commit yast2-auth-server for openSUSE:Factory
Hello community, here is the log from the commit of package yast2-auth-server for openSUSE:Factory checked in at 2016-04-16 22:07:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-auth-server (Old) and /work/SRC/openSUSE:Factory/.yast2-auth-server.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "yast2-auth-server" Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-auth-server/yast2-auth-server.changes 2015-07-28 11:42:00.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-auth-server.new/yast2-auth-server.changes 2016-04-16 22:07:20.000000000 +0200 @@ -1,0 +2,8 @@ +Fri Apr 8 12:12:45 UTC 2016 - hguo@suse.com + +- The recent OpenLDAP upgrade in Tumbleweed no longer loads DB + drivers and essential modules by default, hence adapting to that + by explicitly loading them. Bump version to 3.1.16. + Address bsc#959760 bsc#964924. + +------------------------------------------------------------------- Old: ---- yast2-auth-server-3.1.15.tar.bz2 New: ---- yast2-auth-server-3.1.16.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-auth-server.spec ++++++ --- /var/tmp/diff_new_pack.w1wwyF/_old 2016-04-16 22:07:21.000000000 +0200 +++ /var/tmp/diff_new_pack.w1wwyF/_new 2016-04-16 22:07:21.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package yast2-auth-server # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@
 Name: yast2-auth-server
-Version: 3.1.15
+Version: 3.1.16
 Release: 0
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
++++++ yast2-auth-server-3.1.15.tar.bz2 -> yast2-auth-server-3.1.16.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/agent/SlapdConfigAgent.cc new/yast2-auth-server-3.1.16/agent/SlapdConfigAgent.cc
--- old/yast2-auth-server-3.1.15/agent/SlapdConfigAgent.cc 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/agent/SlapdConfigAgent.cc 2016-04-12 09:53:24.000000000 +0200
@@ -1,4 +1,6 @@
 #include "SlapdConfigAgent.h"
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <LDAPConnection.h>
 #include <LDAPException.h>
 #include <LdifReader.h>
@@ -75,6 +77,46 @@
 }
 }
+// If system is tumbleweed, return /usr/lib(64)/openldap. Otherwise return empty string.
+const std::string SlapdConfigAgent::getOlcModuleLoadPath()
+{
+ /*
+ * In late January 2016, OpenLDAP on Tumbleweed was updated to exclude
+ * DB and syncprov overlay drivers from the main executable. They will have
+ * to be dynamically loaded from modules' directory.
+ * This function helps to determine location of the directory, depending
+ * on /etc/os-release.
+ * SLES and Leap are not affected.
+ */
+ ifstream osRelease("/etc/os-release");
+ if (!osRelease.is_open())
+ {
+ y2error("Failed to open /etc/os-release");
+ throw std::runtime_error("Failed to open /etc/os-release");
+ }
+ bool isTumbleweed;
+ string osrLine;
+ while (getline(osRelease, osrLine))
+ {
+ if (osrLine.find("Tumbleweed") != std::string::npos)
+ {
+ isTumbleweed = true;
+ break;
+ }
+ }
+ osRelease.close();
+ if (!isTumbleweed)
+ {
+ return "";
+ }
+ struct stat testExistence;
+ if (stat("/usr/lib64/openldap", &testExistence) == 0)
+ {
+ return "/usr/lib64/openldap";
+ }
+ return "/usr/lib/openldap";
+}
+
 YCPValue SlapdConfigAgent::Read( const YCPPath &path, const YCPValue &arg, const YCPValue &opt)
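Review bot: `bool isTumbleweed;` in getOlcModuleLoadPath() is never initialised, so on any system whose /etc/os-release lacks the word Tumbleweed the later `if (!isTumbleweed)` reads an indeterminate value and may return a module path on SLES or Leap, the very systems the comment says are unaffected; write `bool isTumbleweed = false;`. The `stat()` test accepts any object at /usr/lib64/openldap, so add `S_ISDIR(testExistence.st_mode)` to the condition if the intent is an existing directory. Matching the bare substring "Tumbleweed" on every line of os-release is loose (any field or comment containing the word qualifies); anchoring on the `NAME=` line would state the intent more precisely, though it is not wrong as written. The function also returns `const std::string` by value, where a plain `std::string` would let callers move from the result.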
@@ -372,6 +414,17 @@
 olc.updateEntry(**j);
 }
 deleteableSchema.clear();
+ // If module should be loaded for database drivers, make sure that the module list covers all databases.
+ std::string moduleLoadPath = getOlcModuleLoadPath();
+ if (moduleLoadPath != "")
+ {
+ OlcModuleListEntry moduleListEntry = olc.getModuleListEntry();
+ moduleListEntry.setLoadPath(moduleLoadPath);
+ moduleListEntry.addEssentialModules();
+ y2milestone("olcModuleList: %s", moduleListEntry.toLdif().c_str());
+ olc.updateEntry(moduleListEntry);
+ }
+ // Continue adding new databases and modifying existing databases
 OlcDatabaseList::iterator i;
 for ( i = databases.begin(); i != databases.end() ; i++ ) {
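Review bot: The new block calls getOlcModuleLoadPath(), which throws std::runtime_error when /etc/os-release cannot be opened, from inside the commit sequence; unless the enclosing function (it begins and ends outside this hunk) already catches that, a missing os-release now aborts the whole commit after the schema update instead of merely skipping the module list, which may or may not be intended. `olc.getModuleListEntry()` returns a default-constructed entry when the server has no cn=module{0} entry yet, so `olc.updateEntry(moduleListEntry)` must handle an add as well as a modify — that code is not in this hunk, so worth confirming. Style: `moduleLoadPath != ""` reads more directly as `!moduleLoadPath.empty()`; the same comparison appears in the dumpConfDb and ConfigToLdif hunks of this file.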
@@ -422,11 +475,38 @@
 attrs.add("contextCSN");
 LDAPSearchResults *sr = m_lc->search( "cn=config", LDAPConnection::SEARCH_SUB, "objectclass=*", attrs );
+ std::vector<LDAPEntry> searchResult;
+ while (LDAPEntry *e = sr->getNext())
+ {
+ searchResult.push_back(LDAPEntry(*e));
+ }
+ OlcModuleListEntry moduleListEntry;
+ std::string moduleLoadPath = getOlcModuleLoadPath();
+ if (moduleLoadPath != "")
+ {
+ // Modify olcModuleLoadPath to load DB drivers and syncprov.so
+ for (std::vector<LDAPEntry>::iterator it = searchResult.begin(); it < searchResult.end(); it++)
+ {
+ if ((*it).getDN() == OlcModuleListEntry::DN)
+ {
+ moduleListEntry = OlcModuleListEntry(*it);
+ it = searchResult.erase(it);
+ }
+ }
+ moduleListEntry.addEssentialModules();
+ moduleListEntry.setLoadPath(moduleLoadPath);
+ }
+ // Convert LDAP entries into one LDIF string
 std::ostringstream ldifStream;
- LdifWriter ldif(ldifStream);
- while ( LDAPEntry *e = sr->getNext() )
+ LdifWriter entryToLdif(ldifStream);
+ for (std::vector<LDAPEntry>::iterator it = searchResult.begin(); it < searchResult.end(); it++)
 {
- ldif.writeRecord( *e );
+ // Place OlcModuleList above config database, per OpenLDAP convention.
+ if (moduleLoadPath != "" && (*it).getDN() == "olcDatabase={0}config,cn=config")
+ {
+ ldifStream << std::endl << moduleListEntry.toLdif() << std::endl;
+ }
+ entryToLdif.writeRecord(*it);
 }
 return YCPString( ldifStream.str() );
 } catch ( LDAPException e ) {
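Review bot: In the loop that pulls the module-list entry out of `searchResult`, `it = searchResult.erase(it);` is followed by the loop's own `it++`, so the element after the erased one is skipped and, if the erased entry was the last one, `it` is incremented past `end()` before the `<` test. Since at most one entry carries OlcModuleListEntry::DN, stop right there: `it = searchResult.erase(it); break;`. `sr` and each `LDAPEntry *e` from `sr->getNext()` are still never freed; the old code had the same pattern, but now every entry is copied into the vector immediately, so deleting `e` after the `push_back` (if getNext() hands over ownership, as in ldapcpplib) would be cheap to add. If no entry with DN `olcDatabase={0}config,cn=config` is in the result, the module entry is silently dropped from the dump; a `y2warning` after the output loop would make that visible.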
@@ -2147,33 +2227,45 @@
 YCPString SlapdConfigAgent::ConfigToLdif() const
 {
 y2milestone("ConfigToLdif");
- std::ostringstream ldif;
+ std::ostringstream allLdif, globalLdif, moduleLdif, dbLdif;
 if ( ! globals )
 {
 throw std::runtime_error("Configuration not initialized. Can't create LDIF dump." );
 }
- ldif << globals->toLdif() << std::endl;
+ // Global LDIF consists of daemon/authorization settings and schema definitions
+ globalLdif << globals->toLdif() << std::endl;
 if ( schemaBase )
 {
- ldif << schemaBase->toLdif() << std::endl;
+ globalLdif << schemaBase->toLdif() << std::endl;
 OlcSchemaList::const_iterator j;
 for ( j = schema.begin(); j != schema.end() ; j++ )
 {
- ldif << (*j)->toLdif() << std::endl;
+ globalLdif << (*j)->toLdif() << std::endl;
 }
 }
- OlcDatabaseList::const_iterator i = databases.begin();
+ // Database LDIF consits of database type and index configuration
+ OlcDatabaseList::const_iterator i = databases.cbegin();
 for ( ; i != databases.end(); i++ )
 {
- ldif << (*i)->toLdif() << std::endl;
+ dbLdif << (*i)->toLdif() << std::endl;
 OlcOverlayList overlays = (*i)->getOverlays();
 OlcOverlayList::iterator k;
 for ( k = overlays.begin(); k != overlays.end(); k++ )
 {
- ldif << (*k)->toLdif() << std::endl;
+ dbLdif << (*k)->toLdif() << std::endl;
 }
 }
- return YCPString(ldif.str());
+ // Module LDIF loads database drivers in case they are not built into slapd executable
+ std::string moduleLoadPath = getOlcModuleLoadPath();
+ if (moduleLoadPath != "")
+ {
+ OlcModuleListEntry moduleEntry;
+ moduleEntry.setLoadPath(moduleLoadPath);
+ moduleEntry.addEssentialModules();
+ moduleLdif << moduleEntry.toLdif();
+ }
+ allLdif << globalLdif.str() << std::endl << moduleLdif.str() << std::endl << dbLdif.str() << std::endl;
+ return YCPString(allLdif.str());
 }
 
 static void initLdapParameters( const YCPValue &arg, std::string &targetUrl,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore'
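Review bot: The comment `// Database LDIF consits of database type and index configuration` has a typo; it should read `consists`. When the load path is empty the final `allLdif << globalLdif.str() << std::endl << moduleLdif.str() << std::endl << dbLdif.str()` still emits the separator around an empty `moduleLdif`, so non-Tumbleweed dumps gain two consecutive blank lines compared with the previous layout; appending `moduleLdif.str() << std::endl` only inside the `if` keeps their output unchanged. `moduleLoadPath != ""` reads more directly as `!moduleLoadPath.empty()`. `databases.cbegin()` is compared against `databases.end()`; inside this const member both are const_iterators so it compiles, but one spelling for both ends is clearer.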
old/yast2-auth-server-3.1.15/agent/SlapdConfigAgent.h new/yast2-auth-server-3.1.16/agent/SlapdConfigAgent.h
--- old/yast2-auth-server-3.1.15/agent/SlapdConfigAgent.h 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/agent/SlapdConfigAgent.h 2016-04-12 09:53:24.000000000 +0200
@@ -89,6 +89,7 @@
 std::list<std::string> deleteableSchema;
 boost::shared_ptr<OlcGlobalConfig> globals;
 boost::shared_ptr<OlcSchemaConfig> schemaBase;
+ static const std::string getOlcModuleLoadPath();
 };
 #endif /* _SlapdConfigAgent_h */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/lib/slapd-config.cpp new/yast2-auth-server-3.1.16/lib/slapd-config.cpp
--- old/yast2-auth-server-3.1.15/lib/slapd-config.cpp 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/lib/slapd-config.cpp 2016-04-12 09:53:24.000000000 +0200
@@ -140,6 +140,23 @@
 }
 }
 
+// Return the LDAP entry with index number stripped.
+std::string OlcConfigEntry::stripIndexFromLdapValue(const std::string& ldapValue)
+{
+ size_t closingBracket = ldapValue.find_last_of('}');
+ if (closingBracket == std::string::npos)
+ {
+ // The value does not contain index, return as-is.
+ return ldapValue;
+ }
+ else
+ {
+ // The value looks like {1234}mydb
+ // Strip index number from value
+ return ldapValue.substr(closingBracket + 1);
+ }
+}
+
 void OlcConfigEntry::setIndex( int index, bool origEntry )
 {
 this->entryIndex = index;
@@ -1651,6 +1668,15 @@
 return false;
 }
 
+/*
+ * Return the type (frontent, config, hdb, bdb, mdb) of this database.
+ */
+std::string OlcDatabase::getDatabaseType()
+{
+ std::string attr = getStringValue("olcDatabase");
+ return stripIndexFromLdapValue(attr);
+}
+
 OlcDatabase* OlcDatabase::createFromLdapEntry( const LDAPEntry& e)
 {
 if ( OlcDatabase::isBdbDatabase( e ) )
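Review bot: stripIndexFromLdapValue() uses `find_last_of('}')` and never checks that the value starts with `{`, so any value that merely contains a brace later on — a path-like olcDatabase or olcModuleLoad value without an index prefix — is truncated after its last brace. OpenLDAP's ordering prefix is always a leading `{n}`, so `if (ldapValue.empty() || ldapValue[0] != '{') return ldapValue;` followed by `size_t closingBracket = ldapValue.find('}');` (keeping the existing npos check) expresses the intent and leaves every other value untouched. In the getDatabaseType() hunk the comment reads `frontent`; it should be `frontend`, and the method could be `const` if getStringValue() is. In the SlapdConfigAgent.h hunk, `static const std::string getOlcModuleLoadPath();` returns a top-level-const value, which only stops callers from moving the result; `static std::string` suffices.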
@@ -2429,6 +2455,22 @@
 return res;
 }
 
+OlcModuleListEntry OlcConfig::getModuleListEntry()
+{
+ if ( ! m_lc )
+ {
+ throw std::runtime_error("LDAP Connection not initialized");
+ }
+ try {
+ LDAPSearchResults *sr = m_lc->search("cn=config", LDAPConnection::SEARCH_ONE, "objectclass=" + OlcModuleListEntry::OBJECT_CLASS);
+ LDAPEntry *moduleList = sr->getNext();
+ return moduleList ? OlcModuleListEntry(*moduleList) : OlcModuleListEntry();
+ } catch (LDAPException e) {
+ log_it(SLAPD_LOG_INFO, e.getResultMsg() + " " + e.getServerMsg() );
+ throw;
+ }
+}
+
 OlcSchemaList OlcConfig::getSchemaNames()
 {
 OlcSchemaList res;
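Review bot: getModuleListEntry() never deletes the `LDAPSearchResults *sr` returned by `m_lc->search()` nor the `LDAPEntry *moduleList` returned by `sr->getNext()`; if these follow the ldapcpplib convention of handing back caller-owned heap objects, every call leaks both, including on the early `return`. A scoped owner fixes that without touching the rest of the body — the project's headers already use boost::shared_ptr, so `boost::shared_ptr<LDAPSearchResults> sr(m_lc->search("cn=config", LDAPConnection::SEARCH_ONE, "objectclass=" + OlcModuleListEntry::OBJECT_CLASS));` and `boost::shared_ptr<LDAPEntry> moduleList(sr->getNext());` would do. `catch (LDAPException e)` copies the exception by value; `catch (const LDAPException& e)` is the usual form, though the existing handlers in this file use the same pattern so this is consistency rather than a defect.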
@@ -2468,3 +2510,44 @@
 SlapdConfigLogCallback *OlcConfig::logCallback = defaultLogCallback;
+const std::string OlcModuleListEntry::DN = "cn=module{0},cn=config";
+const std::string OlcModuleListEntry::CN = "module{0}";
+const std::string OlcModuleListEntry::OBJECT_CLASS = "olcModuleList";
+
+OlcModuleListEntry::OlcModuleListEntry()
+{
+ // olcModuleLoad entry has predefined CN
+ m_dbEntryChanged.setDN(DN);
+ m_dbEntryChanged.addAttribute(LDAPAttribute("objectClass", OBJECT_CLASS));
+ m_dbEntryChanged.addAttribute(LDAPAttribute("cn", CN));
+}
+
+// Set the search path for modules.
+void OlcModuleListEntry::setLoadPath(const std::string& absPath)
+{
+ setStringValue("olcModulePath", absPath);
+}
+
+// Add an olcModuleLoad entry. Will not repeat an entry if it already exists.
+void OlcModuleListEntry::addLoadModule(const std::string& moduleFileName)
+{
+ // Avoid adding a module if the file name is already present
+ StringList alreadyLoaded = getStringValues("olcModuleLoad");
+ for (StringList::const_iterator fileName = alreadyLoaded.begin(); fileName != alreadyLoaded.end(); fileName++)
+ {
+ if (stripIndexFromLdapValue(*fileName) == moduleFileName)
+ {
+ return;
+ }
+ }
+ addStringValue("olcModuleLoad", moduleFileName);
+}
+
+// Add hdb, mdb, bdb, and synproc into module list (for Tumbleweed since January 2016).
+void OlcModuleListEntry::addEssentialModules()
+{
+ addLoadModule("back_bdb.so");
+ addLoadModule("back_mdb.so");
+ addLoadModule("back_hdb.so");
+ addLoadModule("syncprov.so");
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/lib/slapd-config.h new/yast2-auth-server-3.1.16/lib/slapd-config.h
--- old/yast2-auth-server-3.1.15/lib/slapd-config.h 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/lib/slapd-config.h 2016-04-12 09:53:24.000000000 +0200
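Review bot: The comment above addEssentialModules() says `synproc`; the module is `syncprov`, matching the `syncprov.so` argument below it. In addLoadModule() the duplicate check compares the index-stripped existing value with the exact file name, so an already configured `olcModuleLoad: back_mdb` or `back_mdb.la` — spellings OpenLDAP also accepts for the same module — would not be recognised and the module would be listed a second time; if such values can exist on upgraded systems, compare on the base name without extension instead. Minor: `++fileName` rather than `fileName++` on the const_iterator. The default constructor populates only `m_dbEntryChanged`, leaving `m_dbEntry` empty; a comment stating that a default-constructed entry therefore represents an entry to be added, e.g. `// A default-constructed entry has no original (m_dbEntry); it represents a new cn=module{0} entry.`, would help whoever maintains updateEntry().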
@@ -38,6 +38,7 @@
 static bool isScheamEntry( const LDAPEntry& le);
 static bool isOverlayEntry( const LDAPEntry& le);
 static bool isGlobalEntry( const LDAPEntry& le);
+ static std::string stripIndexFromLdapValue(const std::string& ldapValue);
 inline OlcConfigEntry() : m_dbEntry(), m_dbEntryChanged() {}
 inline OlcConfigEntry(const LDAPEntry& le) : m_dbEntry(le), m_dbEntryChanged(le) {}
@@ -96,6 +97,18 @@
 static const std::list<std::string> orderedAttrs;
 };
+// OpenLDAP's mechanism to implement dynamic module loading, useful for loading LDAP database drivers.
+class OlcModuleListEntry: public OlcConfigEntry
+{
+public:
+ static const std::string DN, CN, OBJECT_CLASS;
+ OlcModuleListEntry();
+ OlcModuleListEntry(const LDAPEntry& le): OlcConfigEntry(le) {};
+ void setLoadPath(const std::string& absPath);
+ void addEssentialModules();
+ void addLoadModule(const std::string& moduleFileName);
+};
+
 enum IndexType {
 Default,
 Present,
@@ -398,6 +411,7 @@
 void addOverlay(boost::shared_ptr<OlcOverlay> overlay);
 OlcOverlayList& getOverlays() ;
+ std::string getDatabaseType();
 protected:
 virtual void resetMemberAttrs();
@@ -526,6 +540,7 @@
 boost::shared_ptr<OlcGlobalConfig> getGlobals();
 OlcDatabaseList getDatabases();
 OlcSchemaList getSchemaNames();
+ OlcModuleListEntry getModuleListEntry();
 void setGlobals( OlcGlobalConfig &olcg);
 void updateEntry( OlcConfigEntry &oce );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/package/yast2-auth-server.changes new/yast2-auth-server-3.1.16/package/yast2-auth-server.changes
--- old/yast2-auth-server-3.1.15/package/yast2-auth-server.changes 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/package/yast2-auth-server.changes 2016-04-12 09:53:24.000000000 +0200
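Review bot: `OlcModuleListEntry(const LDAPEntry& le): OlcConfigEntry(le) {};` in the OlcModuleListEntry hunk is an implicit single-argument constructor, so any LDAPEntry silently converts to a module-list entry wherever one is expected; mark it `explicit OlcModuleListEntry(const LDAPEntry& le): OlcConfigEntry(le) {}` and drop the stray `;` after the body. The three constants deserve a line of their own, e.g. `// Fixed identity of the single cn=module{0},cn=config entry this class manages.` above `static const std::string DN, CN, OBJECT_CLASS;`. The other hunks only add declarations; `getDatabaseType()` could be declared `const` if the underlying getStringValue() allows it.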
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Fri Apr 8 12:12:45 UTC 2016 - hguo@suse.com
+
+- The recent OpenLDAP upgrade in Tumbleweed no longer loads DB
+ drivers and essential modules by default, hence adapting to that
+ by explicitly loading them. Bump version to 3.1.16.
+ Address bsc#959760 bsc#964924.
+
+-------------------------------------------------------------------
 Tue Jun 30 05:46:47 UTC 2015 - mfilka@suse.com
 
 - bnc#923990
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/package/yast2-auth-server.spec new/yast2-auth-server-3.1.16/package/yast2-auth-server.spec
--- old/yast2-auth-server-3.1.15/package/yast2-auth-server.spec 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/package/yast2-auth-server.spec 2016-04-12 09:53:24.000000000 +0200
@@ -17,7 +17,7 @@
 Name: yast2-auth-server
-Version: 3.1.15
+Version: 3.1.16
 Release: 0
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/src/modules/AuthServer.pm new/yast2-auth-server-3.1.16/src/modules/AuthServer.pm
--- old/yast2-auth-server-3.1.15/src/modules/AuthServer.pm 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/src/modules/AuthServer.pm 2016-04-12 09:53:24.000000000 +0200
@@ -1909,7 +1909,7 @@
 Progress->set($progress_orig);
 Progress->NextStage();
- if( ! SCR->Execute('.ldapserver.commitChanges' ) )
+ if( ! SCR->Execute('.ldapserver.commitChanges') )
 {
 my $err = SCR->Error(".ldapserver");
 y2error($err->{'summary'}." ".$err->{'description'});
@@ -2089,7 +2089,7 @@
 $defaultIndexes = $defIdxBak;
 $defaultDbAcls = $defAclBak;
- my $ldif = SCR->Read('.ldapserver.configAsLdif' );
+ my $ldif = SCR->Read('.ldapserver.configAsLdif');
 y2debug($ldif);
 return 1;
 }
@@ -3863,7 +3863,7 @@
 SCR->Write(".ldapserver.database.{".$i."}.mirrormode", YaST::YCP::Boolean(0) );
 }
 }
- SCR->Execute(".ldapserver.commitChanges" );
+ SCR->Execute(".ldapserver.commitChanges");
 return YaST::YCP::Boolean(1);
 }
@@ -4707,8 +4707,8 @@
 }
 }
 y2milestone("Updating remote configuration");
- SCR->Execute(".ldapserver.commitChanges" );
- $masterldif = SCR->Execute(".ldapserver.dumpConfDb" );
+ SCR->Execute(".ldapserver.commitChanges");
+ $masterldif = SCR->Execute(".ldapserver.dumpConfDb");
 SCR->Execute(".ldapserver.reset" );
 $globals_initialized = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/src/modules/LdapDatabase.rb new/yast2-auth-server-3.1.16/src/modules/LdapDatabase.rb
--- old/yast2-auth-server-3.1.15/src/modules/LdapDatabase.rb 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/src/modules/LdapDatabase.rb 2016-04-12 09:53:24.000000000 +0200
@@ -615,12 +615,6 @@
 if Ops.greater_than(Builtins.size(ppolicy), 0)
 ppolicyEntry = Ops.get_map(ppolicy, "ppolicy", {})
 elsif Ops.greater_than(dbindex, 0) # try to read the ppolicy from the server
- Ldap.Import(
- {
- "ldap_server" => "localhost",
- "bind_dn" => Ops.get_string(db, "rootdn", "")
- }
- )
 Ldap.LDAPInit
 pw = ""
 authinfo = AuthServer.ReadAuthInfo(Ops.get_string(db, "suffix", ""))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-3.1.15/tools/ldap-server-ssl-check.cpp new/yast2-auth-server-3.1.16/tools/ldap-server-ssl-check.cpp
--- old/yast2-auth-server-3.1.15/tools/ldap-server-ssl-check.cpp 2015-07-24 11:06:22.000000000 +0200
+++ new/yast2-auth-server-3.1.16/tools/ldap-server-ssl-check.cpp 2016-04-12 09:53:24.000000000 +0200
@@ -2,23 +2,31 @@
 #include <stdlib.h>
 int main(int argc, char** argv) {
- if ( argc != 3 )
- {
- std::cerr << "usage: " << argv[0] << " <ldap-uri> <path-to-ca-cert>" << std::endl;
- exit(-1);
- }
- std::string uri(argv[1]);
- setenv("LDAPTLS_REQCERT", "hard", 1);
- setenv("LDAPTLS_CACERT", argv[2], 1);
- try
- {
- LDAPConnection lc( uri );
- lc.start_tls();
- }
- catch ( LDAPException e )
- {
- std::cerr << e << std::endl;
- exit(-1);
- }
- exit(0);
+ if ( argc != 3 )
+ {
+ std::cerr << "usage: " << argv[0] << " <ldap-uri> <path-to-ca-cert>" << std::endl;
+ exit(-1);
+ }
+ std::string uri(argv[1]);
+ setenv("LDAPTLS_REQCERT", "hard", 1);
+ setenv("LDAPTLS_CACERT", argv[2], 1);
+ try
+ {
+ LDAPConnection lc( uri );
+ try {
+ lc.bind();
+ exit(0);
+ } catch (LDAPException e) {
+ if (e.getResultCode() == 49) {
+ exit(0);
+ }
+ }
+ lc.start_tls();
+ }
+ catch ( LDAPException e )
+ {
+ std::cerr << e << std::endl;
+ exit(-1);
+ }
+ exit(0);
 }
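Review bot: The new `lc.bind()` probe runs before `lc.start_tls()`, so for a plain `ldap://` URI the anonymous bind is sent in clear text, succeeds (or fails with result 49, invalid credentials), and the program exits 0 without ever negotiating TLS — the certificate verification this tool exists for is skipped and a broken CA setup is reported as good. The early exit is only meaningful for `ldaps://`, where the bind itself forces the handshake under `LDAPTLS_REQCERT=hard`. Negotiate STARTTLS first for non-ldaps URIs and then bind once, treating result 49 as success; that also replaces the bare `49` with a comment (or with `LDAP_INVALID_CREDENTIALS` from `<ldap.h>`, if that header is reachable in this tool). `catch (LDAPException e)` by value is carried over from the old code; `const LDAPException&` would be the usual form.
```cpp
        LDAPConnection lc( uri );
        // For a plain ldap:// URI the bind alone would run in clear text and
        // prove nothing about the certificate, so negotiate STARTTLS first.
        if ( uri.compare(0, 8, "ldaps://") != 0 )
        {
            lc.start_tls();
        }
        try {
            lc.bind();
        } catch ( LDAPException e ) {
            // 49 == LDAP_INVALID_CREDENTIALS: the handshake (and thus the CA
            // check) succeeded and only the anonymous bind was refused.
            if ( e.getResultCode() != 49 )
            {
                throw;
            }
        }
    }
    // … unchanged: catch ( LDAPException e ) reporting, exit(-1), final exit(0) …
```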