This disables a flaky tests which sometimes fails
(most likely due to some race condition).
It's also disabled for Debian since 2.5.13:
https://launchpad.net/debian/+source/openldap/2.5.13+dfsg-3
For reference, the failure looks like this:
>>>>> 00:13:52 Starting test063-delta-multiprovider for mdb...
running defines.sh
Initializing server configurations...
Starting server 1 on TCP/IP port 9011...
Using ldapsearch to check that server 1 is running...
Using ldapadd for context on server 1...
Starting server 2 on TCP/IP port 9012...
Using ldapsearch to check that server 2 is running...
Starting server 3 on TCP/IP port 9013...
Using ldapsearch to check that server 3 is running...
Starting server 4 on TCP/IP port 9014...
Using ldapsearch to check that server 4 is running...
Using ldapadd to populate server 1...
Waiting 7 seconds for syncrepl to receive changes...
Using ldapsearch to read all the entries from server 1...
Using ldapsearch to read all the entries from server 2...
Using ldapsearch to read all the entries from server 3...
Using ldapsearch to read all the entries from server 4...
Comparing retrieved entries from server 1 and server 2...
Comparing retrieved entries from server 1 and server 3...
Comparing retrieved entries from server 1 and server 4...
test failed - server 1 and server 4 databases differ
>>>>> 00:14:25 Failed test063-delta-multiprovider for mdb after 33 seconds
(exit 1)
make[2]: *** [Makefile:320: mdb-yes] Error 1
make[2]: Leaving directory '/build/openldap-2.6.4/tests'
make[1]: *** [Makefile:287: test] Error 2
make[1]: Leaving directory '/build/openldap-2.6.4/tests'
make: *** [Makefile:298: test] Error 2
error: builder for '/nix/store/ypmpgzfjc992x24h8ga7xvbmk24qbfml-openldap-2.6.4.drv' failed with exit code 2;
with structuredAttrs lists will be bash arrays which cannot be exported
which will be a issue with some patches and some wrappers like cc-wrapper
this makes it clearer that NIX_CFLAGS_COMPILE must be a string as lists
in env cause a eval failure
https://hydra.nixos.org/build/195641103
This essentially partially reverts dd331ad167.
I don't expect issues, as libxcrypt it meant to replace parts dropped
from glibc which's never been used on *-darwin anyway.
We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
By default, this is /run/ldapi, which is not compatible with systemd's
runtime directories. Change it to /run/slapd/ldapi (in library and
server). This makes `ldapi:///` work as a default socket again.
These patches are from the 2.6 support branch and will hence make it
into 2.6.3 at a later point. At this point however, I cannot use slapd
as a syncrepl slave because it segfaults on startup. This also fixes
parallel build.
At some point, I'd like to make another attempt at
71f1f4884b ("openssl: stop static binaries referencing libs"), which
was reverted in 195c7da07d. One problem with my previous attempt is
that I moved OpenSSL's libraries to a lib output, but many dependent
packages were hardcoding the out output as the location of the
libraries. This patch fixes every such case I could find in the tree.
It won't have any effect immediately, but will mean these packages
will automatically use an OpenSSL lib output if it is reintroduced in
future.
This patch should cause very few rebuilds, because it shouldn't make
any change at all to most packages I'm touching. The few rebuilds
that are introduced come from when I've changed a package builder not
to use variable names like openssl.out in scripts / substitution
patterns, which would be confusing since they don't hardcode the
output any more.
I started by making the following global replacements:
${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib
${openssl.out}/lib -> ${lib.getLib openssl}/lib
Then I removed the ".out" suffix when part of the argument to
lib.makeLibraryPath, since that function uses lib.getLib internally.
Then I fixed up cases where openssl was part of the -L flag to the
compiler/linker, since that unambigously is referring to libraries.
Then I manually investigated and fixed the following packages:
- pycurl
- citrix-workspace
- ppp
- wraith
- unbound
- gambit
- acl2
I'm reasonably confindent in my fixes for all of them.
For acl2, since the openssl library paths are manually provided above
anyway, I don't think openssl is required separately as a build input
at all. Removing it doesn't make a difference to the output size, the
file list, or the closure.
I've tested evaluation with the OfBorg meta checks, to protect against
introducing evaluation failures.
argon2 is the recommended password hashing function, and the module is
included with OpenLDAP contrib.
This change enables argon2 hashes by default in our OpenLDAP package.
The install command for argon2 needs to be install-lib, as it otherwise
tries to install manpages to /usr, which fails.
Fixes: CVE-2020-12243
In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters
with nested boolean expressions can result in denial of service
(daemon crash).
