Security Bug #96767, ssl not being used always. Note that both 2.1.30-r5 and 2.2.27-r1 have the patch.

(Portage version: 2.0.51.22-r1)

7 files changed, 638 insertions, 1 deletions

diff --git a/net-nds/openldap/ChangeLog b/net-nds/openldap/ChangeLog
index 2fb84e549df6..bc0e558c7075 100644
--- a/net-nds/openldap/ChangeLog
+++ b/net-nds/openldap/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for net-nds/openldap
 # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-nds/openldap/ChangeLog,v 1.118 2005/07/03 18:00:00 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-nds/openldap/ChangeLog,v 1.119 2005/07/03 19:14:50 robbat2 Exp $
+
+*openldap-2.2.27-r1 (03 Jul 2005)
+*openldap-2.1.30-r5 (03 Jul 2005)
+
+  03 Jul 2005; Robin H. Johnson <robbat2@gentoo.org>
+  +files/openldap-2.2.26-tls-fix-connection-test.patch,
+  +openldap-2.1.30-r5.ebuild, +openldap-2.2.27-r1.ebuild:
+  Security Bug #96767, ssl not being used always. Note that both 2.1.30-r5 and
+  2.2.27-r1 have the patch.
 
 *openldap-2.2.27 (03 Jul 2005)
 
diff --git a/net-nds/openldap/Manifest b/net-nds/openldap/Manifest
index b601bd69f8a7..58af90e76960 100644
--- a/net-nds/openldap/Manifest
+++ b/net-nds/openldap/Manifest
@@ -1,11 +1,13 @@
 MD5 f0f6d95bb459a68e1af47d41c03698e0 openldap-2.1.30-r3.ebuild 7217
 MD5 eccf7065578fd1850586d204d1037294 openldap-2.2.27.ebuild 12433
+MD5 f208bec4616a38e1d8979bfea9ad00a1 openldap-2.1.30-r5.ebuild 7489
 MD5 5bd89548fb8de6b4f0fdca12617e4e0c openldap-2.2.24.ebuild 9516
 MD5 7147b6711fd08405e22461185a531b7e openldap-2.1.27.ebuild 7058
 MD5 652065b4b1af04d11846fcdab7807ff8 openldap-2.1.30-r2.ebuild 7491
 MD5 8ca33d2e9e42040d47ae4119384c34fe openldap-2.2.26-r2.ebuild 11641
 MD5 47247dbac20cbf48c08404fca5b51b7f openldap-2.2.26.ebuild 9741
 MD5 2adaddb98fafad5e590a07c8e96cf5a8 openldap-2.1.30-r4.ebuild 7316
+MD5 3cf52c2cc3f10d12553e969816e22a7f openldap-2.2.27-r1.ebuild 12595
 MD5 bda33bb3429f18d3078dd9a642021ab2 openldap-2.2.23-r1.ebuild 8792
 MD5 90ad9b62db369bad1f15a4401267e438 openldap-2.2.23.ebuild 7820
 MD5 b33684a7371eb8e18a8cc35c381cd469 openldap-2.2.19.ebuild 7963
@@ -17,6 +19,7 @@ MD5 8207b5af41a71f4927b42ffd66bc5f10 ChangeLog 22209
 MD5 b0d485ea1a51fb83c70daedef2599272 metadata.xml 279
 MD5 7901f04890caac3b418942143b60b284 openldap-2.1.27-r1.ebuild 7452
 MD5 b230f9445ab2e9b4ae10beb130d329db openldap-2.2.26-r1.ebuild 10639
+MD5 4591bdcf0bd459c6fdbcabc93f5b6b55 files/openldap-2.2.26-tls-fix-connection-test.patch 663
 MD5 c16eada85fafe1c17bf0089d0ef90ae3 files/gencert.sh-2.2.27 2939
 MD5 c8d6f4ebeb92ef1085b1bb77d7b4db5f files/gencert.sh 3505
 MD5 c58db81c8d7084a9abf48747134da0a8 files/openldap-2.1.30-db40.patch 718
@@ -25,11 +28,13 @@ MD5 6da89687536a5ec9a422938e997a8a04 files/digest-openldap-2.1.30-r1 65
 MD5 6da89687536a5ec9a422938e997a8a04 files/digest-openldap-2.1.30-r2 65
 MD5 6da89687536a5ec9a422938e997a8a04 files/digest-openldap-2.1.30-r3 65
 MD5 6da89687536a5ec9a422938e997a8a04 files/digest-openldap-2.1.30-r4 65
+MD5 6da89687536a5ec9a422938e997a8a04 files/digest-openldap-2.1.30-r5 65
 MD5 1afdae6ce6fa709abed41ce45f41f5e8 files/openldap-2.1.30-tls-activedirectory-hang-fix.patch 1122
 MD5 4c6ef684996786b3a7cc2dc15c4ae7a4 files/openldap-2.2.14-db40.patch 773
 MD5 fa0a0dfbb9f3984fb2907c020e02ec73 files/digest-openldap-2.2.23-r1 65
