CHANGES

 OpenLDAP 2.4 Change Log
 
+OpenLDAP 2.4.47 Release (2018/12/19)
+	Added slapd-sock DN qualifier for subtrees to be processed (ITS#8051)
+	Added slapd-sock ability to send extended operations to external listeners (ITS#8714)
+	Fixed liblber to avoid incremental access to user-supplied bv in dupbv (ITS#8752)
+	Fixed libldap dn to domain parsing with bad input (ITS#8842)
+	Fixed slapd slapcat to correctly honor -g option (ITS#8667)
+	Fixed slapd to correctly handle NO_SUCH_OBJECT with dynamic groups (ITS#8923)
+	Fixed slapd to check status of rdnNormalize (ITS#8932)
+	Fixed slapd cn=config when modifying slapo-syncprov config (ITS#8616)
+	Fixed slapd sasl authz-policy "all" behavior (ITS#8909)
+	Fixed slapd sasl minor typo (ITS#8918)
+	Fixed slapd to correctly hide hidden DBs in the rootDSE (ITS#8912)
+	Fixed slapd domainScope control to match Microsoft specification (ITS#8840)
+	Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868)
+	Fixed slapo-accesslog deadlock during cleanup (ITS#8752)
+	Fixed slapo-memberof cn=config modifications (ITS#8663)
+	Fixed slapo-ppolicy with multimaster replication (ITS#8927)
+	Fixed slapo-syncprov with NULL modlist (ITS#8843)
+	Build Environment
+		Added slapd reproducible build support (ITS#8928)
+		Fixed missing includes with OpenSSL 1.0.2 (ITS#8809)
+	Contrib
+		Fixed slapo-pbkdf2 hash generation (ITS#8878)
+	Documentation
+		admin24 fixed minor typo (ITS#8887)
+
 OpenLDAP 2.4.46 Release (2018/03/22)
 	Fixed libldap connection delete callbacks when TLS fails to start (ITS#8717)
 	Fixed libldap to not reuse tls_session if TLS hostname check fails (ITS#7373)
@@ -85,6 +111,8 @@ OpenLDAP 2.4.45 Release (2017/06/01)
 		admin24 fixed information about the limits option (ITS#7700)
 		admin24 fixed missing options for syncrepl configuration (ITS#7700)
 		admin24 fixed accesslog documentation to note it should not be replicated (ITS#8344)
+		admin24 fix typos (ITS#8562)
+		admin24 fix replication sections to include back-mdb (ITS#8563)
 		Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS#7177)
 		Fixed ldapsearch(1) information on the V[V] flag behavior (ITS#7177, ITS#6339)
 		Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538)
@@ -785,8 +813,6 @@ OpenLDAP 2.4.26 Release (2011/06/30)
 		admin24 update that cn=config is preferred (ITS#6905)
 		admin24 update information about indexes (ITS#6906)
 		admin24 fix --enable-wrappers option (ITS#6971)
-		admin24 fix typos (ITS#8562)
-		admin24 fix replication sections to include back-mdb (ITS#8563)
 
 OpenLDAP 2.4.25 Release (2011/03/26)
 	Fixed ldapsearch pagedresults loop (ITS#6755)

build/mkversion

@@ -50,7 +50,12 @@ if test $# != 1 ; then
 fi
 
 APPLICATION=$1
-WHOWHERE="$USER@`uname -n`:`pwd`"
+# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings
+if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+   WHOWHERE="openldap"
+else
+   WHOWHERE="$USER@$(uname -n):$(pwd)"
+fi
 
 cat << __EOF__
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.

build/version.var

@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=4
-ol_patch=46
-ol_api_inc=20446
+ol_patch=47
+ol_api_inc=20447
 ol_api_current=12
-ol_api_revision=9
+ol_api_revision=10
 ol_api_age=10
-ol_release_date="2018/03/22"
+ol_release_date="2018/12/19"

contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c

@@ -59,15 +59,14 @@ const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}");
 static int b64_to_ab64(char *str)
 {
 	char *p = str;
-	while(*p++){
+	do {
 		if(*p == '+'){
 			*p = '.';
 		}
 		if(*p == '='){
 			*p = '\0';
-			break;
-		}
 		}
+	} while(*p++);
 	return 0;
 }
 

doc/guide/admin/backends.sdf

@@ -444,7 +444,7 @@ a new Perl object that handles all the requests for that particular instance of
 
 The Shell backend to {{slapd}}(8) executes external programs to implement 
 operations, and is designed to make it easy to tie an existing database to the 
-slapd front-end. This backend is is primarily intended to be used in prototypes.
+slapd front-end. This backend is primarily intended to be used in prototypes.
 
