From 39ef6322b5b9dcddaee2a1caf7b07c09747784a2 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 18 May 2022 02:57:29 +0200 Subject: [PATCH] openldap: 2.4.58 -> 2.6.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/ANNOUNCEMENT https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6/ANNOUNCEMENT Co-Authored-By: Andreas Schrägle --- .../from_md/release-notes/rl-2205.section.xml | 12 ++ .../manual/release-notes/rl-2205.section.md | 2 + .../libraries/openldap/default.nix | 120 ++++++++++-------- 3 files changed, 84 insertions(+), 50 deletions(-) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index c0f36fcfd35..c4f7d64d97b 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -672,6 +672,18 @@ the IPv6 loopback address (::1). + + + openldap (and therefore the slapd LDAP + server) were updated to version 2.6.2. The project introduced + backwards-incompatible changes, namely the removal of the bdb, + hdb, ndb, and shell backends in slapd. Therefore before + updating, dump your database slapcat -n 1 + in LDIF format, and reimport it after updating your + services.openldap.settings, which + represents your cn=config. + + openssh has been update to 8.9p1, changing diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 5902957a535..f07439d34a1 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -238,6 +238,8 @@ In addition to numerous new and upgraded packages, this release has the followin - In the ncdns module, the default value of `services.ncdns.address` has been changed to the IPv6 loopback address (`::1`). +- `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`. + - `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface. - `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding `openssh` to it or switching to `gitFull`. diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix index 4ecfc569ae1..44afffc7204 100644 --- a/pkgs/development/libraries/openldap/default.nix +++ b/pkgs/development/libraries/openldap/default.nix 
@@ -1,33 +1,48 @@ -{ lib, stdenv, fetchurl, openssl, db, groff, libtool, libsodium -, withCyrusSasl ? true +{ lib +, stdenv +, fetchurl + +# dependencies , cyrus_sasl +, db +, groff +, libsodium +, libtool +, openssl +, systemdMinimal }: stdenv.mkDerivation rec { pname = "openldap"; - version = "2.4.58"; + version = "2.6.2"; src = fetchurl { url = "https://www.openldap.org/software/download/OpenLDAP/openldap-release/${pname}-${version}.tgz"; - sha256 = "sha256-V7WSVL4V0L9qmrPVFMHAV3ewISMpFTMTSofJRGj49Hs="; + hash = "sha256-gdCTRSMutiSG7PWsrNLFbAxFtKbIwGZhLn9CGiOhz4c"; }; # TODO: separate "out" and "bin" - outputs = [ "out" "dev" "man" "devdoc" ]; + outputs = [ + "out" + "dev" + "man" + "devdoc" + ]; enableParallelBuilding = true; - nativeBuildInputs = [ groff ]; - - buildInputs = [ openssl cyrus_sasl db libsodium libtool ]; + nativeBuildInputs = [ + groff + ]; - # Disable install stripping as it breaks cross-compiling. - # We strip binaries anyway in fixupPhase. - makeFlags= [ - "STRIP=" - "prefix=$(out)" - "moduledir=$(out)/lib/modules" - "CC=${stdenv.cc.targetPrefix}cc" + buildInputs = [ + cyrus_sasl + db + libsodium + libtool + openssl + ] ++ lib.optionals (stdenv.isLinux) [ + systemdMinimal ]; preConfigure = lib.optionalString (lib.versionAtLeast stdenv.hostPlatform.darwinMinVersion "11") '' 
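Review bot: Dropping `withCyrusSasl ? true` from the function header removes a public override argument, so a downstream `openldap.override { withCyrusSasl = false; }` will now fail at evaluation, and the release-note entry in this patch does not mention it. Either keep the argument together with the `--without-cyrus-sasl` flag that the following hunk removes, or add a sentence about the removal to the release note. Separately, the new `hash` value is written without base64 padding; Nix appears to tolerate this, but the canonical SRI form is `hash = "sha256-gdCTRSMutiSG7PWsrNLFbAxFtKbIwGZhLn9CGiOhz4c=";`, which keeps the source pin directly comparable with prefetch tool output. The `stdenv.mkDerivation` body continues past the end of this hunk.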
@@ -35,56 +50,61 @@ stdenv.mkDerivation rec { ''; configureFlags = [ - "--enable-overlays" - "--disable-dependency-tracking" # speeds up one-time build - "--enable-modules" - "--sysconfdir=/etc" - "--localstatedir=/var" + "--enable-argon2" "--enable-crypt" + "--enable-modules" + "--enable-overlays" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "--with-yielding_select=yes" "ac_cv_func_memcmp_working=yes" - ] ++ lib.optional (!withCyrusSasl) "--without-cyrus-sasl" - ++ lib.optional stdenv.isFreeBSD "--with-pic"; + ] ++ lib.optional stdenv.isFreeBSD "--with-pic"; + + makeFlags= [ + "CC=${stdenv.cc.targetPrefix}cc" + "STRIP=" # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase. + "prefix=${placeholder "out"}" + "sysconfdir=${placeholder "out"}/etc" + "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system" + # contrib modules require these + "moduledir=${placeholder "out"}/lib/modules" + "mandir=${placeholder "out"}/share/man" + ]; + + extraContribModules = [ + # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules + "passwd/sha2" + "passwd/pbkdf2" + "passwd/totp" + ]; postBuild = '' - make $makeFlags CC=$CC -C contrib/slapd-modules/passwd/sha2 - make $makeFlags CC=$CC -C contrib/slapd-modules/passwd/pbkdf2 - make $makeFlags CC=$CC -C contrib/slapd-modules/passwd/argon2 + for module in ${lib.concatStringsSep " " extraContribModules}; do + make $makeFlags CC=$CC -C contrib/slapd-modules/$module + done ''; - doCheck = false; # needs a running LDAP server + preCheck = '' + substituteInPlace tests/scripts/all \ + --replace "/bin/rm" "rm" + ''; - installFlags = [ - "sysconfdir=$(out)/etc" - "localstatedir=$(out)/var" - "moduledir=$(out)/lib/modules" - # The argon2 module hardcodes /usr/bin/install as the path for the - # `install` binary, which is overridden here. - "INSTALL=install" - ]; + doCheck = true; - # 1. 
Libraries left in the build location confuse `patchelf --shrink-rpath` - # Delete these to let patchelf discover the right path instead. - # FIXME: that one can be removed when https://github.com/NixOS/patchelf/pull/98 - # is in Nixpkgs patchelf. - # 2. Fixup broken libtool for openssl and cyrus_sasl (if it is not disabled) + # The directory is empty and serve no purpose. preFixup = '' rm -r $out/var - rm -r libraries/*/.libs - rm -r contrib/slapd-modules/passwd/*/.libs - for f in $out/lib/libldap.la $out/lib/libldap_r.la; do - substituteInPlace "$f" --replace '-lssl' '-L${lib.getLib openssl}/lib -lssl' - '' + lib.optionalString withCyrusSasl '' - substituteInPlace "$f" --replace '-lsasl2' '-L${cyrus_sasl.out}/lib -lsasl2' - '' + '' - done ''; + installFlags = [ + "prefix=${placeholder "out"}" + "moduledir=${placeholder "out"}/lib/modules" + "INSTALL=install" + ]; + postInstall = '' - make $installFlags install -C contrib/slapd-modules/passwd/sha2 - make $installFlags install -C contrib/slapd-modules/passwd/pbkdf2 - make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2 + for module in ${lib.concatStringsSep " " extraContribModules}; do + make $installFlags install -C contrib/slapd-modules/$module + done chmod +x "$out"/lib/*.{so,dylib} '';
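Review bot: The configuration path compiled into libldap and slapd probably moves from `/etc` into the read-only store output here, because `--sysconfdir=/etc` is removed from `configureFlags` and `makeFlags` now passes `sysconfdir=${placeholder "out"}/etc` at build time. If so, a system-wide `/etc/openldap/ldap.conf`, where client TLS settings such as `TLS_CACERT` and `TLS_REQCERT` normally live, would silently stop being read by LDAP clients linked against this package. Consider keeping `"sysconfdir=/etc"` in `makeFlags` and redirecting only at install time with `"sysconfdir=${placeholder "out"}/etc"` in `installFlags`. The removed `--localstatedir=/var` deserves the same check, since the default would presumably resolve to `$out/var`, which `preFixup` deletes. The derivation body starts before and ends after this hunk, so the effect on `meta` and any later phases is not visible from here.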