 MD5 f1e72154e299a0b90a1157c7ed171daf files/digest-openldap-2.2.26-r1 130
 MD5 f1e72154e299a0b90a1157c7ed171daf files/digest-openldap-2.2.26-r2 130
+MD5 919632051f7ddeeed29b011f163d17f0 files/digest-openldap-2.2.27-r1 130
 MD5 95a998755d69f0f30cb64b9cb8eeab15 files/openldap-2.2.14-perlthreadsfix.patch 614
 MD5 ca2c43219df88502aafeab9db9eda4d5 files/openldap-2.1.27-perlthreadsfix.patch 967
 MD5 30ef1dc504563809f990b72ffe2be6c0 files/digest-openldap-2.1.26 65
diff --git a/net-nds/openldap/files/digest-openldap-2.1.30-r5 b/net-nds/openldap/files/digest-openldap-2.1.30-r5
new file mode 100644
index 000000000000..a6a4a08b05c0
--- /dev/null
+++ b/net-nds/openldap/files/digest-openldap-2.1.30-r5
@@ -0,0 +1 @@
+MD5 e2ae8148c4bed07d7a70edd930bdc403 openldap-2.1.30.tgz 2044673
diff --git a/net-nds/openldap/files/digest-openldap-2.2.27-r1 b/net-nds/openldap/files/digest-openldap-2.2.27-r1
new file mode 100644
index 000000000000..3f10c4ded588
--- /dev/null
+++ b/net-nds/openldap/files/digest-openldap-2.2.27-r1
@@ -0,0 +1,2 @@
+MD5 51c053cc0ec82ff20b453f49ce78bb89 openldap-2.2.27.tgz 2628140
+MD5 e2ae8148c4bed07d7a70edd930bdc403 openldap-2.1.30.tgz 2044673
diff --git a/net-nds/openldap/files/openldap-2.2.26-tls-fix-connection-test.patch b/net-nds/openldap/files/openldap-2.2.26-tls-fix-connection-test.patch
new file mode 100644
index 000000000000..dce56a0093bb
--- /dev/null
+++ b/net-nds/openldap/files/openldap-2.2.26-tls-fix-connection-test.patch
@@ -0,0 +1,13 @@
+diff -urN openldap-2.2.26.orig/libraries/libldap/tls.c openldap-2.2.26/libraries/libldap/tls.c
+--- openldap-2.2.26.orig/libraries/libldap/tls.c	2005-01-20 17:01:02.000000000 +0000
++++ openldap-2.2.26/libraries/libldap/tls.c	2005-06-22 01:34:22.000000000 +0100
+@@ -1738,7 +1738,8 @@
+ 
+ 	/* XXYYZ: this initiates operation only on default connection! */
+ 
+-	if ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
++	if ( ( ld->ld_defconn != NULL ) ? ( ld->ld_defconn->lconn_sb != NULL && ldap_pvt_tls_inplace( ld->ld_defconn->lconn_sb ) != 0 )
++			: ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) ) {
+ 		return LDAP_LOCAL_ERROR;
+ 	}
+ 
diff --git a/net-nds/openldap/openldap-2.1.30-r5.ebuild b/net-nds/openldap/openldap-2.1.30-r5.ebuild
new file mode 100644
index 000000000000..c85b0aec5fd4
--- /dev/null
+++ b/net-nds/openldap/openldap-2.1.30-r5.ebuild
@@ -0,0 +1,238 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-nds/openldap/openldap-2.1.30-r5.ebuild,v 1.1 2005/07/03 19:14:50 robbat2 Exp $
+
+inherit eutils
+
+DESCRIPTION="LDAP suite of application and development tools"
+HOMEPAGE="http://www.OpenLDAP.org/"
+SRC_URI="mirror://openldap/openldap-release/${P}.tgz"
+
+LICENSE="OPENLDAP"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="berkdb crypt debug gdbm ipv6 odbc perl readline samba sasl slp ssl tcpd"
+
+DEPEND=">=sys-libs/ncurses-5.1
+	>=sys-apps/sed-4
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	ssl? ( >=dev-libs/openssl-0.9.6 )
+	readline? ( >=sys-libs/readline-4.1 )
+	sasl? ( >=dev-libs/cyrus-sasl-2.1.7-r3 )
+	odbc? ( dev-db/unixODBC )
+	slp? ( >=net-libs/openslp-1.0 )
+	perl? ( >=dev-lang/perl-5.6 )
+	samba? ( >=dev-libs/openssl-0.9.6 )"
+
+# note that the 'samba' USE flag pulling in OpenSSL is NOT an error.  OpenLDAP
+# uses OpenSSL for LanMan/NTLM hashing (which is used in some enviroments, like
+# mine at work)!