 H3: back-perl/back-shell Configuration
 

doc/guide/admin/guide.html

@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">22 March 2018</ADDRESS>
+<ADDRESS CLASS="doc-modified">19 December 2018</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
@@ -4932,7 +4932,7 @@ Members of a group
 <H2><A NAME="Perl/Shell">11.9. Perl/Shell</A></H2>
 <H3><A NAME="Overview">11.9.1. Overview</A></H3>
 <P>The Perl backend to <EM>slapd</EM>(8) works by embedding a <EM>perl</EM>(1) interpreter into <EM>slapd</EM>(8). Any perl database section of the configuration file <EM>slapd.conf</EM>(5) must then specify what Perl module to use. Slapd then creates a new Perl object that handles all the requests for that particular instance of the backend.</P>
-<P>The Shell backend to <EM>slapd</EM>(8) executes external programs to implement operations, and is designed to make it easy to tie an existing database to the slapd front-end. This backend is is primarily intended to be used in prototypes.</P>
+<P>The Shell backend to <EM>slapd</EM>(8) executes external programs to implement operations, and is designed to make it easy to tie an existing database to the slapd front-end. This backend is primarily intended to be used in prototypes.</P>
 <H3><A NAME="back-perl/back-shell Configuration">11.9.2. back-perl/back-shell Configuration</A></H3>
 <P>LATER</P>
 <H3><A NAME="Further Information">11.9.3. Further Information</A></H3>

doc/man/man5/ldap.conf.5

@@ -85,7 +85,7 @@ For example,
 	# Right - DN syntax needs quoting for Example, Inc:
 	BASE    ou=IT staff,o="Example, Inc",c=US
 	# or:
-	BASE    ou=IT staff,o=Example2C Inc,c=US
+	BASE    ou=IT staff,o=Example\\2C Inc,c=US
 
 	# Wrong - comment on same line as option:
 	DEREF   never           # Never follow aliases

doc/man/man5/slapd-sock.5

@@ -49,7 +49,7 @@ be sent and from which replies are received.
 
 When used as an overlay, these additional directives are defined:
 .TP
-.B sockops	[ bind | unbind | search | compare | modify | modrdn | add | delete ]*
+.B sockops	[ bind | unbind | search | compare | modify | modrdn | add | delete | extended ]*
 Specify which request types to send to the external program. The default is
 empty (no requests are sent).
 .TP
@@ -58,6 +58,11 @@ Specify which response types to send to the external program. "result"
 sends just the results of an operation. "search" sends all entries that
 the database returned for a search request. The default is empty
 (no responses are sent).
+.TP
+.B sockdnpat	<regexp>
+Specify DN patterns for which the overlay will act. Only operations on
+DNs matching the specified regular expression will be processed. The default
+is empty (all DNs are processed).
 
 .SH PROTOCOL
 The protocol is essentially the same as
@@ -110,6 +115,17 @@ dn: <DN>
 .PP
 .RS
 .nf
+EXTENDED
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+oid: <OID>
+value: <base64-value>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
 MODIFY
 msgid: <message id>
 <repeat { "suffix:" <database suffix DN> }>
@@ -208,6 +224,11 @@ msgid: <message id>
 .fi
 .RE
 
+.SH KNOWN LIMITATIONS
+The
+.B sock
+backend does not process extended operation results from an external program.
+
 .SH ACCESS CONTROL
 The
 .B sock
@@ -287,6 +308,11 @@ access to the
 pseudo_attribute of the searchBase;
 .B search (=s)
 access to the attributes and values used in the filter is not checked.
+.LP
+The
+.B extended
+operation does not require any access special rights.
+The external program has to implement any sort of access control.
 
