backport upstream patches

(cherry picked from commit d7d81d6f756dfd01e7468127b14968119a999cd3)

backport-ITS-10016-slapo-syncprov-fix-Abandon-with-active-qtask.patch

@@ -0,0 +1,124 @@
+From 5f934c8c457ffe906c844ab2313943ae9b66bc46 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 27 Feb 2023 15:01:23 +0000
+Subject: [PATCH] ITS#10016: slapo-syncprov: fix Abandon with active qtask
+
+---
+ servers/slapd/overlays/syncprov.c | 42 ++++++++++++++++++++++++++-----
+ 1 file changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index f62d6c63ea..44a6181410 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -871,6 +871,11 @@ static void free_resinfo( syncres *sr )
+ 
+ #define FS_UNLINK	1
+ #define FS_LOCK		2
++#define FS_DEFER	4
++
++#define FSR_NOTFREE	0
++#define FSR_DIDFREE	1
++#define FSR_CANFREE	2
+ 
+ static int
+ syncprov_free_syncop( syncops *so, int flags )
+@@ -881,12 +886,19 @@ syncprov_free_syncop( syncops *so, int flags )
+ 	if ( flags & FS_LOCK )
+ 		ldap_pvt_thread_mutex_lock( &so->s_mutex );
+ 	/* already being freed, or still in use */
+-	if ( !so->s_inuse || --so->s_inuse > 0 ) {
++	if ( !so->s_inuse || so->s_inuse > 1 ) {
+ 		if ( flags & FS_LOCK )
+ 			ldap_pvt_thread_mutex_unlock( &so->s_mutex );
+-		return 0;
++		if ( !( flags & FS_DEFER ) && so->s_inuse )
++			so->s_inuse--;
++		return FSR_NOTFREE;
+ 	}
+ 	ldap_pvt_thread_mutex_unlock( &so->s_mutex );
++
++	/* caller wants to cleanup other stuff before actual free */
++	if ( flags & FS_DEFER )
++		return FSR_CANFREE;
++
+ 	if (( flags & FS_UNLINK ) && so->s_si ) {
+ 		syncops **sop;
+ 		ldap_pvt_thread_mutex_lock( &so->s_si->si_ops_mutex );
+@@ -914,7 +926,7 @@ syncprov_free_syncop( syncops *so, int flags )
+ 	}
+ 	ldap_pvt_thread_mutex_destroy( &so->s_mutex );
+ 	ch_free( so );
+-	return 1;
++	return FSR_DIDFREE;
+ }
+ 
+ /* Send a persistent search response */
+@@ -1029,6 +1041,9 @@ syncprov_qplay( Operation *op, syncops *so )
+ 			} else {
+ 				rc = syncprov_sendresp( op, sr->s_info, so, sr->s_mode );
+ 			}
++		} else {
++			/* set rc so we don't do a new qstart */
++			rc = 1;
+ 		}
+ 
+ 		free_resinfo( sr );
+@@ -1055,6 +1070,9 @@ syncprov_qplay( Operation *op, syncops *so )
+ 	return rc;
+ }
+ 
++static int
++syncprov_drop_psearch( syncops *so, int lock );
++
+ /* task for playing back queued responses */
+ static void *
+ syncprov_qtask( void *ctx, void *arg )
+@@ -1063,7 +1081,7 @@ syncprov_qtask( void *ctx, void *arg )
+ 	OperationBuffer opbuf;
+ 	Operation *op;
+ 	BackendDB be;
+-	int rc;
++	int rc, flag, frc;
+ 
+ 	op = &opbuf.ob_op;
+ 	*op = *so->s_op;
+@@ -1092,14 +1110,24 @@ syncprov_qtask( void *ctx, void *arg )
+ 	if ( !rc && !so->s_res )
+ 		rc = 1;
+ 
++	flag = FS_UNLINK;
++	if ( rc && op->o_abandon )
++		flag = FS_DEFER;
++
+ 	/* decrement use count... */
+-	if ( !syncprov_free_syncop( so, FS_UNLINK )) {
++	frc = syncprov_free_syncop( so, flag );
++	if ( frc == FSR_NOTFREE ) {
+ 		if ( rc )
+ 			/* if we didn't unlink, and task is no longer queued, clear flag */
+ 			so->s_flags ^= PS_TASK_QUEUED;
+ 		ldap_pvt_thread_mutex_unlock( &so->s_mutex );
+ 	}
+ 
++	/* if we got abandoned while processing, cleanup now */
++	if ( frc == FSR_CANFREE ) {
++		syncprov_drop_psearch( so, 1 );
++	}
++
+ 	return NULL;
+ }
+ 
+@@ -1274,7 +1302,9 @@ syncprov_op_abandon( Operation *op, SlapReply *rs )
+ 				return SLAP_CB_CONTINUE;
+ 			}
+ 		}
+-		syncprov_drop_psearch( so, 0 );
++		/* if task is active, it must drop itself */
++		if ( !( so->s_flags & PS_TASK_QUEUED ))
++			syncprov_drop_psearch( so, 0 );
+ 	}
+ 	return SLAP_CB_CONTINUE;
+ }
+-- 
+GitLab