+# Robin H. Johnson <robbat2@gentoo.org> March 8, 2004
+
+# if USE=berkdb
+#	pull in sys-libs/db
+# else if USE=gdbm
+#	pull in sys-libs/gdbm
+# else
+#	pull in sys-libs/db
+DEPEND="${DEPEND}
+	berkdb? ( >=sys-libs/db-4.1.25_p1-r3 )
+	!berkdb? (
+		gdbm? ( >=sys-libs/gdbm-1.8.0 )
+		!gdbm? ( >=sys-libs/db-4.1.25_p1-r3 )
+	)"
+
+pkg_preinst() {
+	enewgroup ldap 439
+	enewuser ldap 439 /bin/false /usr/lib/openldap ldap
+}
+
+src_unpack() {
+	unpack ${A}
+
+	# According to MDK, the link order needs to be changed so that
+	# on systems w/ MD5 passwords the system crypt library is used
+	# (the net result is that "passwd" can be used to change ldap passwords w/
+	#  proper pam support)
+	sed -ie 's/$(SECURITY_LIBS) $(LDIF_LIBS) $(LUTIL_LIBS)/$(LUTIL_LIBS) $(SECURITY_LIBS) $(LDIF_LIBS)/' \
+		${S}/servers/slapd/Makefile.in
+
+	# Fix up DB-4.0 linking problem
+	# remember to autoconf! this expands configure by 500 lines (4 lines to m4
+	# stuff).
+	epatch ${FILESDIR}/${PN}-2.1.30-db40.patch
+	epatch ${FILESDIR}/${PN}-2.1.30-tls-activedirectory-hang-fix.patch
+
+	# Security bug #96767 
+	# http://bugzilla.padl.com/show_bug.cgi?id=210
+	EPATCH_OPTS="-p1 -d ${S}" epatch ${FILESDIR}/${PN}-2.2.26-tls-fix-connection-test.patch
+
+	# supersedes old fix for bug #31202
+	cd ${S}
+	epatch ${FILESDIR}/${PN}-2.1.27-perlthreadsfix.patch
+
+	# fix up stuff for newer autoconf that simulates autoconf-2.13, but doesn't
+	# do it perfectly.
+	cd ${S}/build
+	ln -s shtool install
+	ln -s shtool install.sh
+
+	# ximian connector 1.4.7 ntlm patch
+	cd ${S}
+	epatch ${FILESDIR}/${PN}-2.1.30-ximian_connector.patch
+
+	# reconf for db40 fixes.
+	cd ${S}
+	WANT_AUTOCONF="2.1" autoconf
+}
+
+src_compile() {
+	local myconf
+
+	# enable debugging to syslog
+	use debug && myconf="${myconf} --enable-debug"
+	myconf="${myconf} --enable-syslog"
+
+	# enable slapd/slurpd servers
+	myconf="${myconf} --enable-ldap"
+	myconf="${myconf} --enable-slapd --enable-slurpd"
+
+	myconf="${myconf} `use_enable crypt`"
+	myconf="${myconf} `use_enable ipv6`"
+	myconf="${myconf} `use_with sasl cyrus-sasl` `use_enable sasl spasswd`"
+	myconf="${myconf} `use_with readline`"
+	myconf="${myconf} `use_with ssl tls` `use_with samba lmpasswd`"
+	myconf="${myconf} `use_enable tcpd wrappers`"
+	myconf="${myconf} `use_enable odbc sql`"
+	myconf="${myconf} `use_enable perl`"
+	myconf="${myconf} `use_enable slp`"
+
+	myconf="${myconf} --enable-ldbm"
+	myconf_berkdb='--enable-bdb --with-ldbm-api=berkeley'
+	myconf_gdbm='--disable-bdb --with-ldbm-api=gdbm'
+	if use berkdb; then
+		einfo "Using Berkeley DB for local backend"
+		myconf="${myconf} ${myconf_berkdb}"
+	elif use gdbm; then
+		einfo "Using GDBM for local backend"
+		myconf="${myconf} ${myconf_gdbm}"
+	else
+		ewarn "Neither gdbm or berkdb USE flags present, falling back to"
+		ewarn "Berkeley DB for local backend"
+		myconf="${myconf} ${myconf_berkdb}"
+	fi
+
+	# alas, for BSD only
+	#myconf="${myconf} --with-fetch"
+
+	myconf="${myconf} --enable-dynamic --enable-modules"
+	myconf="${myconf} --enable-rewrite --enable-rlookups"