 .SH EXAMPLE
 There is an example script in the slapd/back\-sock/ directory

doc/man/man5/slapo-unique.5

@@ -8,7 +8,7 @@ slapo\-unique \- Attribute Uniqueness overlay to slapd
 ETCDIR/slapd.conf
 .SH DESCRIPTION
 The Attribute Uniqueness overlay can be used with a backend database such as
-.BR slapd\-bdb (5)
+.BR slapd\-mdb (5)
 to enforce the uniqueness of some or all attributes within a
 scope. This subtree defaults to all objects within the subtree of the
 database for which the Uniqueness overlay is configured.

libraries/liblber/memory.c

@@ -482,7 +482,7 @@ struct berval *
 ber_dupbv_x(
 	struct berval *dst, struct berval *src, void *ctx )
 {
-	struct berval *new;
+	struct berval *new, tmp;
 
 	if( src == NULL ) {
 		ber_errno = LBER_ERROR_PARAM;
@@ -490,7 +490,7 @@ ber_dupbv_x(
 	}
 
 	if ( dst ) {
-		new = dst;
+		new = &tmp;
 	} else {
 		if(( new = ber_memalloc_x( sizeof(struct berval), ctx )) == NULL ) {
 			return NULL;
@@ -500,8 +500,7 @@ ber_dupbv_x(
 	if ( src->bv_val == NULL ) {
 		new->bv_val = NULL;
 		new->bv_len = 0;
-		return new;
-	}
+	} else {
 
 		if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
 			if ( !dst )
@@ -512,6 +511,12 @@ ber_dupbv_x(
 		AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
 		new->bv_val[src->bv_len] = '\0';
 		new->bv_len = src->bv_len;
+	}
+
+	if ( dst ) {
+		*dst = *new;
+		new = dst;
+	}
 
 	return new;
 }

libraries/libldap/getdn.c

@@ -27,6 +27,7 @@
 
 #include "ldap-int.h"
 #include "ldap_schema.h"
+#include "ldif.h"
 
 /* extension to UFN that turns trailing "dc=value" rdns in DNS style,
  * e.g. "ou=People,dc=openldap,dc=org" => "People, openldap.org" */
@@ -2478,6 +2479,11 @@ dn2domain( LDAPDN dn, struct berval *bv, int pos, int *iRDN )
 			break;
 		}
 
+		if ( ldif_is_not_printable( ava->la_value.bv_val, ava->la_value.bv_len ) ) {
+			domain = 0;
+			break;
+		}
+
 		domain = 1;
 		
 		if ( first ) {

libraries/libldap/tls_g.c

@@ -358,9 +358,7 @@ tlsg_session_accept( tls_session *session )
 	tlsg_session *s = (tlsg_session *)session;
 	int rc;
 
-	for ( rc = gnutls_handshake ( s->session );
-	      rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN;
-	      rc = gnutls_handshake ( s->session ) );
+	rc = gnutls_handshake( s->session );
 	if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
 		const gnutls_datum_t *peer_cert_list;
 		unsigned int list_size;

libraries/libldap/tls_o.c

@@ -43,6 +43,9 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/safestack.h>
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dh.h>
 #elif defined( HAVE_SSL_H )
 #include <ssl.h>
 #endif

libraries/liblmdb/CHANGES

 LMDB 0.9 Change Log
 
-LMDB 0.9.22 Release (2018-03-22)
+LMDB 0.9.23 Release (2018/12/19)
+	ITS#8756 Fix loose pages in dirty list
+	ITS#8831 Fix mdb_load flag init
+	ITS#8844 Fix mdb_env_close in forked process
+	Documentation
+		ITS#8857 mdb_cursor_del doesn't invalidate cursor
+		ITS#8908 GET_MULTIPLE etc don't change passed in key
+
+LMDB 0.9.22 Release (2018/03/22)
 	Fix MDB_DUPSORT alignment bug (ITS#8819)
 	Fix regression with new db from 0.9.19 (ITS#8760)
 	Fix liblmdb to build on Solaris (ITS#8612)

libraries/liblmdb/lmdb.h

@@ -200,7 +200,7 @@ typedef int mdb_filehandle_t;
 /** Library minor version */
 #define MDB_VERSION_MINOR	9
 /** Library patch version */
-#define MDB_VERSION_PATCH	22
+#define MDB_VERSION_PATCH	23
 
