author | V3n3RiX <venerix@redcorelinux.org> | 2017-12-18 15:11:02 +0000 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2017-12-18 15:11:02 +0000 |
commit | 0fb71e0215ed52863e462cccef73c01aff44d43d (patch) | |
tree | 428fc3fa92f9c69ed02878e9b6151a9fb810e651 /sys-auth/nss_ldap/files | |
parent | 9bd54251864651f49e673a08aec9ef79cfe08f04 (diff) |
gentoo resync : 18.12.2017
Diffstat (limited to 'sys-auth/nss_ldap/files')
3 files changed, 0 insertions, 333 deletions
diff --git a/sys-auth/nss_ldap/files/nss_ldap-239-tls-security-bug.patch b/sys-auth/nss_ldap/files/nss_ldap-239-tls-security-bug.patch
deleted file mode 100644
index 1dbd8dc889a1..000000000000
--- a/sys-auth/nss_ldap/files/nss_ldap-239-tls-security-bug.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- ldap-nss.c 2004-09-28 03:20:11.000000000 +0100
-+++ ldap-nss.c.new 2005-07-04 01:32:12.000000000 +0100
-@@ -330,6 +330,39 @@
-
- timelimit = __session.ls_config->ldc_bind_timelimit;
-
-+#ifdef HAVE_LDAP_START_TLS_S
-+ if (__session.ls_config->ldc_ssl_on == SSL_START_TLS)
-+ {
-+ int version;
-+
-+ if (ldap_get_option
-+ (__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION,
-+ &version) == LDAP_OPT_SUCCESS)
-+ {
-+ if (version < LDAP_VERSION3)
-+ {
-+ version = LDAP_VERSION3;
-+ ldap_set_option (__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION,
-+ &version);
-+ }
-+ }
-+
-+ debug ("==> start_tls");
-+ if (ldap_start_tls_s (__session.ls_conn, NULL, NULL) == LDAP_SUCCESS)
-+ {
-+ debug ("TLS startup succeeded");
-+ }
-+ else
-+ {
-+ debug ("TLS startup failed");
-+ do_close ();
-+ debug ("<== do_open");
-+ return NSS_UNAVAIL;
-+ }
-+ debug ("<== start_tls");
-+ }
-+#endif /* HAVE_LDAP_START_TLS_S */
-+
- return do_bind (ld, timelimit, who, cred, with_sasl);
- }
- #else
diff --git a/sys-auth/nss_ldap/files/nss_ldap-252-reconnect-timeouts.patch b/sys-auth/nss_ldap/files/nss_ldap-252-reconnect-timeouts.patch
deleted file mode 100644
index 285a34e3df4b..000000000000
--- a/sys-auth/nss_ldap/files/nss_ldap-252-reconnect-timeouts.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-This patch changes the default timeouts, so that they are much lower, and do
-not cause major delays when booting a system. This is a workaround until the
-core /etc/{passwd,group} contain all of the data needed for a system boot.
-
-Also add a note that 'ssl on' is broken and TLS should be used instead.
-
-Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-
-diff -Nuar --exclude '*~' nss_ldap-250.orig/ldap-nss.h nss_ldap-250/ldap-nss.h
---- nss_ldap-250.orig/ldap-nss.h 2006-04-26 18:19:00.000000000 -0700
-+++ nss_ldap-250/ldap-nss.h 2006-06-14 01:58:01.933005492 -0700
-@@ -96,9 +96,9 @@
- * unacceptable, in which case you may wish to adjust
- * the constants below.