+	myconf="${myconf} --enable-passwd --enable-phonetic"
+	myconf="${myconf} --enable-dnssrv --enable-ldap"
+	myconf="${myconf} --enable-meta --enable-monitor"
+	myconf="${myconf} --enable-null --enable-shell"
+	myconf="${myconf} --enable-local --enable-proctitle"
+
+	# disabled options
+	# --with-bdb-module=dynamic
+	# --enable-dnsserv --with-dnsserv-module=dynamic
+
+	econf \
+		--enable-static \
+		--enable-shared \
+		--libexecdir=/usr/lib/openldap \
+		${myconf} || die "configure failed"
+
+	make depend || die "make depend failed"
+	make || die "make failed"
+
+}
+
+src_test() {
+	einfo "Doing tests"
+	cd tests ; make tests || die "make tests failed"
+}
+
+src_install() {
+	make DESTDIR=${D} install || die "make install failed"
+
+	dodoc ANNOUNCEMENT CHANGES COPYRIGHT README LICENSE
+	docinto rfc ; dodoc doc/rfc/*.txt
+
+	# make state directories
+	for x in data slurp ldbm; do
+		keepdir /var/lib/openldap-${x}
+		fowners ldap:ldap /var/lib/openldap-${x}
+		fperms 0700 /var/lib/openldap-${x}
+	done
+
+	# manually remove /var/tmp references in .la
+	# because it is packaged with an ancient libtool
+	for x in ${D}/usr/lib/lib*.la; do
+		sed -i -e "s:-L${S}[/]*libraries::" ${x}
+	done
+
+	# change slapd.pid location in configuration file
+	keepdir /var/run/openldap
+	fowners ldap:ldap /var/run/openldap
+	fperms 0755 /var/run/openldap
+	for f in /etc/openldap/slapd.conf /etc/openldap/slapd.conf.default; do
+		sed -e "s:/var/lib/slapd.:/var/run/openldap/slapd.:" -i ${D}/${f}
+		sed -e "/database\tbdb$/acheckpoint	32	30 # <kbyte> <min>" -i ${D}/${f}
+		fowners root:ldap ${f}
+		fperms 0640 ${f}
+	done
+
+	# install our own init scripts
+	exeinto /etc/init.d
+	newexe ${FILESDIR}/2.0/slapd slapd
+	newexe ${FILESDIR}/2.0/slurpd slurpd
+	insinto /etc/conf.d
+	newins ${FILESDIR}/2.0/slapd.conf slapd
+
+	# install MDK's ssl cert script
+	if use ssl || use samba; then
+		dodir /etc/openldap/ssl
+		exeinto /etc/openldap/ssl
+		doexe ${FILESDIR}/gencert.sh
+	fi
+}
+
+pkg_postinst() {
+	if use ssl; then
+		# make a self-signed ssl cert (if there isn't one there already)
+		if [ ! -e /etc/openldap/ssl/ldap.pem ]
+		then
+			cd /etc/openldap/ssl
+			yes "" | sh gencert.sh
+			chmod 640 ldap.pem
+			chown root:ldap ldap.pem
+		else
+			einfo "An LDAP cert already appears to exist, no creating"
+		fi
+	fi
+
+	# Since moving to running openldap as user ldap there are some
+	# permissions problems with directories and files.
+	# Let's make sure these permissions are correct.
+	chown ldap:ldap /var/run/openldap
+	chmod 0755 /var/run/openldap
+	chown root:ldap /etc/openldap/slapd.conf
+	chmod 0640 /etc/openldap/slapd.conf
+	chown root:ldap /etc/openldap/slapd.conf.default
+	chmod 0640 /etc/openldap/slapd.conf.default
+	chown ldap:ldap /var/lib/openldap-{data,ldbm,slurp}
+
+	# notes from bug #41297, bug #41039
+	ewarn "If you are upgrading from OpenLDAP 2.0, major changes have occured:"
+	ewarn "- bind_anon_dn is now disabled by default for security"
+	ewarn "  add 'allow bind_anon_dn' to your config for the old behavior."