 /** Combine args a,b,c into a single integer for easy version comparisons */
 #define MDB_VERINT(a,b,c)	(((a) << 24) | ((b) << 16) | (c))
@@ -210,7 +210,7 @@ typedef int mdb_filehandle_t;
 	MDB_VERINT(MDB_VERSION_MAJOR,MDB_VERSION_MINOR,MDB_VERSION_PATCH)
 
 /** The release date of this library version */
-#define MDB_VERSION_DATE	"March 21, 2018"
+#define MDB_VERSION_DATE	"December 19, 2018"
 
 /** A stringifier for the version info */
 #define MDB_VERSTR(a,b,c,d)	"LMDB " #a "." #b "." #c ": (" d ")"
@@ -370,7 +370,7 @@ typedef enum MDB_cursor_op {
 	MDB_GET_BOTH,			/**< Position at key/data pair. Only for #MDB_DUPSORT */
 	MDB_GET_BOTH_RANGE,		/**< position at key, nearest data. Only for #MDB_DUPSORT */
 	MDB_GET_CURRENT,		/**< Return key/data at current cursor position */
-	MDB_GET_MULTIPLE,		/**< Return key and up to a page of duplicate data items
+	MDB_GET_MULTIPLE,		/**< Return up to a page of duplicate data items
 								from current cursor position. Move cursor to prepare
 								for #MDB_NEXT_MULTIPLE. Only for #MDB_DUPFIXED */
 	MDB_LAST,				/**< Position at last key/data item */
@@ -379,7 +379,7 @@ typedef enum MDB_cursor_op {
 	MDB_NEXT,				/**< Position at next data item */
 	MDB_NEXT_DUP,			/**< Position at next data item of current key.
 								Only for #MDB_DUPSORT */
-	MDB_NEXT_MULTIPLE,		/**< Return key and up to a page of duplicate data items
+	MDB_NEXT_MULTIPLE,		/**< Return up to a page of duplicate data items
 								from next cursor position. Move cursor to prepare
 								for #MDB_NEXT_MULTIPLE. Only for #MDB_DUPFIXED */
 	MDB_NEXT_NODUP,			/**< Position at first data item of next key */
@@ -390,7 +390,7 @@ typedef enum MDB_cursor_op {
 	MDB_SET,				/**< Position at specified key */
 	MDB_SET_KEY,			/**< Position at specified key, return key + data */
 	MDB_SET_RANGE,			/**< Position at first key greater than or equal to specified key. */
-	MDB_PREV_MULTIPLE		/**< Position at previous page and return key and up to
+	MDB_PREV_MULTIPLE		/**< Position at previous page and return up to
 								a page of duplicate data items. Only for #MDB_DUPFIXED */
 } MDB_cursor_op;
 
@@ -1510,6 +1510,10 @@ int  mdb_cursor_put(MDB_cursor *cursor, MDB_val *key, MDB_val *data,
 	/** @brief Delete current key/data pair
 	 *
 	 * This function deletes the key/data pair to which the cursor refers.
+	 * This does not invalidate the cursor, so operations such as MDB_NEXT
+	 * can still be used on it.
+	 * Both MDB_NEXT and MDB_GET_CURRENT will return the same record after
+	 * this operation.
 	 * @param[in] cursor A cursor handle returned by #mdb_cursor_open()
 	 * @param[in] flags Options for this operation. This parameter
 	 * must be set to 0 or one of the values described here.

