!117 sync some patches from upstream

From: @yangl777 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw

backport-ITS-10193-Asyncmeta-starts-more-than-one-timeout-loo.patch

@@ -0,0 +1,64 @@
+From 729a604192edd2943e1464de998626c76b808ebd Mon Sep 17 00:00:00 2001
+From: Nadezhda Ivanova <nivanova@symas.com>
+Date: Tue, 2 Apr 2024 13:34:07 +0300
+Subject: [PATCH 1/1] ITS#10193 Asyncmeta starts more than one timeout loop per
+ database and slaptest crashes
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/729a604192edd2943e1464de998626c76b808ebd
+Conflict:NA
+
+---
+ servers/slapd/back-asyncmeta/config.c | 9 ++++++---
+ servers/slapd/back-asyncmeta/init.c   | 2 +-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/back-asyncmeta/config.c b/servers/slapd/back-asyncmeta/config.c
+index fbc9681418..aae054ab0a 100644
+--- a/servers/slapd/back-asyncmeta/config.c
++++ b/servers/slapd/back-asyncmeta/config.c
+@@ -497,7 +497,8 @@ asyncmeta_cfadd( Operation *op, SlapReply *rs, Entry *p, ConfigArgs *c )
+ static int
+ asyncmeta_back_new_target(
+ 	a_metatarget_t	**mtp,
+-	a_metainfo_t     *mi )
++	a_metainfo_t     *mi,
++	BackendDB        *db )
+ {
+ 	a_metatarget_t		*mt;
+ 
+@@ -516,7 +517,9 @@ asyncmeta_back_new_target(
+ 	mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
+ 
+ 	*mtp = mt;
+-
++	if ( !SLAP_DBOPEN(db) || !(slapMode & SLAP_SERVER_MODE)) {
++		return 0;
++	}
+ 	for ( i = 0; i < mi->mi_num_conns; i++ ) {
+ 		a_metaconn_t *mc = &mi->mi_conns[i];
+ 		mc->mc_conns = ch_realloc( mc->mc_conns, sizeof( a_metasingleconn_t ) * mi->mi_ntargets);
+@@ -1907,7 +1910,7 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
+ 			return 1;
+ 		}
+ 
+-		if ( asyncmeta_back_new_target( &mi->mi_targets[ i ], mi ) != 0 ) {
++		if ( asyncmeta_back_new_target( &mi->mi_targets[ i ], mi, c->be ) != 0 ) {
+ 			snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ 				"unable to init server"
+ 				" in \"%s <protocol>://<server>[:port]/<naming context>\"",
+diff --git a/servers/slapd/back-asyncmeta/init.c b/servers/slapd/back-asyncmeta/init.c
+index 5c8016fb2b..45fccf03ec 100644
+--- a/servers/slapd/back-asyncmeta/init.c
++++ b/servers/slapd/back-asyncmeta/init.c
+@@ -275,7 +275,7 @@ asyncmeta_back_db_open(
+ 	
+ 	ber_dupbv ( &mi->mi_suffix, &be->be_suffix[0] );
+ 
+-	if ( mi->mi_ntargets > 0 ) {
++	if ( ( slapMode & SLAP_SERVER_MODE ) && mi->mi_ntargets > 0 ) {
+ 		ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+ 		mi->mi_task = ldap_pvt_runqueue_insert( &slapd_rq, 1,
+ 							asyncmeta_timeout_loop, mi, "asyncmeta_timeout_loop", mi->mi_suffix.bv_val );
+-- 
+2.33.0
+

backport-ITS-10204-slapo-constraint-fix-double-free-on-invali.patch

@@ -0,0 +1,28 @@
+From 6d5400a2c701125c71d907988ef57130c038759c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 30 Apr 2024 15:55:01 +0100
+Subject: [PATCH 1/1] ITS#10204 slapo-constraint: fix double-free on invalid
+ attr
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/6d5400a2c701125c71d907988ef57130c038759c
+Conflict:NA
+
+---
+ servers/slapd/overlays/constraint.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
+index 0d6156af4d..9622c29929 100644
+--- a/servers/slapd/overlays/constraint.c
++++ b/servers/slapd/overlays/constraint.c
+@@ -369,6 +369,7 @@ constraint_cf_gen( ConfigArgs *c )
+ 						ap.attrs[i] = NULL;
+ 						if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
+ 							ch_free( ap.attrs );
++							ap.attrs = NULL;
+ 							snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ 								"%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
+ 							rc = ARG_BAD_CONF;
+-- 
+2.33.0
+

