OpenLDAP 2.4.48
Added libldap OpenSSL Elliptic Curve support
Added libldap Expose OpenLDAP specific interfaces via openldap.h
Added slapd-monitor support for slapd-mdb
Fixed liblber leaks
Fixed liblber with partial flush
Fixed libldap ASYNC TLS so it works
Fixed libldap ASYNC connections with Solaris 10
Fixed libldap with SASL_NOCANON=on and ldapi connections
Fixed libldap to be able to unset syncrepl TLS options
Fixed libldap race condition in ldap_int_initialize
Fixed libldap return code in ldap_create_assertion_control_value
Fixed libldap to correctly disable IPv6 when configured to do so
Fixed libldap to correctly close TLS connection
Fixed libldap_r handling of deprecated OpenSSL function
Fixed liblunicode case correspondence
Fixed slapd with an idletimeout of less than four seconds
Fixed slapd config parser variable for Windows64
Fixed slapd syncrepl fallback handling with delta-syncrepl
Fixed slapd telephoneNumberNormalize, cert DN validation
Fixed slapd syncrepl for relax with delta-syncrepl
Fixed slapd to restrict rootDN proxyauthz to its own databases
Fixed slapd to initialize SASL SSF per connection
Fixed slapo-accesslog with SLAP_MOD_SOFT modifications
Fixed slapd-ldap starttls connections timeout behavior
Fixed slapd-ldap segfault when entry result doesn't match filter
Fixed slapd-meta conversion from slapd.conf to cn=config
Fixed slapd-meta assertion when network interface goes down
Fixed slapd-mdb bitshift integer overflow
Fixed slapd-mdb index cleanup with cn=config
Fixed slapd-mdb to improve performance with alias deref
Fixed slapo-accesslog possible assert with exops
Fixed slapo-chain to correctly reject multiple chaining URIs
Fixed slapo-chain conversion from slapd.conf to cn=config
Fixed slapo-memberof conversion from slapd.conf to cn=config
Fixed slapo-memberof for group name change to itself
Fixed slapo-ppolicy behavior when pwdInHistory is changed
Fixed slapo-rwm to not free original filter
Fixed slapo-syncprov contextCSN generation
Build Environment
Fixed slapd to only link to BDB libraries with static build
Fixed libldap implicit declaration with LDAP_CONNECTIONLESS
Fixed libldap double inclusion of limits.h in cyrus.c
Documentation
General - Fixed minor typos
admin24 - Miscellaneous updates promoting mdb and fixing examples
slapd.access(5) - Note MDB is the primary backend
slapd.backends(5) - Note MDB is the recommended backend
slapd-ldap(5) - Document starttls parameter
Contrib
Added slapo-lastbind capability to forward authTimestamp updates
Added slapd support for OpenSSL 1.1.0 series (ITS-8353, ITS-8533, ITS-8634)
Fixed libldap to fail ldap_result if the handle is already bad (ITS-8585)
Fixed libldap to expose error if user specified CA doesn't exist (ITS-8529)
Fixed libldap handling of Diffie-Hellman parameters (ITS-7506)
Fixed libldap GnuTLS use after free (ITS-8385)
Fixed libldap SASL initialization (ITS-8648)
Fixed slapd bconfig rDN escape handling (ITS-8574)
Fixed slapd segfault with invalid hostname (ITS-8631)
Fixed slapd sasl SEGV rebind in same session (ITS-8568)
Fixed slapd syncrepl filter handling (ITS-8413)
Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS-8432)
Fixed slapd callback struct so older modules without writewait should function.
Custom modules may need to be updated for sc_writewait callback (ITS-8435)
Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS-8576)
Fixed slapd-mdb so it passes ITS6794 regression test (ITS-6794)
Fixed slapd-mdb double free with size zero paged result (ITS-8655)
Fixed slapd-meta uninitialized diagnostic message (ITS-8442)
Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS-8423)
Fixed slapo-accesslog with multiple modifications to the same attribute (ITS-6545)
Fixed slapo-relay to correctly initialize sc_writewait (ITS-8428)
Fixed slapo-sssvlv double free (ITS-8592)
Fixed slapo-unique with empty modifications (ITS-8266)
Build Environment
Added test065 for proxyauthz (ITS-8571)
Fix test008 to be portable (ITS-8414)
Fix test064 to wait for slapd to start (ITS-8644)
Fix its4336 regression test (ITS-8534)
Fix its4337 regression test (ITS-8535)
Fix regression tests to execute on all backends (ITS-8539)
Contrib
Added slapo-autogroup(5) man page (ITS-8569)
Added passwd missing conversion scripts for apr1 (ITS-6826)
Fixed contrib modules where the writewait callback was not correctly initialized (ITS-8435)
Fixed smbk5pwd to build with newer OpenSSL releases (ITS-8525)
Documentation
admin24 fixed tls_cipher_suite bindconf option (ITS-8099)
admin24 fixed typo cn=config to be slapd.d (ITS-8449)
admin24 fixed slapo-syncprov information to be current (ITS-8253)
admin24 fixed typo in access control docs (ITS-7341, ITS-8391)
admin24 fixed minor typo in tuning guide (ITS-8499)
admin24 fixed information about the limits option (ITS-7700)
admin24 fixed missing options for syncrepl configuration (ITS-7700)
admin24 fixed accesslog documentation to note it should not be replicated (ITS-8344)
Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS-7177)
Fixed ldapsearch(1) information on the V[V] flag behavior (ITS-7177, ITS-6339)
Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS-8538)
Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS-8635)
Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS-8123)
Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS-8565)
Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS-8613)
Fixed slapo-syncprov(5) documentation to be current (ITS-8253)
Fixed slapadd(8) manpage to note slapd-mdb (ITS-8215)
Fixed various minor grammar issues in the man pages (ITS-8544)
Fixed various typos (ITS-8587)
Incorrect multi-keyword mode cipherstring parsing.
Fixes CVE-2015-3276.
Submitted upstream as ITS#8543, it apparently wasn't already(!)
http://www.openldap.org/its/index.cgi/Incoming?id=8543
Bump PKGREVISION for both openldap, openldap-server and openldap-client
(to be on the safe side...)
Fixed liblber remove obsolete assert (ITS-8240, ITS-8301)
Fixed libldap file URLs on windows (ITS-8273)
Fixed libldap microsecond timer for windows (ITS-8295)
Fixed slap tools minor one time memory leak (ITS-8082)
Fixed slapd to avoid redundant processing of abandon ops (ITS-8232)
Fixed slapd syncrepl segv when present list is NULL (ITS-8231, ITS-8042)
Fixed slapd segfault with invalid SASL URI (ITS-8218)
Fixed slapd configuration parser with unbalanced quotes (ITS-8233)
Fixed slapd syncrepl check with config db on windows (ITS-8277)
Fixed slapd with mod Increment and inherited attribute type (ITS-8289)
Fixed slapd-ldap SEGV after failed retry (ITS-8173)
Fixed slapd-ldap to skip client controls in ldap_back_entry_get (ITS-8244)
Fixed slapd-null to have an option to return a search entry (ITS-8249)
Fixed slapd-relay to correctly handle quoted options (ITS-8284)
Fixed slapo-accesslog delta-sync MMR with interrupted refresh phase (ITS-8281)
Fixed slapo-dds segfault when using slapo-memberof (ITS-8133)
Fixed slapo-ppolicy to allow purging of stale pwdFailureTime attributes (ITS-8185)
Fixed slapo-ppolicy to release entry on failure (ITS-7537)
Fixed slapo-ppolicy to fall back to default policy if there is a parsing error (ITS-8234)
Fixed slapo-syncprov with interrupted refresh phase (ITS-8281)
Fixed slapo-refint with subtree renames (ITS-8220)
Fixed slapo-rwm missing olcDropUnrequested attribute (ITS-7889)
Fixed slapo-rwm parsing to avoid double-escaping rewrite rules (ITS-7964)
Build Environment
Fixed ldif-filter option parsing (ITS-8292)
Fixed slapd-tester EOL handling in test output for windows (ITS-8280)
Fixed slapd-tester executable suffix for windows (ITS-8216)
Fixed test061 timing issues (ITS-8297)
Contrib
Added libnettle support to pw-pbkdf2 (ITS-8198)
Fixed smbk5pwd compiler warnings with libnettle (ITS-8235)
Fixed passwd symbol collisions with other crypto libraries (ITS-8294)
Documentation
Updated guide to reflect changes to how TLS is handled with syncrepl
After the recent Logjam attack, larger DH parameter sizes have been advised.
Unfortunately, this comes with a high computational cost. ECDH is a good
alternative to achieve forward secrecy with lower CPU load.
This patch is a backport of the upstream ECDH implementation. ECDH is
enabled by specifying a curve name through the TLSECName directive.
Valid curve names can be obtained with: openssl ecparam -list_curves
Advised usage for a forward-secrecy-only setup with only ECDH:
TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName prime256v1
If backward compatibility with older clients is required:
TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName prime256v1
Backward compatible flavor with more forward secrecy, at the expense of
using costly DH. dh2048.pem is generated with:
openssl dhparam 2048 > /etc/openssl/certs/dh2048.pem
TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSDHParamFile /etc/openssl/certs/dh2048.pem
TLSECName prime256v1
From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001
From: Ben Jencks <ben@bjencks.net>
Date: Sun, 27 Jan 2013 18:27:03 -0500
Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage.
If a DHParamFile or olcDHParamFile is specified, then it will be used,
otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
larger parameters; previously only 512 or 1024 bit parameters would ever be
used.
From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 7 Sep 2013 06:39:53 -0700
Subject: [PATCH] ITS#7506 fix prev commit
The patch unconditionally enabled DHparams, which is a significant
change of behavior. Reverting to previous behavior, which only enables
DH use if a DHparam file was configured.
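As an added example (not code from the pkgsrc package or from OpenLDAP), a small Python checker that reads the slapd.conf TLS directives discussed above and reports whether the cipherstring asks for forward secrecy, whether EECDH is paired with TLSECName, and whether EDH is paired with TLSDHParamFile, since per the ITS#7506 follow-up DH is only enabled when a DHParamFile is configured. The sample configurations are constructed for the demonstration.

```python
# Constructed sample slapd.conf TLS fragments (not from any real deployment).
CONFIGS = {
    # The advised ECDH-only setup from the patch description.
    "ecdh_only": """
TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName prime256v1
""",
    # EDH requested but no DH parameter file: DH stays disabled in slapd.
    "edh_without_params": """
TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName prime256v1
""",
    # No key-exchange keyword at all and nothing excluded.
    "weak": """
TLSCipherSuite HIGH:MEDIUM
""",
}

DIRECTIVES = ("TLSCipherSuite", "TLSECName", "TLSDHParamFile")


def parse_tls_directives(text):
    """Return {directive: value} for the TLS* directives slapd.conf uses."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found


def check_forward_secrecy(conf):
    """Return a list of findings; an empty list means the advised setup."""
    findings = []
    keywords = conf.get("TLSCipherSuite", "").split(":")
    if "EECDH" not in keywords and "EDH" not in keywords:
        findings.append("no EECDH/EDH keyword: forward secrecy not requested")
    if "EECDH" in keywords and "TLSECName" not in conf:
        findings.append("EECDH configured but TLSECName missing")
    if "EDH" in keywords and "TLSDHParamFile" not in conf:
        findings.append("EDH configured but TLSDHParamFile missing (DH stays disabled)")
    for excluded in ("!aNULL", "!eNULL", "!RC4", "!MD5"):
        if excluded not in keywords:
            findings.append(f"cipherstring does not exclude {excluded[1:]}")
    return findings


if __name__ == "__main__":
    for name, text in CONFIGS.items():
        print(name, check_forward_secrecy(parse_tls_directives(text)) or "OK")
```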
support, reported via PR pkg/37745 ).
OpenLDAP 2.4.x brings a lot of new features, including multi-master support,
dynamic configuration and schema changes, automatic reverse group membership,
significant performance improvements, etc. One of the most noticeable changes
for administrators though is the removal of the slurpd daemon (in favour of
the sync replication mechanism). Users of slurpd replication should migrate
to sync replication before upgrading to OpenLDAP 2.4.x.
split off. This package contains only the client tools and libraries, and the
manpages.
LDAP-based applications should depend on this package, not databases/openldap
(anymore).