+	ewarn "- Default schemas have changed, you should slapcat your entire DB to"
+	ewarn "  a file, delete your DB, and then slapadd it again. Alternatively"
+	ewarn "  you can try slapindex which should work in almost all cases. Be"
+	ewarn "  sure to check the permissions on the database files afterwards!"
+	if use ssl; then
+		ewarn "- Self-signed SSL certificates are treated harshly by OpenLDAP 2.1"
+		ewarn "  add 'TLS_REQCERT never' if you want to use them."
+	fi
+}
diff --git a/net-nds/openldap/openldap-2.2.27-r1.ebuild b/net-nds/openldap/openldap-2.2.27-r1.ebuild
new file mode 100644
index 000000000000..3e9d413325a8
--- /dev/null
+++ b/net-nds/openldap/openldap-2.2.27-r1.ebuild
@@ -0,0 +1,369 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-nds/openldap/openldap-2.2.27-r1.ebuild,v 1.1 2005/07/03 19:14:50 robbat2 Exp $
+
+inherit flag-o-matic toolchain-funcs eutils multilib
+
+OLD_PV="2.1.30"
+OLD_P="${PN}-${OLD_PV}"
+OLD_S="${WORKDIR}/${OLD_P}"
+
+DESCRIPTION="LDAP suite of application and development tools"
+HOMEPAGE="http://www.OpenLDAP.org/"
+SRC_URI="mirror://openldap/openldap-release/${P}.tgz
+		 mirror://openldap/openldap-release/${OLD_P}.tgz"
+
+LICENSE="OPENLDAP"
+SLOT="0"
+IUSE="berkdb crypt debug gdbm ipv6 kerberos minimal odbc perl readline samba sasl slp ssl tcpd"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+
+RDEPEND=">=sys-libs/ncurses-5.1
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	ssl? ( >=dev-libs/openssl-0.9.6 )
+	readline? ( >=sys-libs/readline-4.1 )
+	sasl? ( >=dev-libs/cyrus-sasl-2.1.7-r3 )
+	odbc? ( dev-db/unixODBC )
+	slp? ( >=net-libs/openslp-1.0 )
+	perl? ( >=dev-lang/perl-5.6 )
+	samba? ( >=dev-libs/openssl-0.9.6 )
+	kerberos? ( virtual/krb5 )"
+
+# note that the 'samba' USE flag pulling in OpenSSL is NOT an error.  OpenLDAP
+# uses OpenSSL for LanMan/NTLM hashing (which is used in some enviroments, like
+# mine at work)!
+# Robin H. Johnson <robbat2@gentoo.org> March 8, 2004
+
+# if USE=berkdb
+#	pull in sys-libs/db
+# else if USE=gdbm
+#	pull in sys-libs/gdbm
+# else
+#	pull in sys-libs/db
+RDEPEND_BERKDB=">=sys-libs/db-4.2.52_p1"
+RDEPEND_GDBM=">=sys-libs/gdbm-1.8.0"
+RDEPEND="${RDEPEND}
+	berkdb? ( ${RDEPEND_BERKDB} )
+	!berkdb? (
+		gdbm? ( ${RDEPEND_GDBM} )
+		!gdbm? ( ${RDEPEND_BERKDB} )
+	)"
+
+DEPEND="${RDEPEND}
+		sys-devel/libtool
+		>=sys-apps/sed-4"
+
+# for tracking versions
+OPENLDAP_VERSIONTAG="/var/lib/openldap-data/.version-tag"
+
+#DEPEND="${DEPEND} !<net-nds/openldap-2.2"
+
+openldap_upgrade_warning() {
+	ewarn "If you are upgrading from OpenLDAP-2.1, and run slapd on this"
+	ewarn "machine please see the ebuild for upgrade instructions, otherwise"
+	ewarn "you may corrupt your database!"
+	echo
+	ewarn "Part of the configuration file syntax has changed:"
+	ewarn "'access to attribute=' is now 'access to attrs='"
+	echo
+	ewarn "You must also run revdep-rebuild after upgrading from 2.1 to 2.2:"
+	ewarn "# revdep-rebuild --soname liblber.so.2"
+	ewarn "# revdep-rebuild --soname libldap.so.2"
+	ewarn "# revdep-rebuild --soname libldap_r.so.2"
+}
+
+pkg_setup() {
+	# grab lines
+	openldap_datadirs="$(awk '{if($1 == "directory") print $2 }' /etc/openldap/slapd.conf)"
+	datafiles=""
+	for d in $openldap_datadirs; do
+		datafiles="${datafiles} $(ls $d/*db*} 2>/dev/null)"
+	done
+	# remove extra spaces
+	datafiles="$(echo ${datafiles// })"
+	# TODO: read OPENLDAP_VERSIONTAG instead in future
+	if has_version '<net-nds/openldap-2.2' && [ -n "$datafiles" ]; then
+		eerror "A possible old installation of OpenLDAP was detected"
+		eerror "As major version upgrades to 2.2 can corrupt your database"
+		eerror "You need to dump your database and re-create it afterwards."