- */
--#define LDAP_NSS_TRIES 5 /* number of sleeping reconnect attempts */
--#define LDAP_NSS_SLEEPTIME 4 /* seconds to sleep; doubled until max */
--#define LDAP_NSS_MAXSLEEPTIME 64 /* maximum seconds to sleep */
-+#define LDAP_NSS_TRIES 4 /* number of sleeping reconnect attempts */
-+#define LDAP_NSS_SLEEPTIME 1 /* seconds to sleep; doubled until max */
-+#define LDAP_NSS_MAXSLEEPTIME 16 /* maximum seconds to sleep */
- #define LDAP_NSS_MAXCONNTRIES 2 /* reconnect attempts before sleeping */
-
- #if defined(HAVE_NSSWITCH_H) || defined(HAVE_IRS_H)
-diff -Nuar --exclude '*~' nss_ldap-250.orig/ldap.conf nss_ldap-250/ldap.conf
---- nss_ldap-250.orig/ldap.conf 2006-04-26 18:19:00.000000000 -0700
-+++ nss_ldap-250/ldap.conf 2006-06-14 02:12:02.008444745 -0700
-@@ -283,7 +283,8 @@
- # OpenLDAP SSL mechanism
- # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
- #ssl start_tls
--#ssl on
-+###ssl on
-+# Gentoo note: Don't use 'ssl on' in 249/250. They are broken in some cases! Use start_tls instead.
-
- # OpenLDAP SSL options
- # Require and verify server certificate (yes/no)
-@@ -315,3 +316,27 @@
- # Override the default Kerberos ticket cache location.
- #krb5_ccname FILE:/etc/.ldapcache
-
-+# Timeout behavior
-+# Upstream nss_ldap hard-codes these values:
-+#nss_reconnect_tries 5 # number of times to double the sleep time
-+#nss_reconnect_sleeptime 4 # initial sleep value
-+#nss_reconnect_maxsleeptime 64 # max sleep value to cap at
-+#nss_reconnect_maxconntries 2 # how many tries before sleeping
-+# This leads to a delay of 124 seconds (4+8+16+32+64=124) per lookup if the
-+# server is not available.
-+
-+# For Gentoo's distribution of nss_ldap, as of 250-r1, we use these values
-+# (The hardwired constants in the code are changed to them as well):
-+nss_reconnect_tries 4 # number of times to double the sleep time
-+nss_reconnect_sleeptime 1 # initial sleep value
-+nss_reconnect_maxsleeptime 16 # max sleep value to cap at
-+nss_reconnect_maxconntries 2 # how many tries before sleeping
-+# This leads to a delay of 15 seconds (1+2+4+8=15)
-+
-+# If you are impatient, and know your LDAP server is reliable, fast or local,
-+# you may wish to use these values instead:
-+#nss_reconnect_tries 1 # number of times to double the sleep time
-+#nss_reconnect_sleeptime 1 # initial sleep value
-+#nss_reconnect_maxsleeptime 1 # max sleep value to cap at
-+#nss_reconnect_maxconntries 3 # how many tries before sleeping
-+# This leads to a delay of 1 second.
diff --git a/sys-auth/nss_ldap/files/nss_ldap-254-nss_getgrent_skipmembers.patch b/sys-auth/nss_ldap/files/nss_ldap-254-nss_getgrent_skipmembers.patch
deleted file mode 100644
index 68809bcf1b1b..000000000000
--- a/sys-auth/nss_ldap/files/nss_ldap-254-nss_getgrent_skipmembers.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-diff -c -r nss_ldap-250/ChangeLog nss_ldap-250.1/ChangeLog
-*** nss_ldap-250/ChangeLog Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/ChangeLog Wed Aug 16 16:58:57 2006
-***************
-*** 1,6 ****
---- 1,13 ----
- $Id$
- ===============================================================
-
-+ 250.1 Paul B. Henson <henson@acm.org>
-+
-+ * add nss_getgrent_skipmembers parameter to ldap.conf,
-+ if enabled will not request member attributes for
-+ group lookups, greatly increasing performance in the
-+ face of large groups
-+
- 250 Luke Howard <lukeh@padl.com>
-
- * don't use static _nss_ldap_no_members buffer,
-diff -c -r nss_ldap-250/ldap-nss.c nss_ldap-250.1/ldap-nss.c
-*** nss_ldap-250/ldap-nss.c Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/ldap-nss.c Wed Aug 16 16:51:49 2006
-***************
-*** 1258,1264 ****
-
- cfg = __config;
-
-! _nss_ldap_init_attributes (cfg->ldc_attrtab);
- _nss_ldap_init_filters ();
-
- #ifdef HAVE_LDAP_SET_OPTION
---- 1258,1264 ----
-
- cfg = __config;
-
-! _nss_ldap_init_attributes (cfg->ldc_attrtab, cfg->ldc_getgrent_skipmembers);