backport-ITS-10211-slapd-Fix-peercred-uid-and-gid-format.patch

@@ -0,0 +1,34 @@
+From bf01750381726db3052d94514eec4048c90a616a Mon Sep 17 00:00:00 2001
+From: Nick Porter <nick@portercomputing.co.uk>
+Date: Thu, 2 May 2024 08:48:14 +0100
+Subject: [PATCH 1/1] ITS#10211 slapd: Fix peercred uid and gid format
+
+uid and gid are unsigned int and so should be formatted as such when
+creating the authid string.
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/bf01750381726db3052d94514eec4048c90a616a
+Conflict:NA
+
+---
+ servers/slapd/daemon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
+index 26e7e67619..8c2dd83efd 100644
+--- a/servers/slapd/daemon.c
++++ b/servers/slapd/daemon.c
+@@ -2270,9 +2270,9 @@ slap_listener(
+ 					STRLENOF( "gidNumber=4294967295+uidNumber=4294967295,"
+ 					"cn=peercred,cn=external,cn=auth" ) + 1 );
+ 				authid.bv_len = sprintf( authid.bv_val,
+-					"gidNumber=%d+uidNumber=%d,"
++					"gidNumber=%u+uidNumber=%u,"
+ 					"cn=peercred,cn=external,cn=auth",
+-					(int) gid, (int) uid );
++					gid, uid );
+ 				assert( authid.bv_len <=
+ 					STRLENOF( "gidNumber=4294967295+uidNumber=4294967295,"
+ 					"cn=peercred,cn=external,cn=auth" ) );
+-- 
+2.33.0
+

backport-ITS-10264-free-NoD-data-we-stored-locally.patch

@@ -0,0 +1,32 @@
+From 3f6cec3b467c78104e915642b41f7625f35518d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 2 Oct 2024 13:23:44 +0100
+Subject: [PATCH] ITS#10264 Free NoD data we stored locally
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/3f6cec3b467c78104e915642b41f7625f35518d8
+Conflict:no
+---
+ libraries/libldap/result.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index acbf51f55f..e9ac9f32b3 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -904,6 +904,13 @@ nextresp2:
+ 
+ 				if ( lr != &dummy_lr ) {
+ 					ldap_return_request( ld, lr, 1 );
++				} else {
++					if ( lr->lr_res_matched ) {
++						LDAP_FREE( lr->lr_res_matched );
++					}
++					if ( lr->lr_res_error ) {
++						LDAP_FREE( lr->lr_res_error );
++					}
+ 				}
+ 				lr = NULL;
+ 			}
+-- 
+GitLab
+