backport-ITS-10028-crash-with-pwdMinDelay.patch

@@ -0,0 +1,27 @@
+From 0e409f49ec9a83d7259f9a671e85125d4d724144 Mon Sep 17 00:00:00 2001
+From: HAMANO Tsukasa <code@cuspy.org>
+Date: Fri, 24 Mar 2023 11:24:15 +0900
+Subject: [PATCH] ITS#10028 - crash with pwdMinDelay
+
+---
+ servers/slapd/overlays/ppolicy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+index 0271dde6a7..d4032cc7d3 100644
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -1868,7 +1868,8 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
+ 		} else if ( ppb->pp.pwdMinDelay ) {
+ 			int waittime = ppb->pp.pwdMinDelay << fc;
+ 			time_t wait_end;
+-			struct berval lockout_stamp;
++			char lockout_stamp_buf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
++			struct berval lockout_stamp = BER_BVC(lockout_stamp_buf);
+ 
+ 			if ( waittime > ppb->pp.pwdMaxDelay ) {
+ 				waittime = ppb->pp.pwdMaxDelay;
+-- 
+GitLab
+
+

backport-ITS-10035-Fix-setting-TLSv1.3-ciphersuite.patch

@@ -0,0 +1,24 @@
+From 818e2a5455bac1db029124b5aabc8b03415f917b Mon Sep 17 00:00:00 2001
+From: Ian Puleston <ipuleston@sonicwall.com>
+Date: Thu, 30 Mar 2023 13:04:50 -0700
+Subject: [PATCH] ITS#10035 Fix setting TLSv1.3 ciphersuite
+
+---
+ libraries/libldap/tls_o.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 0a74ffa7f9..8f1d84efa1 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -335,7 +335,7 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+ 				if ( !strncmp( ver, "TLSv", 4 ) && strncmp( ver+4, "1.3", 3 ) >= 0 ) {
+ 					if ( tls13_suites[0] )
+ 						ts = tlso_stecpy( ts, ":", te );
+-					ts = tlso_stecpy( ts, sname, te );
++					ts = tlso_stecpy( ts, nptr, te );
+ 				}
+ 			}
+ 		}
+-- 
+GitLab

backport-ITS-10091-Do-not-allow-dynlist-being-configured-as-global.patch

@@ -0,0 +1,28 @@
+From 02975a3dc769d0ffa60b07d91f5903bd719a6c9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Tue, 15 Aug 2023 13:07:46 +0100
+Subject: [PATCH] ITS#10091 Do not allow dynlist being configured as global
+
+---
+ servers/slapd/overlays/dynlist.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c
+index 10cacf9798..b552353a7d 100644
+--- a/servers/slapd/overlays/dynlist.c
++++ b/servers/slapd/overlays/dynlist.c
+@@ -2740,6 +2740,11 @@ dynlist_db_init(
+ 	slap_overinst *on = (slap_overinst *)be->bd_info;
+ 	dynlist_gen_t *dlg;
+ 
++	if ( SLAP_ISGLOBALOVERLAY( be ) ) {
++		Debug( LDAP_DEBUG_ANY, "dynlist cannot be used as global overlay.\n" );
++		return 1;
++	}
++
+ 	dlg = (dynlist_gen_t *)ch_malloc( sizeof( *dlg ));
+ 	on->on_bi.bi_private = dlg;
+ 	dlg->dlg_dli = NULL;
+-- 
+GitLab
+

backport-ITS-7226-Make-olcAuditlogFile-SINGLE-VALUE.patch

@@ -0,0 +1,25 @@
+From 242d1e6d623dbb2ac0295ae17a54a674b1b356cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 21 Aug 2023 12:19:16 +0100
+Subject: [PATCH] ITS#7226 Make olcAuditlogFile SINGLE-VALUE
+
+---
+ servers/slapd/overlays/auditlog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/auditlog.c b/servers/slapd/overlays/auditlog.c
+index 9292d4aa8b..43a5c15a41 100644
+--- a/servers/slapd/overlays/auditlog.c
++++ b/servers/slapd/overlays/auditlog.c
+@@ -44,7 +44,7 @@ static ConfigTable auditlogcfg[] = {
+ 	  "( OLcfgOvAt:15.1 NAME 'olcAuditlogFile' "
+ 	  "DESC 'Filename for auditlogging' "
+ 	  "EQUALITY caseExactMatch "
+-	  "SYNTAX OMsDirectoryString )", NULL, NULL },
++	  "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
+ };
+ 
+-- 
+GitLab
+

openldap.spec

@@ -2,7 +2,7 @@
 
 Name:           openldap
 Version:        2.6.0
-Release:        7
+Release:        8
 Summary:        LDAP support libraries
 License:        Open LDAP Public License v2.8
 URL:            https://www.openldap.org/
@@ -67,6 +67,12 @@ Patch6036:      backport-ITS-9898-tests-fix-slapd-addel-non-std-syntax.patch
 Patch6037:      backport-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
 Patch6038:      backport-ITS-9904-check-for-strdup-failure.patch
 
+Patch6039:      backport-ITS-10016-slapo-syncprov-fix-Abandon-with-active-qtask.patch
+Patch6040:      backport-ITS-10028-crash-with-pwdMinDelay.patch
+Patch6041:      backport-ITS-10035-Fix-setting-TLSv1.3-ciphersuite.patch
+Patch6042:      backport-ITS-7226-Make-olcAuditlogFile-SINGLE-VALUE.patch
+Patch6043:      backport-ITS-10091-Do-not-allow-dynlist-being-configured-as-global.patch
+
 
 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
 BuildRequires:  glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@@ -181,6 +187,11 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch6036 -p1
 %patch6037 -p1
 %patch6038 -p1
+%patch6039 -p1
+%patch6040 -p1
+%patch6041 -p1
+%patch6042 -p1
+%patch6043 -p1
 
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@@ -467,6 +478,12 @@ popd
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
 
 %changelog
+* Wed Jan 10 2024 liubo <liubo335@huawei.com> - 2.6.0-8
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:backport patch
+
 * Mon Jul 24 2023 sunhai <sunhai10@huawei.com> - 2.6.0-7
 - Type:bugfix
 - ID:NA