+		eerror ""
+		d="$(date -u +%s)"
+		l="/root/ldapdump.${d}"
+		i="${l}.raw"
+		eerror " 1. /etc/init.d/slurpd stop ; /etc/init.d/slapd stop"
+		eerror " 2. slapcat -l ${i}"
+		eerror " 3. egrep -v '^entryCSN:' <${i} >${l}"
+		eerror " 4. emerge unmerge '<=net-nds/openldap-2.1*'"
+		eerror " 5. mv /var/lib/openldap-data/ /var/lib/openldap-data,2.1/"
+		eerror " 6. emerge '>=net-nds/openldap-2.2'"
+		eerror " 7. etc-update, and ensure that you apply the changes"
+		eerror " 8. slapadd -l ${l}"
+		eerror " 9. chown ldap:ldap /var/lib/openldap-data/*"
+		eerror "10. /etc/init.d/slapd start"
+		eerror "11. check that your data is intact."
+		eerror "12. set up the new replication system."
+		eerror ""
+		eerror "This install will not proceed until your old data directory"
+		eerror "is at least moved out of the way."
+		exit 1
+	fi
+	openldap_upgrade_warning
+}
+
+pkg_preinst() {
+	openldap_upgrade_warning
+	enewgroup ldap 439
+	enewuser ldap 439 /bin/false /usr/$(get_libdir)/openldap ldap
+}
+
+src_unpack() {
+	unpack ${A}
+
+	# According to MDK, the link order needs to be changed so that
+	# on systems w/ MD5 passwords the system crypt library is used
+	# (the net result is that "passwd" can be used to change ldap passwords w/
+	#  proper pam support)
+	sed -i -e 's/$(SECURITY_LIBS) $(LDIF_LIBS) $(LUTIL_LIBS)/$(LUTIL_LIBS) $(SECURITY_LIBS) $(LDIF_LIBS)/' \
+		${S}/servers/slapd/Makefile.in
+
+	# Fix up DB-4.0 linking problem
+	# remember to autoconf! this expands configure by 500 lines (4 lines to m4
+	# stuff).
+	EPATCH_OPTS="-p1 -d ${S}" epatch ${FILESDIR}/${PN}-2.2.14-db40.patch
+
+	# supersedes old fix for bug #31202
+	EPATCH_OPTS="-p1 -d ${S}" epatch ${FILESDIR}/${PN}-2.2.14-perlthreadsfix.patch
+
+	# Security bug #96767 
+	# http://bugzilla.padl.com/show_bug.cgi?id=210
+	EPATCH_OPTS="-p1 -d ${S}" epatch ${FILESDIR}/${PN}-2.2.26-tls-fix-connection-test.patch
+
+	# ensure correct SLAPI path by default
+	sed -i -e 's,\(#define LDAPI_SOCK\).*,\1 "/var/run/openldap/slapd.sock",' \
+		${S}/include/ldap_defaults.h
+
+	# fix up some automake stuff
+	#sed -i -e 's,^AC_CONFIG_HEADER,AM_CONFIG_HEADER,' ${S}/configure.in
+
+	# fix up stuff for newer autoconf that simulates autoconf-2.13, but doesn't
+	# do it perfectly.
+	cd ${S}/build
+	ln -s shtool install
+	ln -s shtool install.sh
+
+	# reconf for db40 fixes.