backport-ITS-8047-fix-tls-connection-timeout-handling.patch

@@ -0,0 +1,103 @@
+From d143f7a2dc82fb66e7741b93a1ae9e874ce2ac46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 21 Oct 2024 11:50:11 +0100
+Subject: [PATCH] ITS#8047 Fix TLS connection timeout handling
+
+The test for async in ldap_int_tls_start was inverted, we already
+support calling ldap_int_tls_connect repeatedly. And so long as
+LBER_SB_OPT_NEEDS_* are managed correctly, the application should be
+able to do the right thing.
+
+Might require a new result code rather than reporposing
+LDAP_X_CONNECTING for this.
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/d143f7a2dc82fb66e7741b93a1ae9e874ce2ac46
+Conflict:context conflict by https://git.openldap.org/openldap/openldap/-/commit/139944ac1e5fcf74e903e1e3d887fb8498c2fd1e
+---
+ libraries/libldap/ldap-int.h |  1 +
+ libraries/libldap/tls2.c     | 18 +++++++++++++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 2dae6ef..6827ec4 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -368,6 +368,7 @@ typedef struct ldap_conn {
+ #define LDAP_CONNST_NEEDSOCKET		1
+ #define LDAP_CONNST_CONNECTING		2
+ #define LDAP_CONNST_CONNECTED		3
++#define LDAP_CONNST_TLS_INPROGRESS	4
+ 	LDAPURLDesc		*lconn_server;
+ 	BerElement		*lconn_ber;	/* ber receiving on this conn. */
+ 
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 1fb6cff..3d3b5fd 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -383,6 +383,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
+ 		if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb !=
+ 			ld->ld_options.ldo_tls_connect_cb )
+ 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
++		conn->lconn_status = LDAP_CONNST_TLS_INPROGRESS;
+ 	}
+ 
+ 	/* pass hostname for SNI, but only if it's an actual name
+@@ -441,9 +442,11 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
+ 		ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
+ 			LBER_SBIOD_LEVEL_TRANSPORT );
+ #endif
++		conn->lconn_status = LDAP_CONNST_CONNECTED;
+ 		return -1;
+ 	}
+ 
++	conn->lconn_status = LDAP_CONNST_CONNECTED;
+ 	return 0;
+ }
+ 
+@@ -516,8 +519,9 @@ int
+ ldap_tls_inplace( LDAP *ld )
+ {
+ 	Sockbuf		*sb = NULL;
++	LDAPConn	*lc = ld->ld_defconn;
+ 
+-	if ( ld->ld_defconn && ld->ld_defconn->lconn_sb ) {
++	if ( lc && lc->lconn_sb ) {
+ 		sb = ld->ld_defconn->lconn_sb;
+ 
+ 	} else if ( ld->ld_sb ) {
+@@ -527,6 +531,10 @@ ldap_tls_inplace( LDAP *ld )
+ 		return 0;
+ 	}
+ 
++	if ( lc && lc->lconn_status == LDAP_CONNST_TLS_INPROGRESS ) {
++		return 0;
++	}
++
+ 	return ldap_pvt_tls_inplace( sb );
+ }
+ 
+@@ -1159,6 +1167,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 	  */
+ 	while ( ret > 0 ) {
+ 		if ( async ) {
++			ld->ld_errno = LDAP_X_CONNECTING;
++			return (ld->ld_errno);
++		} else {
+ 			struct timeval curr_time_tv, delta_tv;
+ 			int wr=0;
+ 
+@@ -1217,6 +1228,11 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 		ret = ldap_int_tls_connect( ld, conn, host );
+ 	}
+ 
++	if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
++		/* Restore original sb status */
++		ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)0 );
++	}
++
+ 	if ( ret < 0 ) {
+ 		if ( ld->ld_errno == LDAP_SUCCESS )
+ 			ld->ld_errno = LDAP_CONNECT_ERROR;
+-- 
+2.33.0
+

backport-ITS-9037-mdb_page_search-fix-error-code-when-DBI-rec.patch

@@ -0,0 +1,31 @@
+From 83dc42c5cab8999a5d9c20bf696b03d657170c51 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 26 Mar 2024 14:50:17 +0000
+Subject: [PATCH 1/1] ITS#9037 mdb_page_search: fix error code when DBI record
+ is missing
+
+Use the more relevant MDB_BAD_DBI instead of MDB_NOTFOUND error code
+
+Reference:https://git.openldap.org/openldap/openldap/-/commit/83dc42c5cab8999a5d9c20bf696b03d657170c51
+Conflict:NA
+
+---
+ libraries/liblmdb/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
+index 0570deab23..53e1b4c257 100644
+--- a/libraries/liblmdb/mdb.c
++++ b/libraries/liblmdb/mdb.c
+@@ -5701,7 +5701,7 @@ mdb_page_search(MDB_cursor *mc, MDB_val *key, int flags)
+ 					MDB_node *leaf = mdb_node_search(&mc2,
+ 						&mc->mc_dbx->md_name, &exact);
+ 					if (!exact)
+-						return MDB_NOTFOUND;
++						return MDB_BAD_DBI;
+ 					if ((leaf->mn_flags & (F_DUPDATA|F_SUBDATA)) != F_SUBDATA)
+ 						return MDB_INCOMPATIBLE; /* not a named DB */
+ 					rc = mdb_node_read(&mc2, leaf, &data);
+-- 
+2.33.0
+

backport-ITS-9898-tests-fix-slapd-addel-non-std-syntax.patch

@@ -1,29 +0,0 @@
-From 21abafcc9d040b0aa1cf7e47b76abc975e27dc68 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Tue, 9 Aug 2022 18:11:30 +0100
-Subject: [PATCH] ITS#9898 tests: fix slapd-addel non-std syntax
-
-Broken in f5bef58cae5e16d56c48b1efd55249fa7ce54cc6
----
- tests/progs/slapd-addel.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/progs/slapd-addel.c b/tests/progs/slapd-addel.c
-index ca007ce3f..f67c1fbde 100644
---- a/tests/progs/slapd-addel.c
-+++ b/tests/progs/slapd-addel.c
-@@ -65,9 +65,9 @@ main( int argc, char **argv )
- 	char *filename = NULL, *buf = NULL;
- 	int		friendly = 0;
- 	struct LDIFFP *fp;
--	LDIFRecord	record = {};
-+	LDIFRecord	record = {0};
- 	struct tester_conn_args	*config;
--	struct berval bv = {};
-+	struct berval bv = {0};
- 	unsigned long lineno = 0;
- 
- 	config = tester_init( "slapd-addel", TESTER_ADDEL );
--- 
-2.33.0
-