libraries/liblmdb/mdb.c

@@ -3094,10 +3094,41 @@ mdb_freelist_save(MDB_txn *txn)
 		 * we may be unable to return them to me_pghead.
 		 */
 		MDB_page *mp = txn->mt_loose_pgs;
+		MDB_ID2 *dl = txn->mt_u.dirty_list;
+		unsigned x;
 		if ((rc = mdb_midl_need(&txn->mt_free_pgs, txn->mt_loose_count)) != 0)
 			return rc;
-		for (; mp; mp = NEXT_LOOSE_PAGE(mp))
+		for (; mp; mp = NEXT_LOOSE_PAGE(mp)) {
 			mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno);
+			/* must also remove from dirty list */
+			if (txn->mt_flags & MDB_TXN_WRITEMAP) {
+				for (x=1; x<=dl[0].mid; x++)
+					if (dl[x].mid == mp->mp_pgno)
+						break;
+				mdb_tassert(txn, x <= dl[0].mid);
+			} else {
+				x = mdb_mid2l_search(dl, mp->mp_pgno);
+				mdb_tassert(txn, dl[x].mid == mp->mp_pgno);
+			}
+			dl[x].mptr = NULL;
+			mdb_dpage_free(env, mp);
+		}
+		{
+			/* squash freed slots out of the dirty list */
+			unsigned y;
+			for (y=1; dl[y].mptr && y <= dl[0].mid; y++);
+			if (y <= dl[0].mid) {
+				for(x=y, y++;;) {
+					while (!dl[y].mptr && y <= dl[0].mid) y++;
+					if (y > dl[0].mid) break;
+					dl[x++] = dl[y++];
+				}
+				dl[0].mid = x-1;
+			} else {
+				/* all slots freed */
+				dl[0].mid = 0;
+			}
+		}
 		txn->mt_loose_pgs = NULL;
 		txn->mt_loose_count = 0;
 	}
@@ -5063,7 +5094,7 @@ mdb_env_close0(MDB_env *env, int excl)
 	if (env->me_fd != INVALID_HANDLE_VALUE)
 		(void) close(env->me_fd);
 	if (env->me_txns) {
-		MDB_PID_T pid = env->me_pid;
+		MDB_PID_T pid = getpid();
 		/* Clearing readers is done in this function because
 		 * me_txkey with its destructor must be disabled first.
 		 *

libraries/liblmdb/mdb_load.c

@@ -68,6 +68,7 @@ static void readhdr(void)
 {
 	char *ptr;
 
+	flags = 0;
 	while (fgets(dbuf.mv_data, dbuf.mv_size, stdin) != NULL) {
 		lineno++;
 		if (!strncmp(dbuf.mv_data, "VERSION=", STRLENOF("VERSION="))) {
@@ -374,7 +375,6 @@ int main(int argc, char *argv[])
 	while(!Eof) {
 		MDB_val key, data;
 		int batch = 0;
-		flags = 0;
 
 		if (!dohdr) {
 			dohdr = 1;

servers/slapd/back-bdb/config.c

@@ -602,10 +602,11 @@ bdb_cf_gen( ConfigArgs *c )
 			if ( c->valx == -1 ) {
 				int i;
 
-				/* delete all (FIXME) */
+				/* delete all */
 				for ( i = 0; i < bdb->bi_nattrs; i++ ) {
 					bdb->bi_attrs[i]->ai_indexmask |= BDB_INDEX_DELETING;
 				}
+				bdb->bi_defaultmask = 0;
 				bdb->bi_flags |= BDB_DEL_INDEX;
 				c->cleanup = bdb_cf_cleanup;
 

servers/slapd/back-bdb/idl.c

@@ -1085,18 +1085,11 @@ bdb_idl_intersection(
 	}
 
 	/* If a range completely covers the list, the result is
-	 * just the list. If idmin to idmax is contiguous, just
-	 * turn it into a range.
+	 * just the list.
 	 */
 	if ( BDB_IDL_IS_RANGE( b )
 		&& BDB_IDL_RANGE_FIRST( b ) <= BDB_IDL_FIRST( a )
 		&& BDB_IDL_RANGE_LAST( b ) >= BDB_IDL_LLAST( a ) ) {
-		if (idmax - idmin + 1 == a[0])
-		{
-			a[0] = NOID;
-			a[1] = idmin;
-			a[2] = idmax;
-		}
 		goto done;
 	}
 

servers/slapd/back-mdb/config.c

@@ -423,10 +423,11 @@ mdb_cf_gen( ConfigArgs *c )
 			if ( c->valx == -1 ) {
 				int i;
 
-				/* delete all (FIXME) */
+				/* delete all */
 				for ( i = 0; i < mdb->mi_nattrs; i++ ) {
 					mdb->mi_attrs[i]->ai_indexmask |= MDB_INDEX_DELETING;
 				}
+				mdb->mi_defaultmask = 0;
 				mdb->mi_flags |= MDB_DEL_INDEX;
 				c->cleanup = mdb_cf_cleanup;