+	cd ${S}
+	export WANT_AUTOMAKE="1.4"
+	export WANT_AUTOCONF="2.1"
+	einfo "Running libtoolize"
+	libtoolize --copy --force
+	#einfo "Running automake"
+	#automake --add-missing || die "automake failed"
+	#einfo "Running aclocal"
+	#aclocal || die "aclocal failed"
+	einfo "Running autoconf"
+	autoconf || die "autoconf failed"
+}
+
+src_compile() {
+	local myconf
+
+	# HDB is only available with BerkDB
+	myconf_berkdb='--enable-bdb --with-ldbm-api=berkeley --enable-hdb=mod'
+	myconf_gdbm='--disable-bdb --with-ldbm-api=gdbm --disable-hdb'
+
+	use debug && myconf="${myconf} --enable-debug" # there is no disable-debug
+
+	# enable slapd/slurpd servers if not doing a minimal build
+	if ! use minimal; then
+		myconf="${myconf} --enable-slapd --enable-slurpd"
+		# base backend stuff
+		myconf="${myconf} --enable-ldbm"
+		if use berkdb; then
+			einfo "Using Berkeley DB for local backend"
+			myconf="${myconf} ${myconf_berkdb}"
+		elif use gdbm; then
+			einfo "Using GDBM for local backend"
+			myconf="${myconf} ${myconf_gdbm}"
+		else
+			ewarn "Neither gdbm or berkdb USE flags present, falling back to"
+			ewarn "Berkeley DB for local backend"
+			myconf="${myconf} ${myconf_berkdb}"
+		fi
+		# extra backend stuff
+		myconf="${myconf} --enable-passwd=mod --enable-phonetic=mod"
+		myconf="${myconf} --enable-dnssrv=mod --enable-ldap"
+		myconf="${myconf} --enable-meta=mod --enable-monitor=mod"
+		myconf="${myconf} --enable-null=mod --enable-shell=mod"
+		myconf="${myconf} `use_enable perl perl mod`"
+		myconf="${myconf} `use_enable odbc sql mod`"
+		# slapd options
+		myconf="${myconf} `use_enable crypt` `use_enable slp`"
+		myconf="${myconf} --enable-rewrite --enable-rlookups"
+		myconf="${myconf} --enable-aci --enable-modules"
+		myconf="${myconf} --enable-cleartext --enable-slapi"
+		myconf="${myconf} `use_with samba lmpasswd`"
+		# disabled options:
+		# --with-bdb-module=dynamic
+		# alas, for BSD only:
+		# --with-fetch
+		# slapd overlay options
+		myconf="${myconf} --enable-dyngroup --enable-proxycache"
+	else
+		myconf="${myconf} --disable-slapd --disable-slurpd"
+		myconf="${myconf} --disable-bdb --disable-monitor"
+		myconf="${myconf} --disable-slurpd"
+	fi
+	# basic functionality stuff
+	myconf="${myconf} --enable-syslog --enable-dynamic"
+	myconf="${myconf} --enable-local --enable-proctitle"
+
+	myconf="${myconf} `use_enable ipv6` `use_enable readline`"
+	myconf="${myconf} `use_with sasl cyrus-sasl` `use_enable sasl spasswd`"
+	myconf="${myconf} `use_enable tcpd wrappers` `use_with ssl tls`"
+
+	if [ $(get_libdir) != "lib" ] ; then
+		append-ldflags -L/usr/$(get_libdir)
+	fi
+
+	econf \
+		--enable-static \
+		--enable-shared \
+		--libexecdir=/usr/$(get_libdir)/openldap \
+		${myconf} || die "configure failed"
+
+	make depend || die "make depend failed"
+	make || die "make failed"
+
+	# special kerberos stuff
+	tc-export CC
+	if ! use minimal && use kerberos ; then
+		cd ${S}/contrib/slapd-modules/passwd/ && \
+		${CC} -shared -I../../../include ${CFLAGS} -fPIC \
+		-DHAVE_KRB5 -o pw-kerberos.so kerberos.c || \
+		die "failed to compile kerberos module"
+	fi
+
+	# now build old compat lib
+	cd ${OLD_S} && \
+	econf \
+		--enable-static --enable-shared \
+		--libexecdir=/usr/$(get_libdir)/openldap \
+		--disable-slapd --disable-aci --disable-cleartext --disable-crypt \
+		--disable-lmpasswd --disable-spasswd --enable-modules \
+		--disable-phonetic --disable-rewrite --disable-rlookups --disable-slp \
+		--disable-wrappers --disable-bdb --disable-dnssrv --disable-ldap \
+		--disable-ldbm --disable-meta --disable-monitor --disable-null \
+		--disable-passwd --disable-perl --disable-shell --disable-sql \
+		--disable-slurpd || die "configure-2.1 failed"
+	make depend || die "make-2.1 depend failed"