backport-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch

@@ -1,26 +0,0 @@
-From ea8dd2d279c5aeaf9d4672a4e95bebd99babcce1 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Wed, 24 Aug 2022 14:40:51 +0100
-Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
-
-Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
----
- libraries/libldap/fetch.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
-index 9e426dc64..536871bcf 100644
---- a/libraries/libldap/fetch.c
-+++ b/libraries/libldap/fetch.c
-@@ -69,6 +69,8 @@ ldif_open_url(
- 		}
- 
- 		p = ber_strdup( urlstr );
-+		if ( p == NULL )
-+			return NULL;
- 
- 		/* But we should convert to LDAP_DIRSEP before use */
- 		if ( LDAP_DIRSEP[0] != '/' ) {
--- 
-2.33.0
-

backport-fix-cve-2022-29155.patch

@@ -1,273 +0,0 @@
-From 87df6c19915042430540931d199a39105544a134 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Wed, 23 Mar 2022 12:43:31 +0000
-Subject: [PATCH] ITS#9815 slapd-sql: escape filter values
-
----
- servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
- 1 file changed, 105 insertions(+), 18 deletions(-)
-
-diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
-index 2168a1553b..d4177f6292 100644
---- a/servers/slapd/back-sql/search.c
-+++ b/servers/slapd/back-sql/search.c
-@@ -63,6 +63,38 @@ static void send_paged_response(
- 	ID  *lastid );
- #endif /* ! BACKSQL_ARBITRARY_KEY */
- 
-+/* Look for chars that need to be escaped, return count of them.
-+ * If out is non-NULL, copy escape'd val to it.
-+ */
-+static int
-+backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
-+{
-+	char *ptr, *end;
-+	int q = 0;
-+
-+	ptr = in->bv_val;
-+	end = ptr + in->bv_len;
-+	while (ptr < end) {
-+		if ( *ptr == '\'' )
-+			q++;
-+		ptr++;
-+	}
-+	if ( q && out ) {
-+		char *dst;
-+		out->bv_len = in->bv_len + q;
-+		out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
-+		ptr = in->bv_val;
-+		dst = out->bv_val;
-+		while (ptr < end ) {
-+			if ( *ptr == '\'' )
-+				*dst++ = '\'';
-+			*dst++ = *ptr++;
-+		}
-+		*dst = '\0';
-+	}
-+	return q;
-+}
-+
- static int
- backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
- {
-@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
- 	backsql_info		*bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
- 	int			i;
- 	int			casefold = 0;
-+	int			escaped = 0;
-+	struct berval	escval, *fvalue;
- 
- 	if ( !f ) {
- 		return 0;
-@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
- 
- 		BER_BVZERO( &bv );
- 		if ( f->f_sub_initial.bv_val ) {
--			bv.bv_len += f->f_sub_initial.bv_len;
-+			bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
- 		}
- 		if ( f->f_sub_any != NULL ) {
- 			for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
--				bv.bv_len += f->f_sub_any[ a ].bv_len;
-+				bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
- 			}
- 		}
- 		if ( f->f_sub_final.bv_val ) {
--			bv.bv_len += f->f_sub_final.bv_len;
-+			bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
- 		}
- 		bv.bv_len = 2 * bv.bv_len - 1;
- 		bv.bv_val = ch_malloc( bv.bv_len + 1 );
- 
- 		s = 0;
- 		if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
--			bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
--			for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
-+			fvalue = &f->f_sub_initial;
-+			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
-+			if ( escaped )
-+				fvalue = &escval;
-+			bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
-+			for ( i = 1; i < fvalue->bv_len; i++ ) {
- 				bv.bv_val[ s + 2 * i - 1 ] = '%';
--				bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
-+				bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
- 			}
- 			bv.bv_val[ s + 2 * i - 1 ] = '%';
- 			s += 2 * i;
-+			if ( escaped )
-+				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
- 		}
- 
- 		if ( f->f_sub_any != NULL ) {
- 			for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
--				bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
--				for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
-+				fvalue = &f->f_sub_any[ a ];
-+				escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
-+				if ( escaped )
-+					fvalue = &escval;
-+				bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
-+				for ( i = 1; i < fvalue->bv_len; i++ ) {
- 					bv.bv_val[ s + 2 * i - 1 ] = '%';
--					bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
-+					bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
- 				}
- 				bv.bv_val[ s + 2 * i - 1 ] = '%';
- 				s += 2 * i;
-+				if ( escaped )
-+					bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
- 			}
- 		}
- 
- 		if ( !BER_BVISNULL( &f->f_sub_final ) ) {