- _nss_ldap_init_filters ();
-
- #ifdef HAVE_LDAP_SET_OPTION
-diff -c -r nss_ldap-250/ldap-nss.h nss_ldap-250.1/ldap-nss.h
-*** nss_ldap-250/ldap-nss.h Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/ldap-nss.h Wed Aug 16 16:51:59 2006
-***************
-*** 390,395 ****
---- 390,396 ----
- time_t ldc_mtime;
-
- char **ldc_initgroups_ignoreusers;
-+ int ldc_getgrent_skipmembers;
- };
-
- typedef struct ldap_config ldap_config_t;
-diff -c -r nss_ldap-250/ldap-schema.c nss_ldap-250.1/ldap-schema.c
-*** nss_ldap-250/ldap-schema.c Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/ldap-schema.c Wed Aug 16 16:54:52 2006
-***************
-*** 273,279 ****
-
- static void init_pwd_attributes (const char ***pwd_attrs);
- static void init_sp_attributes (const char ***sp_attrs);
-! static void init_grp_attributes (const char ***grp_attrs);
- static void init_hosts_attributes (const char ***hosts_attrs);
- static void init_services_attributes (const char ***services_attrs);
- static void init_network_attributes (const char ***network_attrs);
---- 273,279 ----
-
- static void init_pwd_attributes (const char ***pwd_attrs);
- static void init_sp_attributes (const char ***sp_attrs);
-! static void init_grp_attributes (const char ***grp_attrs, int ldc_getgrent_skipmembers);
- static void init_hosts_attributes (const char ***hosts_attrs);
- static void init_services_attributes (const char ***services_attrs);
- static void init_network_attributes (const char ***network_attrs);
-***************
-*** 289,299 ****
- * attribute table initialization routines
- */
- void
-! _nss_ldap_init_attributes (const char ***attrtab)
- {
- init_pwd_attributes (&attrtab[LM_PASSWD]);
- init_sp_attributes (&attrtab[LM_SHADOW]);
-! init_grp_attributes (&attrtab[LM_GROUP]);
- init_hosts_attributes (&attrtab[LM_HOSTS]);
- init_services_attributes (&attrtab[LM_SERVICES]);
- init_network_attributes (&attrtab[LM_NETWORKS]);
---- 289,299 ----
- * attribute table initialization routines
- */
- void
-! _nss_ldap_init_attributes (const char ***attrtab, int ldc_getgrent_skipmembers)
- {
- init_pwd_attributes (&attrtab[LM_PASSWD]);
- init_sp_attributes (&attrtab[LM_SHADOW]);
-! init_grp_attributes (&attrtab[LM_GROUP], ldc_getgrent_skipmembers);
- init_hosts_attributes (&attrtab[LM_HOSTS]);
- init_services_attributes (&attrtab[LM_SERVICES]);
- init_network_attributes (&attrtab[LM_NETWORKS]);
-***************
-*** 357,363 ****
- }
-
- static void
-! init_grp_attributes (const char ***grp_attrs)
- {
- int i = 0;
- static const char *__grp_attrs[ATTRTAB_SIZE + 1];
---- 357,363 ----
- }
-
- static void
-! init_grp_attributes (const char ***grp_attrs, int ldc_getgrent_skipmembers)
- {
- int i = 0;
- static const char *__grp_attrs[ATTRTAB_SIZE + 1];
-***************
-*** 366,374 ****
-
- (*grp_attrs)[i++] = (char *) ATM (LM_GROUP, cn);
- (*grp_attrs)[i++] = (char *) ATM (LM_GROUP, userPassword);
-! (*grp_attrs)[i++] = (char *) AT (memberUid);
-! if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_RFC2307BIS))
-! (*grp_attrs)[i++] = (char *) AT (uniqueMember);
- (*grp_attrs)[i++] = (char *) ATM (LM_GROUP, gidNumber);
- (*grp_attrs)[i] = NULL;
- }
---- 366,377 ----
-
- (*grp_attrs)[i++] = (char *) ATM (LM_GROUP, cn);
- (*grp_attrs)[i++] = (char *) ATM (LM_GROUP, userPassword);
-! if (!ldc_getgrent_skipmembers)
-! {
-! (*grp_attrs)[i++] = (char *) AT (memberUid);
-! if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_RFC2307BIS))
-! (*grp_attrs)[i++] = (char *) AT (uniqueMember);
-! }
- (*grp_attrs)[i++] = (char *) ATM (LM_GROUP, gidNumber);
- (*grp_attrs)[i] = NULL;
- }
-diff -c -r nss_ldap-250/ldap-schema.h nss_ldap-250.1/ldap-schema.h
-*** nss_ldap-250/ldap-schema.h Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/ldap-schema.h Wed Aug 16 16:54:07 2006
-***************
-*** 30,36 ****
- * function to initialize global lookup filters.