+	cd ${OLD_S}/libraries/liblber && make liblber.la || die "make-2.1 liblber.la failed"
+	cd ${OLD_S}/libraries/libldap && make libldap.la || die "make-2.1 libldap.la failed"
+	cd ${OLD_S}/libraries/libldap_r && make libldap_r.la || die "make-2.1 libldap_r.la failed"
+}
+
+src_test() {
+	einfo "Doing tests"
+	cd tests ; make tests || die "make tests failed"
+}
+
+src_install() {
+	make DESTDIR=${D} install || die "make install failed"
+
+	dodoc ANNOUNCEMENT CHANGES COPYRIGHT README LICENSE
+	docinto rfc ; dodoc doc/rfc/*.txt
+
+	# openldap modules go here
+	# TODO: write some code to populate slapd.conf with moduleload statements
+	keepdir /usr/$(get_libdir)/openldap/openldap/
+
+	# make state directories
+	for x in data slurp ldbm; do
+		keepdir /var/lib/openldap-${x}
+		fowners ldap:ldap /var/lib/openldap-${x}
+		fperms 0700 /var/lib/openldap-${x}
+	done
+
+	echo "OLDPF='${PF}'" >${D}${OPENLDAP_VERSIONTAG}
+	echo "# do NOT delete this. it is used" >>${D}${OPENLDAP_VERSIONTAG}
+	echo "# to track versions for upgrading." >>${D}${OPENLDAP_VERSIONTAG}
+
+	# manually remove /var/tmp references in .la
+	# because it is packaged with an ancient libtool
+	for x in ${D}/usr/$(get_libdir)/lib*.la; do
+		sed -i -e "s:-L${S}[/]*libraries::" ${x}
+	done
+
+	# change slapd.pid location in configuration file
+	keepdir /var/run/openldap
+	fowners ldap:ldap /var/run/openldap
+	fperms 0755 /var/run/openldap
+
+	if ! use minimal; then
+		# config modifications
+		for f in /etc/openldap/slapd.conf /etc/openldap/slapd.conf.default; do
+			sed -e "s:/var/lib/run/slapd.:/var/run/openldap/slapd.:" -i ${D}/${f}
+			sed -e "/database\tbdb$/acheckpoint	32	30 # <kbyte> <min>" -i ${D}/${f}
+			fowners root:ldap ${f}
+			fperms 0640 ${f}
+		done
+		# install our own init scripts
+		exeinto /etc/init.d
+		newexe ${FILESDIR}/2.0/slapd slapd
+		newexe ${FILESDIR}/2.0/slurpd slurpd
+		if [ $(get_libdir) != lib ]; then
+			sed -e "s,/usr/lib/,/usr/$(get_libdir)/," -i ${D}/etc/init.d/{slapd,slurpd}
+		fi
+		insinto /etc/conf.d
+		newins ${FILESDIR}/2.0/slapd.conf slapd
+		if use kerberos && [ -f ${S}/contrib/slapd-modules/passwd/pw-kerberos.so ]; then
+			insinto /usr/$(get_libdir)/openldap/openldap
+			doins ${S}/contrib/slapd-modules/passwd/pw-kerberos.so || \
+			die "failed to install kerberos passwd module"
+		fi
+	fi
+
+	# install MDK's ssl cert script
+	if use ssl || use samba; then
+		dodir /etc/openldap/ssl
+		exeinto /etc/openldap/ssl
+		newexe ${FILESDIR}/gencert.sh-2.2.27 gencert.sh
+	fi
+
+	dolib.so ${OLD_S}/libraries/liblber/.libs/liblber.so.2.0.130 || \
+	die "failed to install old liblber"
+	dolib.so ${OLD_S}/libraries/libldap/.libs/libldap.so.2.0.130 || \
+	die "failed to install old libldap"
+	dolib.so ${OLD_S}/libraries/libldap_r/.libs/libldap_r.so.2.0.130 || \
+	die "failed to install old libldap_r"
+}
+
+pkg_postinst() {
+	if use ssl; then
+		# make a self-signed ssl cert (if there isn't one there already)
+		if [ ! -e /etc/openldap/ssl/ldap.pem ]
+		then
+			cd /etc/openldap/ssl
+			yes "" | sh gencert.sh
+			chmod 640 ldap.pem
+			chown root:ldap ldap.pem
+		else
+			einfo "An LDAP cert already appears to exist, no creating"
+		fi
+	fi
+
+	# Since moving to running openldap as user ldap there are some
+	# permissions problems with directories and files.
+	# Let's make sure these permissions are correct.
+	chown ldap:ldap /var/run/openldap
+	chmod 0755 /var/run/openldap
+	chown root:ldap /etc/openldap/slapd.conf{,.default}
+	chmod 0640 /etc/openldap/slapd.conf{,.default}
+	chown ldap:ldap /var/lib/openldap-{data,ldbm,slurp}
+
+	if use ssl; then
+		ewarn "Self-signed SSL certificates are treated harshly by OpenLDAP 2.[12]"
+		ewarn "add 'TLS_REQCERT never' if you want to use them."
+	fi
+	openldap_upgrade_warning
+}