--			bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
--			for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
-+			fvalue = &f->f_sub_final;
-+			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
-+			if ( escaped )
-+				fvalue = &escval;
-+			bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
-+			for ( i = 1; i < fvalue->bv_len; i++ ) {
- 				bv.bv_val[ s + 2 * i - 1 ] = '%';
--				bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
-+				bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
- 			}
--				bv.bv_val[ s + 2 * i - 1 ] = '%';
-+			bv.bv_val[ s + 2 * i - 1 ] = '%';
- 			s += 2 * i;
-+			if ( escaped )
-+				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
- 		}
- 
- 		bv.bv_val[ s - 1 ] = '\0';
-@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
- 			f->f_sub_initial.bv_val );
- #endif /* BACKSQL_TRACE */
- 
-+		fvalue = &f->f_sub_initial;
-+		escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
-+		if ( escaped )
-+			fvalue = &escval;
- 		start = bsi->bsi_flt_where.bb_val.bv_len;
- 		backsql_strfcat_x( &bsi->bsi_flt_where,
- 				bsi->bsi_op->o_tmpmemctx,
- 				"b",
--				&f->f_sub_initial );
-+				fvalue );
-+		if ( escaped )
-+			bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
- 		if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
- 			ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
- 		}
-@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
- 				i, f->f_sub_any[ i ].bv_val );
- #endif /* BACKSQL_TRACE */
- 
-+			fvalue = &f->f_sub_any[ i ];
-+			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
-+			if ( escaped )
-+				fvalue = &escval;
- 			start = bsi->bsi_flt_where.bb_val.bv_len;
- 			backsql_strfcat_x( &bsi->bsi_flt_where,
- 					bsi->bsi_op->o_tmpmemctx,
- 					"bc",
--					&f->f_sub_any[ i ],
-+					fvalue,
- 					'%' );
-+			if ( escaped )
-+				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
- 			if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
- 				/*
- 				 * Note: toupper('%') = '%'
-@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
- 			f->f_sub_final.bv_val );
- #endif /* BACKSQL_TRACE */
- 
-+		fvalue = &f->f_sub_final;
-+		escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
-+		if ( escaped )
-+			fvalue = &escval;
- 		start = bsi->bsi_flt_where.bb_val.bv_len;
-     		backsql_strfcat_x( &bsi->bsi_flt_where,
- 				bsi->bsi_op->o_tmpmemctx,
- 				"b",
--				&f->f_sub_final );
-+				fvalue );
-+		if ( escaped )
-+			bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-   		if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
- 			ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
- 		}
-@@ -1182,6 +1252,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
- 	struct berval		*filter_value = NULL;
- 	MatchingRule		*matching_rule = NULL;
- 	struct berval		ordering = BER_BVC("<=");
-+	struct berval		escval;
-+	int					escaped = 0;
- 
- 	Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
- 		at->bam_ad->ad_cname.bv_val );
-@@ -1236,6 +1308,10 @@ equality_match:;
- 			casefold = 1;
- 		}
- 
-+		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
-+		if ( escaped )
-+			filter_value = &escval;
-+
- 		/* FIXME: directoryString filtering should use a similar
- 		 * approach to deal with non-prettified values like
- 		 * " A  non    prettified   value  ", by using a LIKE
-@@ -1316,6 +1392,10 @@ equality_match:;
- 			casefold = 1;
- 		}
- 
-+		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
-+		if ( escaped )
-+			filter_value = &escval;
-+
- 		/*
- 		 * FIXME: should we uppercase the operands?
- 		 */
-@@ -1349,7 +1429,7 @@ equality_match:;
- 					&at->bam_sel_expr,
- 					&ordering,
- 					'\'',
--					&f->f_av_value,
-+					filter_value,
- 					(ber_len_t)STRLENOF( /* (' */ "')" ),
- 						/* ( */ "')" );
- 		}
-@@ -1373,13 +1453,17 @@ equality_match:;
- 	case LDAP_FILTER_APPROX:
- 		/* we do our best */
- 
-+		filter_value = &f->f_av_value;
-+		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
-+		if ( escaped )
-+			filter_value = &escval;
- 		/*
- 		 * maybe we should check type of at->sel_expr here somehow,
- 		 * to know whether upper_func is applicable, but for now
- 		 * upper_func stuff is made for Oracle, where UPPER is
- 		 * safely applicable to NUMBER etc.
- 		 */
--		(void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
-+		(void)backsql_process_filter_like( bsi, at, 1, filter_value );
- 		break;
- 
- 	default:
-@@ -1393,6 +1477,9 @@ equality_match:;
- 
- 	}
- 
-+	if ( escaped )
-+		bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-+
- 	Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
- 		at->bam_ad->ad_cname.bv_val );
- 
--- 
-GitLab
-