- */
- void _nss_ldap_init_filters ();
-! void _nss_ldap_init_attributes (const char ***attrtab);
-
- /**
- * make filters formerly declared in ldap-*.h globally available.
---- 30,36 ----
- * function to initialize global lookup filters.
- */
- void _nss_ldap_init_filters ();
-! void _nss_ldap_init_attributes (const char ***attrtab, int ldc_getgrent_skipmembers);
-
- /**
- * make filters formerly declared in ldap-*.h globally available.
-diff -c -r nss_ldap-250/nss_ldap.5 nss_ldap-250.1/nss_ldap.5
-*** nss_ldap-250/nss_ldap.5 Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/nss_ldap.5 Wed Aug 16 17:07:19 2006
-***************
-*** 445,450 ****
---- 445,458 ----
- to return NSS_STATUS_NOTFOUND if called with a listed users as
- its argument.
- .TP
-+ .B nss_getgrent_skipmembers <yes|no>
-+ Specifies whether or not to populate the members list in
-+ the group structure for group lookups. If very large groups
-+ are present, enabling this option will greatly increase
-+ perforance, at the cost of some lost functionality. You should
-+ verify no local applications rely on this information before
-+ enabling this on a production system.
-+ .TP
- .B nss_srv_domain <domain>
- This option determines the DNS domain used for performing SRV
- lookups.
-diff -c -r nss_ldap-250/util.c nss_ldap-250.1/util.c
-*** nss_ldap-250/util.c Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/util.c Wed Aug 16 16:52:55 2006
-***************
-*** 660,665 ****
---- 660,666 ----
- result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
- result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
- result->ldc_initgroups_ignoreusers = NULL;
-+ result->ldc_getgrent_skipmembers = 0;
-
- for (i = 0; i <= LM_NONE; i++)
- {
-***************
-*** 1137,1142 ****
---- 1138,1156 ----
- break;
- }
- }
-+ else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
-+ {
-+ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
-+ || !strcasecmp (v, "true"))
-+ {
-+ result->ldc_getgrent_skipmembers = 1;
-+ }
-+ else if (!strcasecmp (v, "off") || !strcasecmp (v, "no")
-+ || !strcasecmp (v, "false"))
-+ {
-+ result->ldc_getgrent_skipmembers = 0;
-+ }
-+ }
- else if (!strcasecmp (k, NSS_LDAP_KEY_CONNECT_POLICY))
- {
- if (!strcasecmp (v, "oneshot"))
-diff -c -r nss_ldap-250/util.h nss_ldap-250.1/util.h
-*** nss_ldap-250/util.h Wed Apr 26 18:19:00 2006
---- nss_ldap-250.1/util.h Wed Aug 16 16:49:52 2006
-***************
-*** 83,88 ****
---- 83,89 ----
- #define NSS_LDAP_KEY_PAGESIZE "pagesize"
- #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
- #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
-+ #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
-
- /* more reconnect policy fine-tuning */
- #define NSS_LDAP_KEY_RECONNECT_TRIES "nss_reconnect_tries" |