24:37 jdhore Exp $ - -EAPI=2 - -WANT_AUTOMAKE="1.9" -MY_P=${P/_alpha/.a} -MY_P=${MY_P/_rc/.rc} -inherit eutils multilib flag-o-matic autotools - -DESCRIPTION="389 Directory Server (core librares and daemons )" -HOMEPAGE="http://port389.org/" -SRC_URI="http://directory.fedoraproject.org/sources/${MY_P}.tar.bz2" - -LICENSE="GPL-2-with-exceptions" -SLOT="0" -KEYWORDS="~amd64 ~x86" -IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux" - -ALL_DEPEND="!>=sys-libs/db-5.0 - dev-libs/nss[utils] - dev-libs/nspr - dev-libs/svrcore - dev-libs/mozldap - >=dev-libs/cyrus-sasl-2.1.19 - >=dev-libs/icu-3.4 - >=sys-libs/db-4.5 - >=net-analyzer/net-snmp-5.1.2 - dev-libs/openssl - sys-apps/tcp-wrappers - sys-libs/pam - sys-libs/zlib - dev-perl/perl-mozldap - dev-libs/libpcre:3 - kerberos? ( net-nds/openldap - >=app-crypt/mit-krb5-1.7-r100[openldap] ) - selinux? ( >=sys-apps/policycoreutils-1.30.30 - sec-policy/selinux-base-policy )" - -DEPEND="${ALL_DEPEND} - virtual/pkgconfig - sys-devel/libtool - doc? ( app-doc/doxygen ) - selinux? 
( sys-devel/m4 >=sys-apps/checkpolicy-1.30.12 ) - sys-apps/sed" -RDEPEND="${ALL_DEPEND} - virtual/perl-Time-Local - virtual/perl-MIME-Base64" - -S="${WORKDIR}/${MY_P}" - -pkg_setup() { - enewgroup dirsrv - enewuser dirsrv -1 -1 -1 dirsrv -} - -src_prepare() { - epatch "${FILESDIR}/selinux.patch" - - # as per 389 documentation, when 64bit, export USE_64 - use amd64 && export USE_64=1 - - sed -i -e 's/nobody/dirsrv/g' configure.ac || die "sed failed on configure.ac" - eautoreconf - - # enable nsslapd-allow-unauthenticated-binds by default - sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/' "${S}"/ldap/ldif/template-dse.ldif.in || \ - die "cannot tweak default setting: nsslapd-allow-unauthenticated-binds" - -} - -src_configure() { - local myconf="" - - use auto-dn-suffix && myconf="${myconf} --enable-auto-dn-suffix" - use selinux && myconf="${myconf} --with-selinux" - - econf \ - $(use_enable debug) \ - $(use_enable pam-passthru) \ - $(use_enable ldapi) \ - $(use_enable autobind) \ - $(use_enable dna) \ - $(use_enable bitwise) \ - $(use_enable presence) \ - $(use_with kerberos) \ - --enable-maintainer-mode \ - --enable-autobind \ - --with-fhs \ - $myconf || die "econf failed" -} - -src_compile() { - append-lfs-flags - - # Use -j1 otherwise libacl-plugin.so could fail to install properly - emake -j1 || die "compile failed" - if use selinux; then - emake -f selinux/Makefile || die " build selinux policy failed" - fi -} - -src_install () { - # Use -j1 otherwise libacl-plugin.so could fail to install properly - emake -j1 DESTDIR="${D}" install || die "emake install failed" - - if use selinux;then - emake -f selinux/Makefile DESTDIR="${D}" install || die "Install selinux policy failed" - fi - - # install not installed header - insinto /usr/include/dirsrv - doins ldap/servers/slapd/slapi-plugin.h - - # for build free-ipa require winsync-plugin - doins ldap/servers/plugins/replication/winsync-plugin.h - doins ldap/servers/plugins/replication/repl-session-plugin.h - - 
# make sure perl scripts have a proper shebang - cd "${D}"/usr/share/dirsrv/script-templates/ - - for i in $(find ./ -iname '*.pl') ;do - sed -i -e 's/#{{PERL-EXEC}}/#\!\/usr\/bin\/perl/' $i || die - done - - # remove redhat style init script - rm -rf "${D}"/etc/rc.d || die - rm -rf "${D}"/etc/default || die - - # and install gentoo style init script - newinitd "${FILESDIR}"/389-ds.initd 389-ds - newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp - - # install Gentoo-specific start/stop scripts - rm -f "${D}"/usr/sbin/{re,}start-dirsrv || die "cannot remove 389 start/stop executables" - exeinto /usr/sbin - doexe "${FILESDIR}"/{re,}start-dirsrv - - # cope with libraries being in /usr/lib/dirsrv - dodir /etc/env.d - echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv - - # create the directory where our log file and database - diropts -m 0755 - dodir /var/lib/dirsrv - keepdir /var/lib/dirsrv - dodir /var/lock/dirsrv - keepdir /var/lock/dirsrv - # snmp agent, required directory - keepdir /var/agentx - dodir /var/agentx - - if use doc; then - cd "${S}" - doxygen slapi.doxy || die "cannot run doxygen" - dohtml -r docs/html - fi -} - -pkg_postinst() { - if use selinux; then - if has "loadpolicy" $FEATURES; then - einfo "Inserting the following modules into the module store" - cd /usr/share/selinux/targeted # struct policy not supported - semodule -s dirsrv -i dirsrv.pp - else - elog - elog "Policy has not been loaded. It is strongly suggested" - elog "that the policy be loaded before continuing!!" - elog - elog "Automatic policy loading can be enabled by adding" - elog "\"loadpolicy\" to the FEATURES in make.conf." 
- elog - ebeep 4 - fi - fi - - elog - elog "If you are planning to use 389-ds-snmp (ldap-agent)," - elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf" - elog "adding proper 'server' entries, and adding the lines below to" - elog " => /etc/snmp/snmpd.conf" - elog - elog "master agentx" - elog "agentXSocket /var/agentx/master" - elog - elog - elog "To start 389 Directory Server (LDAP service) at boot:" - elog - elog " rc-update add 389-ds default" - elog - - elog "If you are upgrading from previous 1.2.6 release candidates" - elog "please see:" - elog "http://directory.fedoraproject.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer" - elog - -} diff --git a/net-nds/389-ds-base/ChangeLog b/net-nds/389-ds-base/ChangeLog index a9822c80cca0..fe906aed3134 100644 --- a/net-nds/389-ds-base/ChangeLog +++ b/net-nds/389-ds-base/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for net-nds/389-ds-base # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/ChangeLog,v 1.21 2012/05/03 04:24:37 jdhore Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/ChangeLog,v 1.22 2012/10/02 20:23:36 lxnay Exp $ + +*389-ds-base-1.2.11.15 (02 Oct 2012) + + 02 Oct 2012; Fabio Erculiani + +389-ds-base-1.2.11.15.ebuild, + +files/389-ds-base-1.2.11.16-cve-2012-4450.patch, + +files/389-ds-base-1.2.11-fix-mozldap.patch, -389-ds-base-1.2.8.3.ebuild, + -389-ds-base-1.2.9.6.ebuild: + version bump, closes #405127, #428178, #436768 03 May 2012; Jeff Horelick 389-ds-base-1.2.8.3.ebuild, 389-ds-base-1.2.9.6.ebuild: diff --git a/net-nds/389-ds-base/Manifest b/net-nds/389-ds-base/Manifest index 210119bc4157..3351b3b228b9 100644 --- a/net-nds/389-ds-base/Manifest +++ b/net-nds/389-ds-base/Manifest 
@@ -1,11 +1,11 @@ -AUX 389-ds-snmp.initd 1076 RMD160 7a3be7745e7e7a6de675b40b56556bfacef76a9a SHA1 8d8cbaa5c288d7d2a4ec25a2d85b406336c37073 SHA256 0dccceef42e29b5f696fc241cccdb3641eca3d8e300aef13b13ba1a40f8382e1 -AUX 389-ds.initd 1995 RMD160 1c6140438e874b5e75bc13533fb493780675a2ff SHA1 a3c567584ce949317a741f2a8410f758d507f9b5 SHA256 722f0c18f21ccb60054433e62748008ffd908d026220be4f705dcf46e9322a92 -AUX restart-dirsrv 581 RMD160 8812d099f1da6bcbefc0d09fe719f340f3c6d534 SHA1 0db36dd8f0379f1cd4bcc10da4f6cfe6dc37eacd SHA256 fd0dfbce5d74b065fc1bef6e11527d56c7fc4f16ae55383841c05d35d03173b2 -AUX selinux.patch 280 RMD160 f20b93a31f0e2435b95f3e927c99c719811b9bd7 SHA1 00391f15331ec22e3b43e098230ad154c150edfb SHA256 0600d46c02987c69c3c77a2f8f90dd4c31edea983911268227aa708230cdb6f9 -AUX start-dirsrv 303 RMD160 92d3d03931614f9a85345feec5a070c7a664996f SHA1 b2b92fc7d6aaec16d9ed31ff4fb5a596f9ce32f7 SHA256 d29272f92d2c4420da8aad7919861ab667c8f224bde560491f1626957418d361 -DIST 389-ds-base-1.2.8.3.tar.bz2 2881255 RMD160 39442a5eaa2e5c05be6db6f3ee76cf051d5a70e5 SHA1 87f1f8ec0044f4b1766b2b65b34f4e14d9d0d41d SHA256 956d15947ed91d1564c539d6932b6bca28b1209dd43ff19594ceb4e41a40cf1f -DIST 389-ds-base-1.2.9.6.tar.bz2 2886557 RMD160 5b10daf260340009bc14b29fa4dd130d1c47d34a SHA1 f6ce44a8fc61faab96ead8172be45507efb49a4c SHA256 f89ae29db5da6e72e7a5e49a4cef56a0405838673720a2cf5993f42f058a2635 -EBUILD 389-ds-base-1.2.8.3.ebuild 5530 RMD160 f2a2f4e9f7e90bfdf76f6d7ff3b14abd2a7aff89 SHA1 18328858b680fb56c2cb6fefb61f79575f38cf81 SHA256 a71eb328d4f309602a4034225b6ac0fda374ad1185e64fee2a0a1e56d4b9b9c0 -EBUILD 389-ds-base-1.2.9.6.ebuild 5530 RMD160 43d01d5ff93e6e7d10f9a6354227e8f3c572b44c SHA1 3df70b942a49bd8edeeff2922daa9b24860a3190 SHA256 036d350ea55335f44433ef098620e58f963e4dd3e6fd006149fce045523d8d64 -MISC ChangeLog 4326 RMD160 1e13f0710b2ecbc6fe50e678428f3fd03b3d4473 SHA1 e7ed99e98def89c2dd8a9fe4bf8ce9eaedbd92d6 SHA256 0fb341c0698caad1b7802a8e0d3841b6dbece520be04a03b1456c0a098122c0f -MISC 
metadata.xml 1048 RMD160 01ba603cae70b0ab5d1e075cdf4a4abe1bb9df80 SHA1 cc0e421e0eeca73585cd591daf6eac215197d35c SHA256 a57ddcbe9aa68a7d05cda7de1dba219fc1a81070899df2d564af33f9d89f5c32 +AUX 389-ds-base-1.2.11-fix-mozldap.patch 789 SHA256 55e33e366ad13c22a00a8255ea34fb84786f2d3308ba1cab74b92684897bbdc5 SHA512 30e3fe84d8d5d380e80ccb19cebd73271b540caef61770514f43c3097e34d133cefdbb5abec3ccd25ad7a46df380719c0ce8fa7b10185091f236f622850ebfa4 WHIRLPOOL 271a2f16a52bc599391d167499aad0f2f9658def2becf35e6364b9125cd9c8d2cd33a8bb41c4c7b16ea3a48dec0de786f0059950f1b3a6a172b6cd4881a784d5 +AUX 389-ds-base-1.2.11.16-cve-2012-4450.patch 12046 SHA256 248f9df6bdae5dd24a0c67168a057fd73d9aeb7a5afb288587680678b27d651c SHA512 90378d2cd8347e32952450e8c648951cd8bcf774fcc6536c7f85a870ffd964d3541ebf7a2f44c76ba71514e1151ced1d43cf7de7f85bfe69b997d2c642180b47 WHIRLPOOL db70f8537f0091f172c396f90fb18361cb29c14b475557dab904a0613563efb5d7742fa2db20a7db62686a80a4ab469f8347082d456df76a1771e83aba876e11 +AUX 389-ds-snmp.initd 1076 SHA256 0dccceef42e29b5f696fc241cccdb3641eca3d8e300aef13b13ba1a40f8382e1 SHA512 0e2a6a8519a82d25cc96c0f5b26e9a53e7a56ddd9b842ff830535628d5f55a3eb662cf4d1c93d49fa66176249866a1ed21461ccd7e920869a95297ca5197db8c WHIRLPOOL dcc8efb767eb7d4044424967b26b93d88b827f652146eaabcc5c105ea373ae02d1a89ab0e61057496eec220e8c0111599099ec711d28e61f61e19008dfe775bb +AUX 389-ds.initd 1995 SHA256 722f0c18f21ccb60054433e62748008ffd908d026220be4f705dcf46e9322a92 SHA512 185704cc96d5238532ba8f3ee7578587b58c76ae864cb2a1d35fd5361edfe2c504286b7ad738d6530661393461447ca2948af4807f58420c5bb83a0fee7d9054 WHIRLPOOL ad55cccb4ddec7c6c98c467e68359c2f2bab7c11b52ad333687600bf5f4b43c1f9f2da6e317759c4b7b1e68c2d1bf106675bfd7d0a752206a0300b627777efe2 +AUX restart-dirsrv 581 SHA256 fd0dfbce5d74b065fc1bef6e11527d56c7fc4f16ae55383841c05d35d03173b2 SHA512 c8b2168977a1884baa35f78ba9a065bf3900413afcd5c38eba0f3695af6b4900785430ec61e34479a22b6888334a46e6c3796e15866a37969497033a9cbdee6e WHIRLPOOL 
81ace8c577aeb931d2bda9bacd1ff9b9389c9d6d0ccdbd53867686d0fd3e3bd9bc4bf1965231dcb7803a16fa6e3f438daf54bb569e7a81062f84fc71e3e278f3 +AUX selinux.patch 280 SHA256 0600d46c02987c69c3c77a2f8f90dd4c31edea983911268227aa708230cdb6f9 SHA512 333aae269ab806057c2e6eb5b6b657bbbbd12334254b7b7a07f46cb89d7a78d6fd573a987bfe3a0cb74df27e01009b68d8510b47a13ac7ab8e7e4c7301842d6e WHIRLPOOL 3f4c9d1ea8907dda7e236f17355a4710dad6a162395999688173c1a818c48505ea47a8cfa43116981a0a978764f7a27d771fd26e551bb0b3e5e123ba7b8e5121 +AUX start-dirsrv 303 SHA256 d29272f92d2c4420da8aad7919861ab667c8f224bde560491f1626957418d361 SHA512 0a150045099e367ed54a3bf9319f3a608ea9b967f13e6f29aac7d3f6ca2e39edc2d8f843bab9a2c7cb93d8d175a8a34e6c0ad1a0dd1a586cf4141a1dcd3d37d6 WHIRLPOOL 936fc295e75ab18e5207eb2fe2eea42eef3807321f3ff526bbc4f4d8d4ef79b0ff8a09b676d7a993c76efb6da8fab3365b085f682d1a0e615092b8bd0b67a6c5 +DIST 389-ds-base-1.2.11.15.tar.bz2 2983709 SHA256 de193bf5e38e1c7e1b9af0e1eebab70c8b62c2b0daeaa0a33e737add90bcbce0 SHA512 ed41fa07ac57c749ae48270a980173b9c63588748e5b45bb7fa0009aeb9c28c2c62e717f68ce764afca9aae4931443b5544343ab02b484654006829e98c5da7c WHIRLPOOL adebfeaf453de8bcfd46ddbb262e471b7bdb63e2858fbf53f192e58ed5b6be90e9e34ef512cf0322e98448a9a51bee90bc569edd6039b241208085c4f55af9e2 +EBUILD 389-ds-base-1.2.11.15.ebuild 5748 SHA256 b366b88c41095e0d1b5a1de96ecab350ded96ecc19e34a6640128f3a50fc23e0 SHA512 9246420eeb82ae6566c157a79b71c67551389e3ae9a81622b53df4e2ddc51b26c72dcb8cdf7a3524b004693e11aa2ed1d1a95494509ad2e3d6f7db6d9d451ed7 WHIRLPOOL a7d278044c5719c0770dd88ec4143cfd2b37cc4024e53d3d4f42cdd17075db4a5238d349cb74bfbc2edabb20401deb49a053766f153a0dcd943ed63c45191968 +MISC ChangeLog 4655 SHA256 5283908ce2c8d0b92ca49c318b0ecfc6aa17eac88e409c6a3a4449f1ee00f30d SHA512 aa5c90900d5e6236c7d411af901d16be9f0619e87fc848bdaf1ff9a60234ddaa02fa661743e999c77439646a3884f8de3526eab5bc0e3e7f5581f090cb3d7674 WHIRLPOOL 
ac96c29f2a0eff6ba3dbb746b0e2a0283c63539c8b2610ee8105483f5d9ddf3b40d5582f1cedf76a84332f9a92faa7848d876b4ebe798fc4873495b968da2012 +MISC metadata.xml 1048 SHA256 a57ddcbe9aa68a7d05cda7de1dba219fc1a81070899df2d564af33f9d89f5c32 SHA512 0ec15db03c6526ebc7404ac4d674695764d820fad63e6ce3c7fb9e015f1d9a0157cb3507356f074502d0186d18bc1b5fa26d9d1d2fbc622bb426a8054f34dd49 WHIRLPOOL 1dbbc21809873987acde2013a7cc4a3a31bf122b65d04576f7ec6c33df1725e86b778611a2c7dff91f236db7692e87f2d9456918e1c9f0d5f84efd675021a0f0 diff --git a/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch b/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch new file mode 100644 index 000000000000..7c99085e3d3b --- /dev/null +++ b/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch @@ -0,0 +1,28 @@ +commit f5bd0ed47523b39aedb6bcc1f9c0754371159a77 +Author: Rich Megginson +Date: Fri Sep 14 09:20:18 2012 -0600 + + Ticket #461 - fix build problem with mozldap c sdk + + https://fedorahosted.org/389/ticket/461 + Reviewed by: rmeggins + Fixed by: cgrzemba + Branch: master + Fix Description: mozldap does not define LDAP_MOD_OP so define it + Platforms tested: RHEL6 x86_64 + Flag Day: no + Doc impact: no + +diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c +index bfd48b1..4736e82 100644 +--- a/ldap/servers/slapd/pw.c ++++ b/ldap/servers/slapd/pw.c +@@ -61,6 +61,9 @@ + #if defined( _WIN32 ) + #undef LDAPDebug + #endif /* _WIN32 */ ++#if defined( USE_MOZLDAP ) ++#define LDAP_MOD_OP (0x0007) ++#endif /* USE_MOZLDAP */ + + #include "slap.h" diff --git a/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch b/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch new file mode 100644 index 000000000000..54d9b1b975d7 --- /dev/null +++ b/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch 
@@ -0,0 +1,367 @@
+From 5beb93d42efb807838c09c5fab898876876f8d09 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi
+Date: Fri, 21 Sep 2012 19:35:18 +0000
+Subject: Trac Ticket #340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not
+
+ evaluated in acl
+
+https://fedorahosted.org/389/ticket/340
+
+Bug Description: When modrdn operation was executed, only newrdn
+change was passed to the acl plugin. Also, the change was used
+only for the acl search, but not for the acl target in the items
+in the acl cache.
+
+Fix Description: This patch also passes the newsuperior update
+to the acl plugin. And the modrdn updates are applied to the
+acl target in the acl cache.
+---
+diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
+index 15e474e..3389404 100644
+--- a/ldap/servers/plugins/acl/acl.c
++++ b/ldap/servers/plugins/acl/acl.c
+@@ -170,9 +170,9 @@ acl_access_allowed_modrdn(
+ * Test if have access to make the first rdn of dn in entry e.
+ */
+
+-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn,
+- int access) {
+-
++static int
++check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, int access)
++{
+ char **dns;
+ char **rdns;
+ int retCode = LDAP_INSUFFICIENT_ACCESS;
+@@ -655,7 +655,8 @@ cleanup_and_ret:
+
+ }
+
+-static void print_access_control_summary( char *source, int ret_val, char *clientDn,
++static void
++print_access_control_summary( char *source, int ret_val, char *clientDn,
+ struct acl_pblock *aclpb,
+ char *right,
+ char *attr,
+@@ -1524,11 +1525,12 @@ acl_check_mods(
+ *
+ **************************************************************************/
+ extern void
+-acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
++acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change)
+ {
+ struct berval **bvalue;
+ char **value;
+ int rv=0; /* returned value */
++ const char* n_dn;
+ char* new_RDN;
+ char* parent_DN;
+ char* new_DN;
+@@ -1537,10 +1539,12 @@ acl_modified
(Slapi_PBlock *pb, int optype, char *n_dn, void *change)
+ int j;
+ Slapi_Attr *attr = NULL;
+ Slapi_Entry *e = NULL;
+- Slapi_DN *e_sdn;
+ aclUserGroup *ugroup = NULL;
+
+- e_sdn = slapi_sdn_new_normdn_byval ( n_dn );
++ if (NULL == e_sdn) {
++ return;
++ }
++ n_dn = slapi_sdn_get_dn(e_sdn);
+ /* Before we proceed, Let's first check if we are changing any groups.
+ ** If we are, then we need to change the signature
+ */
+@@ -1768,45 +1772,64 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
+ }
+
+ break;
+- }/* case op is modify*/
++ }/* case op is modify*/
+
+- case SLAPI_OPERATION_MODRDN:
+-
+- new_RDN = (char*) change;
+- slapi_log_error (SLAPI_LOG_ACL, plugin_name,
+- "acl_modified (MODRDN %s => \"%s\"\n",
+- n_dn, new_RDN);
++ case SLAPI_OPERATION_MODRDN:
++ {
++ char **rdn_parent;
++ rdn_parent = (char **)change;
++ new_RDN = rdn_parent[0];
++ parent_DN = rdn_parent[1];
+
+ /* compute new_DN: */
+- parent_DN = slapi_dn_parent (n_dn);
+- if (parent_DN == NULL) {
+- new_DN = new_RDN;
++ if (NULL == parent_DN) {
++ parent_DN = slapi_dn_parent(n_dn);
++ }
++ if (NULL == parent_DN) {
++ if (NULL == new_RDN) {
++ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
++ "acl_modified (MODRDN %s => \"no change\"\n",
++ n_dn);
++ break;
++ } else {
++ new_DN = new_RDN;
++ }
+ } else {
+- new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
++ if (NULL == new_RDN) {
++ Slapi_RDN *rdn= slapi_rdn_new();
++ slapi_sdn_get_rdn(e_sdn, rdn);
++ new_DN = slapi_create_dn_string("%s,%s", slapi_rdn_get_rdn(rdn),
++ parent_DN);
++ slapi_rdn_free(&rdn);
++ } else {
++ new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
++ }
+ }
++ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
++ "acl_modified (MODRDN %s => \"%s\"\n", n_dn, new_RDN);
+
+ /* Change the acls */
+- acllist_acicache_WRITE_LOCK();
++ acllist_acicache_WRITE_LOCK();
+ /* acllist_moddn_aci_needsLock expects normalized new_DN,
+ * which is no need to be case-ignored */
+
acllist_moddn_aci_needsLock ( e_sdn, new_DN );
+ acllist_acicache_WRITE_UNLOCK();
+
+ /* deallocat the parent_DN */
+- if (parent_DN != NULL) {
+- slapi_ch_free ( (void **) &new_DN );
+- slapi_ch_free ( (void **) &parent_DN );
++ if (parent_DN != NULL) {
++ slapi_ch_free_string(&new_DN);
++ if (parent_DN != rdn_parent[1]) {
++ slapi_ch_free_string(&parent_DN);
++ }
+ }
+ break;
+-
+- default:
++ } /* case op is modrdn */
++ default:
+ /* print ERROR */
+ break;
+ } /*optype switch */
+-
+- slapi_sdn_free ( &e_sdn );
+-
+ }
++
+ /***************************************************************************
+ *
+ * acl__scan_for_acis
+diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
+index 4fa3e3f..28c38e7 100644
+--- a/ldap/servers/plugins/acl/acl.h
++++ b/ldap/servers/plugins/acl/acl.h
+@@ -796,7 +796,8 @@ int acl_read_access_allowed_on_attr ( Slapi_PBlock *pb, Slapi_Entry *e, char
+ struct berval *val, int access);
+ void acl_set_acllist (Slapi_PBlock *pb, int scope, char *base);
+ void acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf);
+-void acl_modified ( Slapi_PBlock *pb, int optype, char *dn, void *change);
++void acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change);
++
+ int acl_access_allowed_disjoint_resource( Slapi_PBlock *pb, Slapi_Entry *e,
+ char *attr, struct berval *val, int access );
+ int acl_access_allowed_main ( Slapi_PBlock *pb, Slapi_Entry *e, char **attrs,
+@@ -866,7 +867,7 @@ void acllist_print_tree ( Avlnode *root, int *depth, char *start, char *side);
+ AciContainer *acllist_get_aciContainer_new ( );
+ void acllist_done_aciContainer ( AciContainer *);
+
+-aclUserGroup* aclg_find_userGroup (char *n_dn);
++aclUserGroup* aclg_find_userGroup (const char *n_dn);
+ void aclg_regen_ugroup_signature( aclUserGroup *ugroup);
+ void aclg_markUgroupForRemoval ( aclUserGroup *u_group );
+ void aclg_reader_incr_ugroup_refcnt(aclUserGroup* u_group);
+diff --git
a/ldap/servers/plugins/acl/aclgroup.c b/ldap/servers/plugins/acl/aclgroup.c
+index c694293..2231304 100644
+--- a/ldap/servers/plugins/acl/aclgroup.c
++++ b/ldap/servers/plugins/acl/aclgroup.c
+@@ -213,7 +213,7 @@ aclg_reset_userGroup ( struct acl_pblock *aclpb )
+ */
+
+ aclUserGroup*
+-aclg_find_userGroup(char *n_dn)
++aclg_find_userGroup(const char *n_dn)
+ {
+ aclUserGroup *u_group = NULL;
+ int i;
+diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c
+index 9b5363a..e8198af 100644
+--- a/ldap/servers/plugins/acl/acllist.c
++++ b/ldap/servers/plugins/acl/acllist.c
+@@ -600,7 +600,6 @@ void
+ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
+ {
+ Acl_PBlock *aclpb;
+- int i;
+ AciContainer *root;
+ char *basedn = NULL;
+ int index;
+@@ -671,11 +670,6 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
+ aclpb->aclpb_state &= ~ACLPB_SEARCH_BASED_ON_LIST ;
+
+ acllist_acicache_READ_UNLOCK();
+-
+- i = 0;
+- while ( i < aclpb_max_selected_acls && aclpb->aclpb_base_handles_index[i] != -1 ) {
+- i++;
+- }
+ }
+
+ /*
+@@ -893,34 +887,50 @@ acllist_acicache_WRITE_LOCK( )
+ int
+ acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn )
+ {
+-
+-
+ AciContainer *aciListHead;
+ AciContainer *head;
++ aci_t *acip;
++ const char *oldndn;
+
+ /* first get the container */
+
+ aciListHead = acllist_get_aciContainer_new ( );
+ slapi_sdn_free(&aciListHead->acic_sdn);
+- aciListHead->acic_sdn = oldsdn;
+-
++ aciListHead->acic_sdn = oldsdn;
+
+ if ( NULL == (head = (AciContainer *) avl_find( acllistRoot, aciListHead,
+- (IFP) __acllist_aciContainer_node_cmp ) ) ) {
++ (IFP) __acllist_aciContainer_node_cmp ) ) ) {
+
+ slapi_log_error ( SLAPI_PLUGIN_ACL, plugin_name,
+- "Can't find the acl in the tree for moddn operation:olddn%s\n",
+- slapi_sdn_get_ndn ( oldsdn ));
++ "Can't find the acl in the tree for moddn operation:olddn%s\n",
++ slapi_sdn_get_ndn ( oldsdn ));
+ aciListHead->acic_sdn = NULL;
+
__acllist_free_aciContainer ( &aciListHead );
+- return 1;
++ return 1;
+ }
+
+-
+- /* Now set the new DN */
+- slapi_sdn_done ( head->acic_sdn );
+- slapi_sdn_set_normdn_byval ( head->acic_sdn, newdn );
+-
++ /* Now set the new DN */
++ slapi_sdn_set_normdn_byval(head->acic_sdn, newdn);
++
++ /* If necessary, reset the target DNs, as well. */
++ oldndn = slapi_sdn_get_ndn(oldsdn);
++ for (acip = head->acic_list; acip; acip = acip->aci_next) {
++ const char *ndn = slapi_sdn_get_ndn(acip->aci_sdn);
++ char *p = PL_strstr(ndn, oldndn);
++ if (p) {
++ if (p == ndn) {
++ /* target dn is identical, replace it with new DN*/
++ slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn);
++ } else {
++ /* target dn is a descendent of olddn, merge it with new DN*/
++ char *mynewdn;
++ *p = '\0';
++ mynewdn = slapi_ch_smprintf("%s%s", ndn, newdn);
++ slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn);
++ }
++ }
++ }
++
+ aciListHead->acic_sdn = NULL;
+ __acllist_free_aciContainer ( &aciListHead );
+
+diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
+index 11e56a9..b79d0f2 100644
+--- a/ldap/servers/slapd/dn.c
++++ b/ldap/servers/slapd/dn.c
+@@ -2097,7 +2097,7 @@ slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn)
+ slapi_sdn_done(sdn);
+ sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+ if(normdn == NULL) {
+- sdn->dn = slapi_ch_strdup(normdn);
++ sdn->dn = NULL;
+ sdn->ndn_len = 0;
+ } else {
+ sdn->dn = slapi_ch_strdup(normdn);
+diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c
+index b878156..3bc3f21 100644
+--- a/ldap/servers/slapd/plugin_acl.c
++++ b/ldap/servers/slapd/plugin_acl.c
+@@ -134,11 +134,10 @@ int
+ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ {
+ struct slapdplugin *p;
+- char *dn;
+ int rc = 0;
+- void *change = NULL;
+- Slapi_Entry *te = NULL;
+- Slapi_DN *sdn = NULL;
++ void *change = NULL;
++ Slapi_Entry *te = NULL;
++ Slapi_DN *sdn = NULL;
+ Operation *operation;
+
+ slapi_pblock_get (pb,
SLAPI_OPERATION, &operation);
+@@ -146,7 +145,7 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ (void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+
+ switch ( optype ) {
+- case SLAPI_OPERATION_MODIFY:
++ case SLAPI_OPERATION_MODIFY:
+ (void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
+ break;
+ case SLAPI_OPERATION_ADD:
+@@ -158,11 +157,27 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ }
+ break;
+ case SLAPI_OPERATION_MODRDN:
++ {
++ void *mychange[2];
++ char *newrdn = NULL;
++ Slapi_DN *psdn = NULL;
++ char *pdn = NULL;
++
+ /* newrdn: "change" is normalized but not case-ignored */
+ /* The acl plugin expects normalized newrdn, but no need to be case-
+ * ignored. */
+- (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &psdn );
++ if (psdn) {
++ pdn = (char *)slapi_sdn_get_dn(psdn);
++ } else {
++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &pdn );
++ }
++ mychange[0] = newrdn;
++ mychange[1] = pdn;
++ change = mychange;
+ break;
++ }
+ }
+
+ if (NULL == sdn) {
+@@ -172,10 +187,9 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ }
+
+ /* call the global plugins first and then the backend specific */
+- dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
+ for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
+ if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){
+- rc = (*p->plg_acl_mods_update)(pb, optype, dn, change );
++ rc = (*p->plg_acl_mods_update)(pb, optype, sdn, change );
+ if ( rc != LDAP_SUCCESS ) break;
+ }
+ }
+--
+cgit v0.9.0.2
-- cgit v1.2.3-65-gdbad
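Review bot: In the plugin_acl.c part, `void *mychange[2];` is declared inside the new braces of `case SLAPI_OPERATION_MODRDN:`, yet `change = mychange;` is only consumed by the later `(*p->plg_acl_mods_update)(pb, optype, sdn, change )` call, after that block has closed, so the ACL plugin reads an array whose lifetime has ended; declaring `void *mychange[2];` next to `void *change = NULL;` at function scope fixes it. In the acllist.c part, `PL_strstr(ndn, oldndn)` matches the old DN anywhere in an ACI target, not only as a trailing suffix on an RDN boundary, so a target that merely contains the old DN text would be cut at `*p = '\0'` and rewritten with the wrong prefix. I would require the match to end the string and to sit at the start or directly after a `,` before touching `acip->aci_sdn`, and build the new DN from a copy rather than writing through the `const char *` returned by `slapi_sdn_get_ndn`. Both functions are only partly visible in the inner hunks, so the surrounding handling is assumed unchanged.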