openldap.spec

@@ -1,8 +1,8 @@
 %global systemctl_bin /usr/bin/systemctl
 
 Name:           openldap
-Version:        2.6.3
-Release:        2
+Version:        2.6.5
+Release:        6
 Summary:        LDAP support libraries
 License:        OLDAP-2.8
 URL:            https://www.openldap.org/
@@ -25,9 +25,13 @@ Patch5:         backport-openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-s
 Patch7:         backport-check-password-makefile.patch
 Patch8:         backport-check-password.patch
 Patch9:         add-ber_sockbuf_io_udp-to-liber.map.patch
-Patch6000:      backport-ITS-9898-tests-fix-slapd-addel-non-std-syntax.patch
-Patch6001:      backport-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
 
+Patch10:        backport-ITS-10193-Asyncmeta-starts-more-than-one-timeout-loo.patch
+Patch11:        backport-ITS-10204-slapo-constraint-fix-double-free-on-invali.patch
+Patch12:        backport-ITS-10211-slapd-Fix-peercred-uid-and-gid-format.patch
+Patch13:        backport-ITS-9037-mdb_page_search-fix-error-code-when-DBI-rec.patch
+Patch14:        backport-ITS-10264-free-NoD-data-we-stored-locally.patch
+Patch15:        backport-ITS-8047-fix-tls-connection-timeout-handling.patch
 
 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
 BuildRequires:  glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@@ -55,7 +59,7 @@ customized LDAP clients.
 
 %package        servers
 Summary:        LDAP server
-License:        OpenLDAP
+License:        OLDAP-2.8
 Requires:       openldap = %{version}-%{release}
 Requires(pre):  shadow-utils
 %{?systemd_requires}
@@ -102,8 +106,12 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 
 %patch9 -p1
 
-%patch6000 -p1
-%patch6001 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
 
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@@ -151,9 +159,15 @@ pushd openldap-%{version}
 popd
 
 pushd ltb-project-openldap-ppolicy-check-password-1.1
+%if "%toolchain" == "clang"
+make LDAP_INC="-I../openldap-%{version}/include \
+ -I../openldap-%{version}/servers/slapd \
+ -I../openldap-%{version}/build-servers/include" CC=clang
+%else
 make LDAP_INC="-I../openldap-%{version}/include \
  -I../openldap-%{version}/servers/slapd \
  -I../openldap-%{version}/build-servers/include"
+%endif
 popd
 
 %install
@@ -391,10 +405,31 @@ popd
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
 
 %changelog
+* Thu Feb 13 2025 yanglu <yanglu72@h-partners.com> - 2.6.5-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:sync some patches from upstream
+
+* Fri Jun 14 2024 xinghe <xinghe2@h-partners.com> - 2.6.5-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix license
+
+* Thu Jul 27 2023 zhangchenglin <zhangchenglin@kylinos.cn> - 2.6.5-1
+- update to version 2.6.5
+
+* Tue May 30 2023 liyunfei <liyunfei33@huawei.com> - 2.6.3-4
+- add clang compile support
+
+* Tue Mar 14 2023 zhujunhao <zhujunhao11@huawei.com> - 2.6.3-3
+- remove unused file
+
 * Tue Feb 28 2023 zhujunhao <zhujunhao11@huawei.com> - 2.6.3-2
 - add options for build cross
 
-* Tue Feb 8 2023 zhujunhao <zhujunhao11@huawei.com> - 2.6.3-1
+* Wed Feb 8 2023 zhujunhao <zhujunhao11@huawei.com> - 2.6.3-1
 - upgrade to 2.6.3
 
 * Mon Nov 7 2022 zhujunhao <zhujunhao11@huawei.com> - 2.6.0-5